DDS, GMER and Combofix Logs


  • This topic is locked
3 replies to this topic

#1 jg49

  • Members
  • 34 posts

Posted 15 October 2010 - 06:53 PM

Hi,

As directed in another post I am posting my logs from an infected computer. I have run Malwarebytes and ComboFix, but have been unable to clean the computer.

Here are the logs:

DDS (Ver_10-10-10.03) - NTFSx86
Run by Administrator at 19:18:40.51 on Fri 10/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.613 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Administrator\Desktop\Defogger.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Transoft Solutions\License Server\TransoftLS.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6173\SiteAdv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SiteAdvisor] c:\program files\siteadvisor\6173\SiteAdv.exe
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {640373B0-6978-4FA5-A9FC-420ECBBC61C7} - hxxp://www.tekla.us/chesterfield/dll/zkitlib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u10-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6173\SiteAdv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\3ead6tne.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\siteadvisor\6173\ff\components\FFHook.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2008-12-9 86552]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-2-26 104000]
R2 MSSQL$TRANSOFT;SQL Server (TRANSOFT);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 Transoft Solutions License Server V1.6;Transoft Solutions License Server V1.6;c:\program files\transoft solutions\license server\TransoftLS.exe [2009-7-1 376832]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2008-12-9 24876]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]

=============== Created Last 30 ================

2010-10-15 18:57:56 578644 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-10-15 17:53:18 -------- d-----w- c:\program files\common files\McAfee
2010-10-15 17:53:08 -------- d-----w- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2010-10-14 20:08:41 -------- d-----w- c:\windows\system32\appmgmt
2010-10-14 03:48:27 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Mozilla
2010-10-14 03:07:50 -------- d-----w- C:\C25037C
2010-10-14 02:59:42 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-10-14 02:59:12 -------- d-----w- C:\C
2010-10-13 18:54:25 -------- d-----w- c:\documents and settings\administrator\XES
2010-10-13 18:52:32 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Apple Computer
2010-10-13 18:52:18 -------- d-----w- c:\docume~1\admini~1\applic~1\SiteAdvisor
2010-10-13 18:50:46 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-13 18:45:52 58368 ----a-w- c:\windows\system32\spoolsvSrv.exe
2010-10-13 17:46:38 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-10-13 17:46:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-13 17:46:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-13 17:46:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-13 17:46:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-13 17:41:51 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2010-10-13 17:31:45 -------- d-sha-r- C:\cmdcons
2010-10-13 17:26:37 77312 ----a-w- c:\windows\MBR.exe
2010-10-13 17:26:37 256512 ----a-w- c:\windows\PEV.exe
2010-10-13 17:26:36 98816 ----a-w- c:\windows\sed.exe
2010-10-13 17:26:36 161792 ----a-w- c:\windows\SWREG.exe
2010-10-13 16:15:50 0 ----a-w- c:\windows\Ijeligokima.bin
2010-10-13 16:14:12 843264 ----a-w- c:\windows\system32\drivers\uvyjciud.sys
2010-10-13 16:13:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-10-13 16:13:48 -------- d-----w- c:\program files\Microsoft
2010-09-30 11:14:01 -------- d-----w- c:\program files\iPod
2010-09-30 11:09:09 -------- d-----w- c:\program files\Bonjour
2010-09-23 11:24:18 -------- d-----w- c:\program files\Corpscon6

==================== Find3M ====================

2010-10-13 19:17:52 561152 ----a-w- C:\Convert.exe
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-27 22:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 22:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 19:19:31.07 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/26/2008 11:27:29 AM
System Uptime: 10/15/2010 7:14:22 PM (0 hours ago)

Motherboard: Dell Inc. | | 0UY141
Processor: Intel® Core™2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 1995/200mhz
Processor: Intel® Core™2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 1994/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 25.904 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 10/13/2010 11:08:13 PM - System Checkpoint
RP2: 10/14/2010 4:07:03 PM - Removed McAfee VirusScan Enterprise
RP3: 10/15/2010 5:37:49 PM - System Checkpoint

