
Unknown Malware infection


  • This topic is locked
18 replies to this topic

#1 Peebs64 (Members, 396 posts, UK)

Posted 02 September 2010 - 02:23 PM

Hi Malware experts,

A colleague asked me to look at his laptop, suggesting that he had downloaded some malware. He was after a particular codec which, as soon as he had downloaded it, opened a popup claiming to be antivirus.

A quick look around on the laptop showed the IE proxy had been set to 127.0.0.1:6522.

This is a Dell Latitude XP Pro SP3 and I'm currently running DDS and GMER. I'll post the logs as soon as.

Any advice or help would be very welcome.

Many thanks

Peebs

Here is the DDS log:




DDS (Ver_10-03-17.01) - NTFSx86
Run by Ellis Paul at 20:21:30.90 on 02/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.328 [GMT 1:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Activ Software\ActivDriver\ActivControl2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Program Files\Activ Software\ActivDriver\activmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
G:\AdAware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/home/
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [msnmsgr] "c:\progra~1\window~4\messen~1\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [XBV6RD5SZF] c:\docume~1\ellisp~1\locals~1\temp\Qch.exe
uRun: [hbahtiid] c:\documents and settings\ellis paul\local settings\application data\bgfxtjiid\tcpigkqshdw.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [Win32system] wscript /e:vbs c:\windows\system32\upgrade.sqm
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [btbb_WZC] c:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe -appkey=btbb -hidden -url=file://c:\program files\bt broadband desktop help\btbb\ocb\40da9824-4b42-46b2-bd6a-35d94a3216d0\EnableWZC.html
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [hbahtiid] c:\documents and settings\ellis paul\local settings\application data\bgfxtjiid\tcpigkqshdw.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ft.com\www
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240381686603
DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} - hxxps://b2c.icbc.com.cn/icbc/newperbank/AXSafeControls.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {04B2C72B-0C88-4032-8282-390510D8FC26} = 192.168.254.200
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-28 390528]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-1 59240]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-1 166632]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-7-1 840936]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2009-5-5 55936]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [2008-7-13 6656]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2009-4-22 88192]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100823.002\naveng.sys [2010-8-24 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100823.002\navex15.sys [2010-8-24 1362608]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2009-10-5 6144]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-10 135664]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

=============== Created Last 30 ================

2010-09-02 19:20:32 0 ----a-w- c:\documents and settings\ellis paul\defogger_reenable
2010-08-23 21:18:33 212480 ----a-w- c:\windows\Qtagya.exe
2010-08-23 21:18:23 91648 --sha-r- c:\windows\system32\ddraw2.dll
2010-08-14 22:02:03 0 d-----w- c:\program files\Ask.com
2010-08-13 11:24:29 339968 ----a-w- c:\windows\system32\RapportBuka.dll

==================== Find3M ====================

2010-06-30 12:23:55 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 02:14:38 1861120 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-09-05 22:46:34 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat

============= FINISH: 20:21:55.09 ===============

Edited by Pandy, 02 September 2010 - 03:58 PM.
Merge reply ~Pandy

I am a man of science, not someone's snuggle bunny. - Sheldon Cooper
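Beyond the proxy setting Peebs spotted, the first DDS log above carries the other tell-tale entries a responder scans for by eye: two Run entries with random names launching from the user's temp and Local Settings directories, a wscript entry told to run a file that does not even have a script extension, a new hidden+system DLL in system32 and a new executable dropped straight into the Windows directory. The script below, added here as an example and not part of Peebs64's post, of DDS or of any BleepingComputer tool, automates that first pass over the Pseudo HJT Report and Created Last 30 sections. Its rule set is this example's own set of heuristics (an assumption about what deserves a second look, not a verdict), and the sample input is a handful of lines copied from the log above and trimmed.

```python
import re

# Constructed sample: lines copied from the first DDS log in the thread above,
# mixing benign entries with the suspicious ones.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [XBV6RD5SZF] c:\docume~1\ellisp~1\locals~1\temp\Qch.exe
uRun: [hbahtiid] c:\documents and settings\ellis paul\local settings\application data\bgfxtjiid\tcpigkqshdw.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Win32system] wscript /e:vbs c:\windows\system32\upgrade.sqm
mRun: [hbahtiid] c:\documents and settings\ellis paul\local settings\application data\bgfxtjiid\tcpigkqshdw.exe
=============== Created Last 30 ================
2010-08-23 21:18:33 212480 ----a-w- c:\windows\Qtagya.exe
2010-08-23 21:18:23 91648 --sha-r- c:\windows\system32\ddraw2.dll
2010-08-14 22:02:03 0 d-----w- c:\program files\Ask.com
2010-08-13 11:24:29 339968 ----a-w- c:\windows\system32\RapportBuka.dll
==================== Find3M ====================
2009-09-05 22:46:34 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
"""

SECTION = re.compile(r"^=+\s*(.+?)\s*=+$")
# DDS prints the IE proxy as "ProxyServer = http=host:port" or plain "host:port".
PROXY = re.compile(r"ProxyServer\s*=\s*(?:https?=)?(127\.0\.0\.1|localhost):(\d+)", re.I)
RUN = re.compile(r"^([umd]Run):\s*\[(.*?)\]\s*(.*)$")
# Directories any user process can write to; autoruns rarely belong there.
USER_WRITABLE = re.compile(r"\\(temp|locals~1|local settings\\application data|application data|appdata)\\", re.I)
SCRIPT_HOST = re.compile(r'^"?(?:wscript|cscript)(?:\.exe)?"?(?=\s|$)', re.I)
HOST_SWITCHES = re.compile(r"^(?:/{1,2}\S+\s+)+")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# "<date> <time> <size> <attrs> <path>"; attrs is the 8-char flag column.
CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(\S{8})\s+(.+)$")
WINDOWS_ROOT_BIN = re.compile(r"^c:\\windows\\[^\\]+\.(?:exe|dll|scr|sys)$", re.I)


def triage(text):
    """Return (rule, detail) pairs for lines in a DDS log that deserve a look."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = PROXY.search(line)
        if m:
            # A proxy on the loopback address means a process on this very
            # machine sits between the browser and the network.
            findings.append(("loopback_proxy", f"{m.group(1)}:{m.group(2)}"))
            continue
        m = RUN.match(line)
        if m:
            hive, name, cmd = m.groups()
            if USER_WRITABLE.search(cmd):
                findings.append(("run_from_user_writable_dir", f"{hive} [{name}] {cmd}"))
            host = SCRIPT_HOST.match(cmd)
            if host:
                # An engine switch (/e:vbs, //e:vbs) names the script engine
                # explicitly, so the file run need not carry a script extension.
                target = HOST_SWITCHES.sub("", cmd[host.end():].strip()).strip().strip('"')
                if not target.lower().endswith(SCRIPT_EXT):
                    findings.append(("script_host_nonscript_ext", f"{hive} [{name}] {target}"))
            continue
        if section == "Created Last 30":
            m = CREATED.match(line)
            if m:
                attrs, path = m.groups()
                if "s" in attrs and "h" in attrs:
                    findings.append(("hidden_system_file", path))
                if WINDOWS_ROOT_BIN.match(path):
                    findings.append(("binary_in_windows_root", path))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_DDS):
        print(f"{rule:28} {detail}")
```

On the sample it reports seven findings: the 127.0.0.1:6522 proxy, the Qch.exe and tcpigkqshdw.exe autoruns (the latter under both the user and machine Run keys), the wscript entry pointing at upgrade.sqm, the hidden+system ddraw2.dll and Qtagya.exe in the Windows root; ctfmon, ccApp, the Ask.com directory and the Rapport DLL pass. Fed the second DDS log in this thread, the same rules would still report the two user Run entries, the wscript entry and ddraw2.dll, which is the "Malwarebytes did not remove everything" conclusion Casey reaches later from the same lines.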


#2 Casey_boy (Bleeping physicist, Malware Response Team, 7,765 posts, UK)

Posted 11 September 2010 - 06:25 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 Peebs64 (Topic Starter, Members, 396 posts, UK)

Posted 11 September 2010 - 09:06 AM

Hi Casey,

Firstly, thanks for your support with this problem. Some things have changed since my original posting; I was under increasing pressure to return the laptop to its owner, so I have run RKill and Malwarebytes prior to your posting. MBAM did find 6 infected files, which have been removed.

However I wish to proceed with your assistance in ensuring this is a clean machine and have posted the logs as requested below.

Peebs


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ellis Paul at 14:15:29.07 on 11/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.403 [GMT 1:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Activ Software\ActivDriver\ActivControl2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Program Files\Activ Software\ActivDriver\activmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ellis Paul\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/home/
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [msnmsgr] "c:\progra~1\window~4\messen~1\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [XBV6RD5SZF] c:\docume~1\ellisp~1\locals~1\temp\Qch.exe
uRun: [hbahtiid] c:\documents and settings\ellis paul\local settings\application data\bgfxtjiid\tcpigkqshdw.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [Win32system] wscript /e:vbs c:\windows\system32\upgrade.sqm
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [btbb_WZC] c:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe -appkey=btbb -hidden -url=file://c:\program files\bt broadband desktop help\btbb\ocb\40da9824-4b42-46b2-bd6a-35d94a3216d0\EnableWZC.html
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ft.com\www
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240381686603
DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} - hxxps://b2c.icbc.com.cn/icbc/newperbank/AXSafeControls.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-28 390528]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-1 59240]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-1 166632]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-7-1 840936]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2009-5-5 55936]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [2008-7-13 6656]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2009-4-22 88192]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100910.003\naveng.sys [2010-9-11 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100910.003\navex15.sys [2010-9-11 1362608]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2009-10-5 6144]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-10 135664]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

=============== Created Last 30 ================

2010-09-11 10:24:28 0 d-----w- c:\docume~1\ellisp~1\applic~1\Malwarebytes
2010-09-11 09:56:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-02 19:20:32 0 ----a-w- c:\documents and settings\ellis paul\defogger_reenable
2010-08-23 21:18:23 91648 --sha-r- c:\windows\system32\ddraw2.dll
2010-08-14 22:02:03 0 d-----w- c:\program files\Ask.com
2010-08-13 11:24:29 339968 ----a-w- c:\windows\system32\RapportBuka.dll

==================== Find3M ====================

2010-07-17 04:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 12:23:55 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 02:14:38 1861120 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-09-05 22:46:34 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat

============= FINISH: 14:15:53.21 ===============

Attached File  Attach.txt   11.76KB   1 downloads
Attached File  ark.txt   9.23KB   3 downloads

#4 Casey_boy (Bleeping physicist, Malware Response Team, 7,765 posts, UK)

Posted 11 September 2010 - 10:30 AM

Hi,

My name is Casey and I will be helping you with your malware problems.

As you may have noticed, I am currently in training which means that all of my responses will first be verified by a malware removal coach. As such, there may be a little delay in my responses to you. On the plus side, there will be two sets of eyes looking over your logs.

Whilst I research the problems in your logs, it is very important that you do not make any changes to this PC. Specifically, do not run any further malware removal tools or try to remove anything yourself.

You may wish to "track this topic" so that you are immediately informed of any replies I make. I also ask that you reply to my posts within 5 days else your topic will be closed as stale.

Throughout the removal process, if you have any questions then you should ask them. If you are unsure of my instructions or something does not go as planned - then please tell me. Conversely, it is also important that you answer any questions I have and that you keep me updated on the state of the PC.

Regards,

Casey



#5 Peebs64 (Topic Starter, Members, 396 posts, UK)

Posted 11 September 2010 - 10:35 AM

Sure thing Casey,

I'm hoping to do the same one day!

Peebs

#6 Casey_boy (Bleeping physicist, Malware Response Team, 7,765 posts, UK)

Posted 12 September 2010 - 08:59 AM

Hi again,

It looks as though Malwarebytes did not successfully remove all of the threats on the PC, so we will continue with fixing it.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you have trouble running ComboFix, then please rename ComboFix.exe to Caseyboy.exe and re-run.

Casey

Edited by Casey_boy, 12 September 2010 - 08:59 AM.



#7 Peebs64

Peebs64
  • Topic Starter

  • Members
  • 396 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:39 PM

Posted 12 September 2010 - 12:37 PM

Hi Casey,

Below is the log from ComboFix. Interesting to see that the original malware files still exist after running MBAM, and also the deletions from the temp IE folder.

Peebs



ComboFix 10-09-11.04 - Ellis Paul 12/09/2010 18:19:23.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.574 [GMT 1:00]
Running from: c:\documents and settings\Ellis Paul\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc10.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc11.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc12.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc13.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc14.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc15.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc150.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc16.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc17.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc18.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc19.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc1A.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc1B.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc1C.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc1D.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc1E.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc1F.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc20.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc21.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc22.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc23.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc24.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc25.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc26.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc27.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc28.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc29.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc2A.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc2B.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc2C.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc2D.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc2E.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc2F.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc30.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc31.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc32.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc33.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc34.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc35.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc36.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc37.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc38.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc39.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc3A.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc3B.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc3C.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc3D.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc3E.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc3F.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc4.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc40.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc41.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc42.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc43.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc44.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc45.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc46.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc47.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc48.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc49.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc4A.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc4B.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc4C.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc4D.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc4E.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc4F.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc5.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc50.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc51.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc52.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc53.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc54.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc55.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc56.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc57.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc58.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc59.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc5A.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc5B.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc5C.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc5D.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc5E.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc5F.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc6.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc60.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc61.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc62.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc63.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc64.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc65.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc66.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc67.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc68.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc69.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc6A.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc6B.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc6C.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc6D.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc6E.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc6F.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc7.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc70.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc71.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc72.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc73.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc74.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc75.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc76.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc77.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc78.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc79.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc7A.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc7B.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc7C.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc7D.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc7E.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc7F.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc8.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc80.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc81.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc82.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc83.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc84.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc85.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc86.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc87.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc88.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc89.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc8A.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc8B.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc8C.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc8D.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc8E.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc8F.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc9.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc90.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc91.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc92.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc93.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc94.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc95.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc96.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc97.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc98.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc99.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc9A.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc9B.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc9C.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc9D.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc9E.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mcc9F.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccA.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccA0.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccA1.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccA2.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccA3.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccA4.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccA5.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccA6.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccA7.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccA8.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccA9.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccAA.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccAB.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccAC.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccAD.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccAE.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccAF.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccB.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccB0.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccB1.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccB2.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccB3.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccB4.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccB5.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccB6.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccB7.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccB8.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccB9.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccBA.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccBB.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccBC.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccBD.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccBE.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccBF.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccC.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccC0.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccC1.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccC2.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccC3.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccC4.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccC5.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccC8.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccC9.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccCD.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccD.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccD9.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccE.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccE4.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccED.tmp
c:\documents and settings\Ellis Paul\Local Settings\Temporary Internet Files\mccF.tmp

.
((((((((((((((((((((((((( Files Created from 2010-08-12 to 2010-09-12 )))))))))))))))))))))))))))))))
.

2010-09-11 11:31 . 2010-09-11 11:31 -------- d-----w- c:\program files\Common Files\Java
2010-09-11 10:24 . 2010-09-11 10:24 -------- d-----w- c:\documents and settings\Ellis Paul\Application Data\Malwarebytes
2010-09-11 09:56 . 2010-09-11 09:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-11 09:56 . 2010-09-11 09:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-11 09:49 . 2010-09-11 09:49 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-09-11 09:49 . 2010-09-11 09:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-11 09:49 . 2010-09-11 09:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2010-08-23 21:45 . 2010-09-11 10:20 -------- d-----w- c:\documents and settings\Ellis Paul\Local Settings\Application Data\bgfxtjiid
2010-08-23 21:18 . 2010-08-23 21:18 91648 --sha-r- c:\windows\system32\ddraw2.dll
2010-08-14 22:22 . 2010-08-14 22:56 -------- d-----w- c:\documents and settings\Ellis Paul\Local Settings\Application Data\AskToolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-12 17:13 . 2009-04-22 06:34 -------- d-----w- c:\program files\Symantec AntiVirus
2010-09-12 17:08 . 2010-07-08 19:34 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-11 12:28 . 2009-09-24 21:44 63488 ----a-w- c:\documents and settings\All Users\Application Data\Activ Software\ActivApplications\ActivFocusHook.dll
2010-09-11 12:25 . 2010-06-24 15:32 322200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-09-11 11:30 . 2009-10-26 22:16 -------- d-----w- c:\program files\Java
2010-08-19 17:55 . 2009-10-26 22:21 -------- d-----w- c:\documents and settings\Ellis Paul\Application Data\LimeWire
2010-08-13 15:47 . 2010-08-13 15:47 503808 ----a-w- c:\documents and settings\Ellis Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-69aa5149-n\msvcp71.dll
2010-08-13 15:47 . 2010-08-13 15:47 499712 ----a-w- c:\documents and settings\Ellis Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-69aa5149-n\jmc.dll
2010-08-13 15:47 . 2010-08-13 15:47 348160 ----a-w- c:\documents and settings\Ellis Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-69aa5149-n\msvcr71.dll
2010-08-13 15:47 . 2010-08-13 15:47 12800 ----a-w- c:\documents and settings\Ellis Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-654124f3-n\decora-d3d.dll
2010-08-13 15:47 . 2010-08-13 15:47 61440 ----a-w- c:\documents and settings\Ellis Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-654124f3-n\decora-sse.dll
2010-08-13 11:24 . 2010-08-13 11:24 339968 ----a-w- c:\windows\system32\RapportBuka.dll
2010-07-17 04:00 . 2010-05-10 20:57 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 23:24 . 2009-04-22 06:53 -------- d-----w- c:\documents and settings\Ellis Paul\Application Data\Skype
2010-07-14 17:04 . 2010-07-14 17:04 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-01 11:07 . 2010-07-01 11:07 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-30 12:23 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 02:14 . 2008-04-14 12:00 1861120 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 14:18 . 2008-04-14 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-17 1233288]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-06-17 10:02 1233288 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-17 1233288]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-17 1233288]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-03-30 3036424]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32system"="wscript" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
"btbb_WZC"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe" [2009-09-14 1069568]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"ActivControl"="c:\program files\Activ Software\ActivDriver\ActivControl2.exe" [2010-03-23 1088800]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 08:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [28/02/2010 21:18 390528]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [01/07/2010 12:07 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [01/07/2010 12:07 166632]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [01/07/2010 12:07 840936]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [05/05/2009 17:25 55936]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [13/07/2008 09:10 6656]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [28/05/2010 20:08 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [22/04/2009 08:45 88192]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [05/10/2009 16:56 6144]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/05/2010 21:56 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [27/09/2006 13:33 116464]

--- Other Services/Drivers In Memory ---

*Deregistered* - pxtdapod
.
Contents of the 'Scheduled Tasks' folder

2010-08-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2010-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-10 20:56]

2010-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-10 20:56]

2010-09-11 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

2010-09-12 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-06-30 21:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/home/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: ft.com\www
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} - hxxps://b2c.icbc.com.cn/icbc/newperbank/AXSafeControls.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\progra~1\WINDOW~4\MESSEN~1\msnmsgr.exe
HKCU-Run-hbahtiid - c:\documents and settings\Ellis Paul\Local Settings\Application Data\bgfxtjiid\tcpigkqshdw.exe
AddRemove-BT Yahoo! Applications - c:\progra~1\Yahoo!\Common\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-12 18:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\INTEL\Wireless\Folders\x*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-09-12 18:29:16
ComboFix-quarantined-files.txt 2010-09-12 17:29

Pre-Run: 5,486,526,464 bytes free
Post-Run: 5,523,300,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 748F19B8FE23FCEDDC5E27944F3E3CEE


#8 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:39 PM

Posted 12 September 2010 - 05:39 PM

Hi,

There’s a little more work to do to just clean up.

P2P Warning

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs (in your case µTorrent and LimeWire 5.5.13). These programs allow file sharing between users, as the name(s) suggest. In today's world, cybercrime has become an enormous problem. Different ways are used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a huge amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading infected files via peer-to-peer tools and so these tools must be used with extreme care. Some further reading on this subject, along with included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

I strongly recommend that you uninstall these programs. However, should you decide to keep them, please refrain from using them until we get your computer clean, and always show caution with any files you download.

CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quote box below into it (ignoring the word QUOTE):

QUOTE
File::
c:\windows\system32\upgrade.sqm
c:\docume~1\ellisp~1\locals~1\temp\Qch.exe

Folder::
c:\documents and settings\Ellis Paul\Local Settings\Application Data\bgfxtjiid

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32system"=-
"XBV6RD5SZF"=-


Save this as CFScript.txt, in the same location as ComboFix.exe.

[picture: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Casey

Edited by Casey_boy, 13 September 2010 - 10:14 AM.

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#9 Peebs64

Peebs64
  • Topic Starter

  • Members
  • 396 posts
  • Gender:Male
  • Location:UK

Posted 13 September 2010 - 11:18 AM

Hi Casey,

As requested, the ComboFix log below, run with the script.

Regards

Peebs


ComboFix 10-09-12.04 - Ellis Paul 13/09/2010 13:04:54.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.374 [GMT 1:00]
Running from: c:\documents and settings\Ellis Paul\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ellis Paul\Desktop\cfscript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point

FILE ::
"c:\docume~1\ellisp~1\locals~1\temp\Qch.exe"
"c:\windows\system32\upgrade.sqm"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ellis Paul\Local Settings\Application Data\bgfxtjiid

.
((((((((((((((((((((((((( Files Created from 2010-08-13 to 2010-09-13 )))))))))))))))))))))))))))))))
.

2010-09-13 12:00 . 2010-09-13 12:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-11 11:31 . 2010-09-11 11:31 -------- d-----w- c:\program files\Common Files\Java
2010-09-11 10:24 . 2010-09-11 10:24 -------- d-----w- c:\documents and settings\Ellis Paul\Application Data\Malwarebytes
2010-09-11 09:56 . 2010-09-11 09:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-11 09:56 . 2010-09-11 09:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-11 09:49 . 2010-09-11 09:49 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-09-11 09:49 . 2010-09-11 09:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-11 09:49 . 2010-09-11 09:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2010-08-23 21:18 . 2010-08-23 21:18 91648 --sha-r- c:\windows\system32\ddraw2.dll
2010-08-14 22:22 . 2010-08-14 22:56 -------- d-----w- c:\documents and settings\Ellis Paul\Local Settings\Application Data\AskToolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-13 12:02 . 2009-04-22 06:34 -------- d-----w- c:\program files\Symantec AntiVirus
2010-09-13 08:37 . 2010-09-13 08:37 664 ----a-w- c:\windows\system32\d3d9caps.tmp
2010-09-11 12:28 . 2009-09-24 21:44 63488 ----a-w- c:\documents and settings\All Users\Application Data\Activ Software\ActivApplications\ActivFocusHook.dll
2010-09-11 12:25 . 2010-06-24 15:32 322200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-09-11 11:30 . 2009-10-26 22:16 -------- d-----w- c:\program files\Java
2010-08-19 17:55 . 2009-10-26 22:21 -------- d-----w- c:\documents and settings\Ellis Paul\Application Data\LimeWire
2010-08-13 15:47 . 2010-08-13 15:47 503808 ----a-w- c:\documents and settings\Ellis Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-69aa5149-n\msvcp71.dll
2010-08-13 15:47 . 2010-08-13 15:47 499712 ----a-w- c:\documents and settings\Ellis Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-69aa5149-n\jmc.dll
2010-08-13 15:47 . 2010-08-13 15:47 348160 ----a-w- c:\documents and settings\Ellis Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-69aa5149-n\msvcr71.dll
2010-08-13 15:47 . 2010-08-13 15:47 12800 ----a-w- c:\documents and settings\Ellis Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-654124f3-n\decora-d3d.dll
2010-08-13 15:47 . 2010-08-13 15:47 61440 ----a-w- c:\documents and settings\Ellis Paul\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-654124f3-n\decora-sse.dll
2010-08-13 11:24 . 2010-08-13 11:24 339968 ----a-w- c:\windows\system32\RapportBuka.dll
2010-07-17 04:00 . 2010-05-10 20:57 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 23:24 . 2009-04-22 06:53 -------- d-----w- c:\documents and settings\Ellis Paul\Application Data\Skype
2010-07-14 17:04 . 2010-07-14 17:04 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-01 11:07 . 2010-07-01 11:07 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-30 12:23 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 02:14 . 2008-04-14 12:00 1861120 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 14:18 . 2008-04-14 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-17 1233288]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-06-17 10:02 1233288 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-17 1233288]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-17 1233288]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-03-30 3036424]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]
"btbb_WZC"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe" [2009-09-14 1069568]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"ActivControl"="c:\program files\Activ Software\ActivDriver\ActivControl2.exe" [2010-03-23 1088800]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 08:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpNotifier.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [28/02/2010 21:18 390528]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [01/07/2010 12:07 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [01/07/2010 12:07 166632]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [01/07/2010 12:07 840936]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [05/05/2009 17:25 55936]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [13/07/2008 09:10 6656]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [28/05/2010 20:08 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [22/04/2009 08:45 88192]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [05/10/2009 16:56 6144]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/05/2010 21:56 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [27/09/2006 13:33 116464]

--- Other Services/Drivers In Memory ---

*Deregistered* - pxtdapod
.
Contents of the 'Scheduled Tasks' folder

2010-08-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]

2010-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-10 20:56]

2010-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-10 20:56]

2010-09-11 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

2010-09-13 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-06-30 21:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/home/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: ft.com\www
TCP: {04B2C72B-0C88-4032-8282-390510D8FC26} = 192.168.254.200
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} - hxxps://b2c.icbc.com.cn/icbc/newperbank/AXSafeControls.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-13 13:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\INTEL\Wireless\Folders\x*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(36828)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\ACTIV Software\ActivApplications\ActivFocusHook.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-13 13:13:14
ComboFix-quarantined-files.txt 2010-09-13 12:13
ComboFix2.txt 2010-09-12 17:29

Pre-Run: 5,506,879,488 bytes free
Post-Run: 5,494,759,424 bytes free

- - End Of File - - EE053B709D1B771B3AF9D35F94CE3151

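What a reviewer wants after a CFScript run is confirmation that the post-run log accounts for every target the script named. Post #8 asked ComboFix to delete two files, one folder and two HKLM Run values; the post #9 log lists the folder under "Other Deletions" and no longer shows either Run value under "Reg Loading Points", but it only echoes the two files under "FILE ::" without listing them as deleted. The script below is an added example for this thread, not ComboFix code and not part of any post: it parses a CFScript and a ComboFix log and reports each target the log does not confirm. It assumes the log layout stated in its docstring (FILE :: is an echo of the request, Other Deletions is the record of what was removed), which is how these logs are generally read but is not something ComboFix documents.

```python
"""Cross-check a ComboFix post-run log against the CFScript that drove it.
Added example for this thread, not ComboFix's own code. CFSCRIPT is the script
from post #8; POST_RUN_LOG is an excerpt of the post #9 log. Assumed layout:
'FILE ::' only echoes the File:: directives, 'Other Deletions' lists what was
actually removed, and 'Reg Loading Points' shows the Run values still present."""
import re
from typing import Dict, List, Tuple

CFSCRIPT = r"""
File::
c:\windows\system32\upgrade.sqm
c:\docume~1\ellisp~1\locals~1\temp\Qch.exe

Folder::
c:\documents and settings\Ellis Paul\Local Settings\Application Data\bgfxtjiid

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32system"=-
"XBV6RD5SZF"=-
"""

POST_RUN_LOG = r"""
FILE ::
"c:\docume~1\ellisp~1\locals~1\temp\Qch.exe"
"c:\windows\system32\upgrade.sqm"
.
((((((((((((((((((((( Other Deletions )))))))))))))))))))))
c:\documents and settings\Ellis Paul\Local Settings\Application Data\bgfxtjiid
.
((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")  # ((((( Title )))))
KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')         # "name"=data; "name"=- means delete


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group a CFScript's lines under their 'Name::' headers (header lower-cased)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("::"):                      # File::, Folder::, Registry::
            current = line[:-2].lower()
            sections[current] = []
        elif line and current:
            sections[current].append(line)
    return sections


def split_log(text: str) -> Dict[str, List[str]]:
    """Split a ComboFix log into its '(((( Title ))))' sections plus the FILE :: echo."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        sm = SECTION_RE.match(line)
        if sm or line == "FILE ::":
            current = sm.group(1) if sm else line
            sections[current] = []
        elif line and line != ".":                  # '.' is ComboFix's spacer line
            sections[current].append(line)
    return sections


def reg_pairs(lines: List[str], deletions_only: bool = False) -> List[Tuple[str, str]]:
    """(key, value-name) pairs under [key] headers, lower-cased; optionally only "name"=- lines."""
    pairs: List[Tuple[str, str]] = []
    key = None
    for line in lines:
        km, vm = KEY_RE.match(line), VALUE_RE.match(line)
        if km:
            key = km.group(1).lower()
        elif vm and key and (not deletions_only or vm.group(2) == "-"):
            pairs.append((key, vm.group(1).lower()))
    return pairs


def verify(cfscript: str, log_text: str) -> Dict[str, list]:
    """Report every CFScript target the post-run log does not account for."""
    script, log = parse_cfscript(cfscript), split_log(log_text)
    files = [f.lower() for f in script.get("file", [])]
    folders = [f.lower() for f in script.get("folder", [])]
    deletes = reg_pairs(script.get("registry", []), deletions_only=True)
    echoed = {l.strip('"').lower() for l in log.get("FILE ::", [])}
    deleted = {l.lower() for l in log.get("Other Deletions", [])}
    present = set(reg_pairs(log.get("Reg Loading Points", [])))
    return {
        "files_not_echoed": [f for f in files if f not in echoed],
        "files_not_reported_deleted": [f for f in files if f not in deleted],
        "folders_not_reported_deleted": [f for f in folders if f not in deleted],
        "run_values_still_listed": [v for v in deletes if v in present],
    }


if __name__ == "__main__":
    for check, items in verify(CFSCRIPT, POST_RUN_LOG).items():
        print(f"{check}: {items or 'none'}")
```

Run stand-alone against the thread's own script and log, it reports the folder and both Run values as accounted for, and both File:: entries as echoed but not listed under Other Deletions; that gap is the cue to ask whether the files were already gone before the run rather than to assume they were removed. The "Reg Loading Points" check is only as good as the dump, which omits empty and default entries, so a value that has been emptied rather than deleted will not show up either way.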

#10 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 14 September 2010 - 04:06 PM

Hi Peebs,

Your log looks good, but let’s just do a couple more things to check first.

Ask toolbar warning

Whilst not directly malware, it has been associated with bundled malware, and we therefore recommend that you uninstall the Ask Toolbar from your PC. To remove it, please go to Add/Remove Programs, find any entry related to the Ask Toolbar and uninstall it.

Run an online scan

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires the free Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the ... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the ... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the ... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

Fresh DDS logs

After the online scan, please post a fresh set of DDS logs for my review.

Casey



#11 Peebs64

Peebs64
  • Topic Starter

  • Members
  • 396 posts
  • Gender:Male
  • Location:UK

Posted 15 September 2010 - 02:10 AM

Morning Casey,

I cannot find any association with ask.com or Yahoo in Add/Remove Programs. All the add-ins in IE7 for the Yahoo and Ask toolbars are disabled, so I'm a bit stuck with the first suggestion. However, I will run the Kaspersky scan and the DDS as requested.

Regards

Peebs

#12 Peebs64

Peebs64
  • Topic Starter

  • Members
  • 396 posts
  • Gender:Male
  • Location:UK

Posted 15 September 2010 - 07:19 AM

Hi Casey,

As requested, the KAS scan and DDS logs.

Regards

Peebs

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, September 15, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, September 15, 2010 04:54:58
Records in database: 4213706
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 52312
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 01:56:11


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\082C0000\4CAF73DD.VBN Infected: Trojan-Dropper.Win32.FrauDrop.bbg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B640000\4B752B45.VBN Infected: Exploit.Win32.Pidief.avs 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B640001\4B752B54.VBN Infected: Exploit.Win32.Pidief.avs 1

Selected area has been scanned.




DDS (Ver_10-03-17.01) - NTFSx86
Run by Ellis Paul at 13:15:09.46 on 15/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.398 [GMT 1:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Activ Software\ActivDriver\ActivControl2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Program Files\Activ Software\ActivDriver\activmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ellis Paul\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/home/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [btbb_WZC] c:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe -appkey=btbb -hidden -url=file://c:\program files\bt broadband desktop help\btbb\ocb\40da9824-4b42-46b2-bd6a-35d94a3216d0\EnableWZC.html
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ft.com\www
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240381686603
DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} - hxxps://b2c.icbc.com.cn/icbc/newperbank/AXSafeControls.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {04B2C72B-0C88-4032-8282-390510D8FC26} = 192.168.254.200
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-28 390528]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-1 59240]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-1 166632]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-7-1 840936]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2009-5-5 55936]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [2008-7-13 6656]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2009-4-22 88192]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100910.003\naveng.sys [2010-9-11 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100910.003\navex15.sys [2010-9-11 1362608]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2009-10-5 6144]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-10 135664]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]

=============== Created Last 30 ================

2010-09-15 12:06:25 0 d--h--w- c:\windows\$hf_mig$
2010-09-13 12:00:44 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-12 17:17:56 0 d-sha-r- C:\cmdcons
2010-09-12 17:14:08 98816 ----a-w- c:\windows\sed.exe
2010-09-12 17:14:08 77312 ----a-w- c:\windows\MBR.exe
2010-09-12 17:14:08 256512 ----a-w- c:\windows\PEV.exe
2010-09-12 17:14:08 161792 ----a-w- c:\windows\SWREG.exe
2010-09-11 10:24:28 0 d-----w- c:\docume~1\ellisp~1\applic~1\Malwarebytes
2010-09-11 09:56:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-02 19:20:32 0 ----a-w- c:\documents and settings\ellis paul\defogger_reenable
2010-08-23 21:18:23 91648 --sha-r- c:\windows\system32\ddraw2.dll

==================== Find3M ====================

2010-08-13 11:24:29 339968 ----a-w- c:\windows\system32\RapportBuka.dll
2010-07-17 04:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 12:23:55 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 02:14:38 1861120 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

============= FINISH: 13:15:42.34 ===============

I am a man of science, not someone's snuggle bunny. - Sheldon Cooper

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 18 September 2010 - 03:47 PM

Hello there Peebs64.

Casey needs to be away this week, and for now I will proceed with helping you. We apologize for the delay.

Let's begin. The logs look a lot better. Kaspersky only detected a few Symantec quarantined items, so that's nothing to worry about. We can clear those afterwards.

How's your computer running though? Any problems, symptoms?

I just want to check one file that I would like to take a closer look at.

Submit file sample
  • Open the Submission Channel.
  • Please navigate by pressing the Browse button and look for the file: c:\windows\system32\ddraw2.dll <- This file
  • Please also include the link to this topic.
  • Under the comments section, say Extremeboy requested it.

Other than that, everything looks pretty clean; let me know how it is on your side.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
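As an added note that is not part of the thread: the file extremeboy singles out is the one entry in the "Created Last 30" list above that is a loadable module under the Windows directory carrying the system and hidden attribute flags (`--sha-r-`). The parser below, written for this reply and not taken from DDS or from anyone in the thread, reads DDS "Created Last 30" lines and flags such entries; the attribute-column mapping (d = directory, s = system, h = hidden, a = archive, r/w = read-only/writable) is an assumption inferred from the log, and the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the DDS "Created Last 30" section of the log above.
SAMPLE_LOG = """\
2010-09-15 12:06:25 0 d--h--w- c:\\windows\\$hf_mig$
2010-09-13 12:00:44 664 ----a-w- c:\\windows\\system32\\d3d9caps.dat
2010-09-12 17:17:56 0 d-sha-r- C:\\cmdcons
2010-09-12 17:14:08 98816 ----a-w- c:\\windows\\sed.exe
2010-08-23 21:18:23 91648 --sha-r- c:\\windows\\system32\\ddraw2.dll
"""

# date time size attrs path  (attrs is always an 8-character field in DDS output)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    date: str
    size: int
    attrs: str
    path: str

    # Assumed column meanings: [0]=d directory, [2]=s system, [3]=h hidden,
    # [4]=a archive, [6]=r read-only or w writable.
    @property
    def is_dir(self) -> bool: return self.attrs[0] == "d"
    @property
    def is_system(self) -> bool: return self.attrs[2] == "s"
    @property
    def is_hidden(self) -> bool: return self.attrs[3] == "h"


def parse_dds(text: str) -> list:
    """Return the Entry objects for every well-formed DDS file line in text."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["date"], int(m["size"]), m["attrs"], m["path"]))
    return entries


def flag_hidden_system_modules(entries: list) -> list:
    """Paths of non-directory .dll/.exe/.sys files under the Windows tree
    that are both system and hidden: rare for legitimate new files and worth
    a manual look or a sample submission, as in the reply above."""
    flagged = []
    for e in entries:
        p = e.path.lower()
        if e.is_dir or not e.is_system or not e.is_hidden:
            continue
        if "\\windows\\" in p and p.endswith((".dll", ".exe", ".sys")):
            flagged.append(e.path)
    return flagged
```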

#14 Peebs64

Peebs64
  • Topic Starter

  • Members
  • 396 posts
  • Gender:Male
  • Location:UK

Posted 19 September 2010 - 07:13 AM

Hello Extremeboy,

I currently don't have access to the laptop, maybe in the next couple of days. I'll upload the requested file as soon as.

As regards performance, I haven't seen any suspicious behaviour for a while now.

Thanks

Peebs
I am a man of science, not someone's snuggle bunny. - Sheldon Cooper

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 19 September 2010 - 01:29 PM

Okay, that sounds good.

We'll await your reply then. By then, Casey may be back, and he will probably continue working with you.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