==== Installed Programs ======================

AccXES
Adobe Acrobat 8 Standard - English, Français, Deutsch
Adobe Acrobat 8.1.2 Security Update 1 (KB403742)
Adobe Acrobat 8.1.2 Standard
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
Adobe SVG Viewer 3.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoCAD 2008 - English
AutoCAD 2010 - English
AutoCAD 2010 Language Pack - English
Autodesk DWF Viewer 7
AutoTURN 6
Bonjour
Broadcom Gigabit Integrated Controller
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Carlson 2008 for AutoCAD
Conexant HDA D330 MDC V.92 Modem
Corpscon 6.0.1
Critical Update for Windows Media Player 11 (KB959772)
CULTEC StormGenie 2009-May-21
CutePDF Writer 2.8
Dell Resource CD
Dell Wireless WLAN Card
DYMO Label Software
EC-Design® 2003
FileZilla Client 3.3.1
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
Google Earth
Google Earth Plug-in
Google Toolbar for Internet Explorer
Google Update Helper
HEC-RAS 4.0
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HY-8 7.2
Hydraflow Storm Sewers 2008
HydroCAD
iPhone Configuration Utility
iTunes
Java™ 6 Update 10
LANDEX Remote
Malwarebytes' Anti-Malware
McAfee SiteAdvisor
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Basic 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (TRANSOFT)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (2.0)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NFF 3.2
North American Green Ver. 4.3
Norton Security Scan
NSS 4.0b8
NVIDIA Drivers
OGA Notifier 2.0.0048.0
OZ776 SCR Driver V1.1.3.9
PowerDVD
QuickTime
RealPlayer
Rhapsody Player Engine
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio Update Manager
RW-240 PLOTCLIENT
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Sibelius Scorch (ActiveX Only)
SigmaTel Audio
Sonic Activation Module
SonicWALL Global VPN Client
SonicWALL Global VPN Client 4.0.0.835
TABVIEW2
Terrain Navigator Pro
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (kb2291599)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VBA (2627.01)
Visual FoxPro ODBC Driver
VTPSUHM 6.2
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB839210
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip 12.1

==== Event Viewer Messages From Past Week ========

10/15/2010 7:10:50 PM, error: System Error [1003] - Error code 100000d1, parameter1 f7a94000, parameter2 00000002, parameter3 00000000, parameter4 f7375ccb.
10/15/2010 7:05:24 PM, error: System Error [1003] - Error code 100000d1, parameter1 f7af2000, parameter2 00000002, parameter3 00000000, parameter4 f7375ccb.
10/15/2010 7:04:07 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
10/15/2010 7:04:07 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/15/2010 2:46:58 PM, error: System Error [1003] - Error code 100000d1, parameter1 f7b6a000, parameter2 00000002, parameter3 00000000, parameter4 f73b5ccb.
10/15/2010 2:46:47 PM, error: System Error [1003] - Error code 100000d1, parameter1 f7b48000, parameter2 00000002, parameter3 00000000, parameter4 f73b5ccb.
10/15/2010 2:09:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd RCFOX Rdbss Tcpip
10/15/2010 2:09:27 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
10/15/2010 2:09:27 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/15/2010 2:09:27 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/15/2010 2:09:27 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
10/15/2010 2:09:27 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/15/2010 2:09:27 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/14/2010 4:03:03 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\D.
10/13/2010 7:31:58 PM, error: System Error [1003] - Error code 100000d1, parameter1 f7af4000, parameter2 00000002, parameter3 00000000, parameter4 f73b3ccb.
10/13/2010 5:04:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
10/13/2010 3:08:10 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
10/13/2010 3:07:11 PM, error: SRService [104] - The System Restore initialization process failed.
10/13/2010 2:47:46 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
10/13/2010 12:14:14 PM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: A device attached to the system is not functioning.
10/13/2010 12:13:53 PM, error: Service Control Manager [7023] - The MicroSoft Production Service service terminated with the following error: The specified module could not be found.
10/13/2010 10:03:53 AM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
10/13/2010 10:03:26 AM, error: NETLOGON [5719] - No Domain Controller is available for domain KCE-NORTH due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
10/13/2010 1:45:31 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/13/2010 1:42:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/13/2010 1:41:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/13/2010 1:33:59 PM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

GMER 1.0.15.15319 - http://www.gmer.net
Rootkit scan 2010-10-15 17:00:13
Windows 5.1.2600 Service Pack 2
Running: 83jge5kg.exe; Driver: C:\DOCUME~1\rborger\LOCALS~1\Temp\fgtcqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text uvyjciud.sys F7372000 13 Bytes JMP F7383ECC uvyjciud.sys
.text uvyjciud.sys F737200E 12 Bytes [52, FF, 74, 24, 0C, 8D, 64, ...]
.text uvyjciud.sys F737201B 77 Bytes [00, D4, CA, 2F, 66, 0F, BA, ...]
.text uvyjciud.sys F737206A 101 Bytes [89, 45, 04, 68, CC, CE, 00, ...]
.text uvyjciud.sys F73720D0 14 Bytes [00, 66, 21, 45, 04, 60, E8, ...]
.text ...
? C:\WINDOWS\system32\drivers\uvyjciud.sys A device attached to the system is not functioning.
PAGE Ntfs.sys F723DC55 4 Bytes CALL 8718F9A1
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF67A3380, 0x2F2807, 0xE8000020]
page C:\WINDOWS\System32\Drivers\oz776.sys entry point in "page" section [0xF774EE34]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 87147690
Device \Driver\Tcpip \Device\Ip 86ED6A90
Device \Driver\Tcpip \Device\Tcp 86ED6A90
Device \Driver\Tcpip \Device\Udp 86ED6A90
Device \Driver\Tcpip \Device\RawIp 86ED6A90
Device \Driver\Tcpip \Device\IPMULTICAST 86ED6A90

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] uvyjciud <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\uvyjciud@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\uvyjciud@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\uvyjciud@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\uvyjciud@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\uvyjciud@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\uvyjciud@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\uvyjciud@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\uvyjciud@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----

ComboFix 10-10-12.03 - Administrator 10/13/2010 15:17:25.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.649 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\C.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\rborger\LOCALS~1\Temp\qlpcw8.exe
c:\documents and settings\administrator.KCE-NORTH\Local Settings\Application Data\{90CB4713-53B9-4233-8AFC-D26C61B4D725}
c:\documents and settings\administrator.KCE-NORTH\Local Settings\Application Data\{90CB4713-53B9-4233-8AFC-D26C61B4D725}\chrome.manifest
c:\documents and settings\administrator.KCE-NORTH\Local Settings\Application Data\{90CB4713-53B9-4233-8AFC-D26C61B4D725}\chrome\content\_cfg.js
c:\documents and settings\administrator.KCE-NORTH\Local Settings\Application Data\{90CB4713-53B9-4233-8AFC-D26C61B4D725}\chrome\content\c.js
c:\documents and settings\administrator.KCE-NORTH\Local Settings\Application Data\{90CB4713-53B9-4233-8AFC-D26C61B4D725}\chrome\content\overlay.xul
c:\documents and settings\administrator.KCE-NORTH\Local Settings\Application Data\{90CB4713-53B9-4233-8AFC-D26C61B4D725}\install.rdf
c:\documents and settings\Administrator\Local Settings\Application Data\{EAF8FEA7-A00E-4EBF-BCE8-59D9D9818197}
c:\documents and settings\Administrator\Local Settings\Application Data\{EAF8FEA7-A00E-4EBF-BCE8-59D9D9818197}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{EAF8FEA7-A00E-4EBF-BCE8-59D9D9818197}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{EAF8FEA7-A00E-4EBF-BCE8-59D9D9818197}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{EAF8FEA7-A00E-4EBF-BCE8-59D9D9818197}\install.rdf
c:\documents and settings\All Users\Application Data\Update\seupd.exe
c:\documents and settings\rborger\Application Data\hotfix.exe
c:\documents and settings\rborger\Local Settings\Application Data\{EF6F3EDB-4155-446D-89BA-262244C240CE}
c:\documents and settings\rborger\Local Settings\Application Data\{EF6F3EDB-4155-446D-89BA-262244C240CE}\chrome.manifest
c:\documents and settings\rborger\Local Settings\Application Data\{EF6F3EDB-4155-446D-89BA-262244C240CE}\chrome\content\_cfg.js
c:\documents and settings\rborger\Local Settings\Application Data\{EF6F3EDB-4155-446D-89BA-262244C240CE}\chrome\content\overlay.xul
c:\documents and settings\rborger\Local Settings\Application Data\{EF6F3EDB-4155-446D-89BA-262244C240CE}\install.rdf
c:\documents and settings\rborger\Local Settings\Temporary Internet Files\plot.log
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Microsoft\DesktopLayer.exe
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
C:\Thumbs.db
c:\windows\acusitefesuf.dll
c:\windows\system32\pwss2vpp.dll
c:\windows\system32\zpa8jxzoh4.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Infected copy of c:\windows\system32\drivers\uvyjciud.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\uvyjciud.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
.

2010-10-13 18:54 . 2010-10-13 18:54 -------- d-----w- c:\documents and settings\Administrator\XES
2010-10-13 18:52 . 2010-10-13 19:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-10-13 18:52 . 2010-10-13 18:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-10-13 18:52 . 2010-10-13 18:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\SiteAdvisor
2010-10-13 18:50 . 2004-08-04 10:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-13 18:45 . 2010-10-13 18:45 58368 ----a-w- c:\windows\system32\spoolsvSrv.exe
2010-10-13 17:46 . 2010-10-13 17:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-13 17:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-13 17:46 . 2010-10-13 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-13 17:46 . 2010-10-13 17:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-13 17:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-13 17:41 . 2010-10-13 17:41 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-13 16:15 . 2010-10-13 16:15 0 ----a-w- c:\windows\Ijeligokima.bin
2010-10-13 16:14 . 2010-10-13 19:37 843264 ----a-w- c:\windows\system32\drivers\uvyjciud.sys
2010-10-13 16:13 . 2010-10-13 16:13 144 ----a-w- c:\documents and settings\rborger\Application Data\dsfsds.bat
2010-10-13 16:13 . 2010-10-13 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-13 16:13 . 2010-10-13 19:29 -------- d-----w- c:\program files\Microsoft
2010-10-13 12:28 . 2010-10-13 12:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-30 11:14 . 2010-09-30 11:14 -------- d-----w- c:\program files\iPod
2010-09-30 11:09 . 2010-09-30 11:09 -------- d-----w- c:\program files\Bonjour
2010-09-23 11:24 . 2010-09-23 11:24 -------- d-----w- c:\program files\Corpscon6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-10-11 08:04 . 2008-03-15 13:16 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2008-03-15 13:16 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2008-03-15 13:16 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2008-03-15 13:16 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2008-03-15 13:16 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-15 185896]
"SiteAdvisor"="c:\program files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 36640]
"NvMediaCenter"="NvMCTray.dll" [2007-04-29 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-03 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-19 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-12 00:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [12/9/2008 11:43 AM 86552]
R2 MSSQL$TRANSOFT;SQL Server (TRANSOFT);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
R2 Transoft Solutions License Server V1.6;Transoft Solutions License Server V1.6;c:\program files\Transoft Solutions\License Server\TransoftLS.exe [7/1/2009 4:22 PM 376832]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [12/9/2008 11:42 AM 24876]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 6:20 PM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [10/13/2010 1:46 PM 38224]

--- Other Services/Drivers In Memory ---

*Deregistered* - uvyjciud
.
Contents of the 'Scheduled Tasks' folder

2010-10-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 22:20]

2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 22:20]

2010-09-24 c:\windows\Tasks\Norton Security Scan for rborger.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-03-07 10:32]
.
.
------- Supplementary Scan -------
.
DPF: {640373B0-6978-4FA5-A9FC-420ECBBC61C7} - hxxp://www.tekla.us/chesterfield/dll/zkitlib.dll
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-HNUtmHTgqgc - c:\docume~1\rborger\LOCALS~1\Temp\qlpcw8.exe
HKCU-Run-uPc+MV0NplOaXms - c:\windows\system32\zpa8jxzoh4.dll
HKLM-Run-uPc+MV0NplOaXms - c:\windows\system32\zpa8jxzoh4.dll
HKLM-Run-HNUtmHTgqgc - c:\docume~1\rborger\LOCALS~1\Temp\qlpcw8.exe
HKLM-Run-Ktuquzojaziju - c:\windows\acusitefesuf.dll



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8708B44C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7626fc3
\Driver\ACPI -> ACPI.sys @ 0xf7499cb8
\Driver\atapi -> atapi.sys @ 0xf73607b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7250ba0
PacketIndicateHandler -> NDIS.sys @ 0xf723fa0b
SendHandler -> NDIS.sys @ 0xf7253b31
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\uvyjciud]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1532)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1592)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2296)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\RunDLL32.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\SiteAdvisor\6173\SAService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-10-13 15:45:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-13 19:45

Pre-Run: 19,876,925,440 bytes free
Post-Run: 27,973,349,376 bytes free

- - End Of File - - A1C46EE65952DAE0E5CDB50B0276C4B0

ComboFix 10-10-12.03 - Administrator 10/13/2010 23:21:20.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.649 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\C.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\uvyjciud.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
.

2010-10-14 02:59 . 2010-10-14 02:59 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-10-14 02:59 . 2010-10-14 02:59 -------- d-----w- C:\C
2010-10-13 18:54 . 2010-10-13 18:54 -------- d-----w- c:\documents and settings\Administrator\XES
2010-10-13 18:52 . 2010-10-13 19:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-10-13 18:52 . 2010-10-13 18:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-10-13 18:52 . 2010-10-13 18:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\SiteAdvisor
2010-10-13 18:50 . 2004-08-04 10:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-13 18:45 . 2010-10-13 18:45 58368 ----a-w- c:\windows\system32\spoolsvSrv.exe
2010-10-13 17:46 . 2010-10-13 17:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-13 17:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-13 17:46 . 2010-10-13 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-13 17:46 . 2010-10-13 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-13 17:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-13 17:41 . 2010-10-13 17:41 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-13 16:15 . 2010-10-13 16:15 0 ----a-w- c:\windows\Ijeligokima.bin
2010-10-13 16:14 . 2010-10-14 03:39 843264 ----a-w- c:\windows\system32\drivers\uvyjciud.sys
2010-10-13 16:13 . 2010-10-13 16:13 144 ----a-w- c:\documents and settings\rborger\Application Data\dsfsds.bat
2010-10-13 16:13 . 2010-10-13 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-13 16:13 . 2010-10-13 19:29 -------- d-----w- c:\program files\Microsoft
2010-10-13 12:28 . 2010-10-13 12:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-30 11:14 . 2010-09-30 11:14 -------- d-----w- c:\program files\iPod
2010-09-30 11:09 . 2010-09-30 11:09 -------- d-----w- c:\program files\Bonjour
2010-09-23 11:24 . 2010-09-23 11:24 -------- d-----w- c:\program files\Corpscon6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-10-11 08:04 . 2008-03-15 13:16 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2008-03-15 13:16 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2008-03-15 13:16 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2008-03-15 13:16 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2008-03-15 13:16 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-15 185896]
"SiteAdvisor"="c:\program files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 36640]
"NvMediaCenter"="NvMCTray.dll" [2007-04-29 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-03 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-19 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-12 00:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [12/9/2008 11:43 AM 86552]
R2 MSSQL$TRANSOFT;SQL Server (TRANSOFT);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
R2 Transoft Solutions License Server V1.6;Transoft Solutions License Server V1.6;c:\program files\Transoft Solutions\License Server\TransoftLS.exe [7/1/2009 4:22 PM 376832]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [12/9/2008 11:42 AM 24876]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 6:20 PM 135664]

--- Other Services/Drivers In Memory ---

*Deregistered* - uvyjciud
.
Contents of the 'Scheduled Tasks' folder

2010-10-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 22:20]

2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 22:20]

2010-09-24 c:\windows\Tasks\Norton Security Scan for rborger.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-03-07 10:32]
.
.
------- Supplementary Scan -------
.
DPF: {640373B0-6978-4FA5-A9FC-420ECBBC61C7} - hxxp://www.tekla.us/chesterfield/dll/zkitlib.dll
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-InstallShield_{32147780-0837-4E34-8B48-9CDA6D9DE6FA} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8715944C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75e8fc3
\Driver\ACPI -> ACPI.sys @ 0xf745bcb8
\Driver\atapi -> atapi.sys @ 0xf73227b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7200ba0
PacketIndicateHandler -> NDIS.sys @ 0xf71efa0b
SendHandler -> NDIS.sys @ 0xf7203b31
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\uvyjciud]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-1647877149-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,de,0f,93,b4,f9,1e,42,80,f7,b7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,de,0f,93,b4,f9,1e,42,80,f7,b7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1528)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1588)
c:\windows\system32\WININET.dll
.
Completion time: 2010-10-13 23:43:09
ComboFix-quarantined-files.txt 2010-10-14 03:43
ComboFix2.txt 2010-10-13 19:45

Pre-Run: 27,716,063,232 bytes free
Post-Run: 27,702,968,320 bytes free

- - End Of File - - 64B27396BD36B446DC0B33E1915AF0F3

ComboFix 10-10-12.03 - Administrator 10/14/2010 0:09.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.638 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\C.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\uvyjciud.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
.

2010-10-14 03:48 . 2010-10-14 03:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2010-10-14 03:48 . 2010-10-14 03:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-10-14 02:59 . 2010-10-14 02:59 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-10-14 02:59 . 2010-10-14 02:59 -------- d-----w- C:\C
2010-10-13 18:54 . 2010-10-13 18:54 -------- d-----w- c:\documents and settings\Administrator\XES
2010-10-13 18:52 . 2010-10-13 19:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-10-13 18:52 . 2010-10-13 18:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-10-13 18:52 . 2010-10-13 18:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\SiteAdvisor
2010-10-13 18:50 . 2004-08-04 10:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-13 18:45 . 2010-10-13 18:45 58368 ----a-w- c:\windows\system32\spoolsvSrv.exe
2010-10-13 17:46 . 2010-10-13 17:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-13 17:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-13 17:46 . 2010-10-13 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-13 17:46 . 2010-10-13 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-13 17:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-13 17:41 . 2010-10-13 17:41 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-13 16:15 . 2010-10-13 16:15 0 ----a-w- c:\windows\Ijeligokima.bin
2010-10-13 16:14 . 2010-10-14 04:24 843264 ----a-w- c:\windows\system32\drivers\uvyjciud.sys
2010-10-13 16:13 . 2010-10-13 16:13 144 ----a-w- c:\documents and settings\rborger\Application Data\dsfsds.bat
2010-10-13 16:13 . 2010-10-13 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-13 16:13 . 2010-10-13 19:29 -------- d-----w- c:\program files\Microsoft
2010-10-13 12:28 . 2010-10-13 12:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-30 11:14 . 2010-09-30 11:14 -------- d-----w- c:\program files\iPod
2010-09-30 11:09 . 2010-09-30 11:09 -------- d-----w- c:\program files\Bonjour
2010-09-23 11:24 . 2010-09-23 11:24 -------- d-----w- c:\program files\Corpscon6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-10-11 08:04 . 2008-03-15 13:16 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2008-03-15 13:16 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2008-03-15 13:16 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2008-03-15 13:16 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2008-03-15 13:16 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-10-14_03.39.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-14 04:03 . 2010-10-14 04:03 16384 c:\windows\Temp\Perflib_Perfdata_4e4.dat
+ 2004-08-04 10:00 . 2010-10-14 04:09 86080 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2010-10-14 03:21 86080 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2010-10-14 04:09 482536 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-10-14 03:21 482536 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-15 185896]
"SiteAdvisor"="c:\program files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 36640]
"NvMediaCenter"="NvMCTray.dll" [2007-04-29 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-03 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-19 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-12 00:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [12/9/2008 11:43 AM 86552]
R2 MSSQL$TRANSOFT;SQL Server (TRANSOFT);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
R2 Transoft Solutions License Server V1.6;Transoft Solutions License Server V1.6;c:\program files\Transoft Solutions\License Server\TransoftLS.exe [7/1/2009 4:22 PM 376832]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [12/9/2008 11:42 AM 24876]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 6:20 PM 135664]

--- Other Services/Drivers In Memory ---

*Deregistered* - uvyjciud
.
Contents of the 'Scheduled Tasks' folder

2010-10-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 22:20]

2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 22:20]

2010-09-24 c:\windows\Tasks\Norton Security Scan for rborger.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-03-07 10:32]
.
.
------- Supplementary Scan -------
.
DPF: {640373B0-6978-4FA5-A9FC-420ECBBC61C7} - hxxp://www.tekla.us/chesterfield/dll/zkitlib.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3ead6tne.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\SiteAdvisor\6173\FF\components\FFHook.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8715B44C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75e8fc3
\Driver\ACPI -> ACPI.sys @ 0xf745bcb8
\Driver\atapi -> atapi.sys @ 0xf73227b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7200ba0
PacketIndicateHandler -> NDIS.sys @ 0xf71efa0b
SendHandler -> NDIS.sys @ 0xf7203b31
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\uvyjciud]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-1647877149-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,de,0f,93,b4,f9,1e,42,80,f7,b7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,de,0f,93,b4,f9,1e,42,80,f7,b7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1528)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1592)
c:\windows\system32\WININET.dll
.
Completion time: 2010-10-14 00:28:45
ComboFix-quarantined-files.txt 2010-10-14 04:28
ComboFix2.txt 2010-10-14 03:43
ComboFix3.txt 2010-10-13 19:45

Pre-Run: 27,696,979,968 bytes free
Post-Run: 27,683,946,496 bytes free

- - End Of File - - E438F0F872C88D1F0C0B9BB4C0F10623
ComboFix 10-10-12.03 - Administrator 10/14/2010 15:36:18.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.634 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\C.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\uvyjciud.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
.

2010-10-14 03:48 . 2010-10-14 03:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2010-10-14 03:48 . 2010-10-14 03:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-10-14 02:59 . 2010-10-14 02:59 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-10-14 02:59 . 2010-10-14 02:59 -------- d-----w- C:\C
2010-10-13 18:54 . 2010-10-13 18:54 -------- d-----w- c:\documents and settings\Administrator\XES
2010-10-13 18:52 . 2010-10-13 19:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-10-13 18:52 . 2010-10-13 18:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-10-13 18:52 . 2010-10-13 18:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\SiteAdvisor
2010-10-13 18:50 . 2004-08-04 10:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-13 18:45 . 2010-10-13 18:45 58368 ----a-w- c:\windows\system32\spoolsvSrv.exe
2010-10-13 17:46 . 2010-10-13 17:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-13 17:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-13 17:46 . 2010-10-13 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-13 17:46 . 2010-10-13 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-13 17:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-13 17:41 . 2010-10-13 17:41 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-13 16:15 . 2010-10-13 16:15 0 ----a-w- c:\windows\Ijeligokima.bin
2010-10-13 16:14 . 2010-10-14 19:52 843264 ----a-w- c:\windows\system32\drivers\uvyjciud.sys
2010-10-13 16:13 . 2010-10-13 16:13 144 ----a-w- c:\documents and settings\rborger\Application Data\dsfsds.bat
2010-10-13 16:13 . 2010-10-13 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-13 16:13 . 2010-10-13 19:29 -------- d-----w- c:\program files\Microsoft
2010-10-13 12:28 . 2010-10-13 12:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-30 11:14 . 2010-09-30 11:14 -------- d-----w- c:\program files\iPod
2010-09-30 11:09 . 2010-09-30 11:09 -------- d-----w- c:\program files\Bonjour
2010-09-23 11:24 . 2010-09-23 11:24 -------- d-----w- c:\program files\Corpscon6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-10-11 08:04 . 2008-03-15 13:16 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2008-03-15 13:16 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2008-03-15 13:16 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2008-03-15 13:16 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2008-03-15 13:16 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-10-14_03.39.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-14 19:31 . 2010-10-14 19:31 16384 c:\windows\Temp\Perflib_Perfdata_4f8.dat
+ 2004-08-04 10:00 . 2010-10-14 19:36 86080 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2010-10-14 03:21 86080 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2010-10-14 19:36 482536 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-10-14 03:21 482536 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-15 185896]
"SiteAdvisor"="c:\program files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 36640]
"NvMediaCenter"="NvMCTray.dll" [2007-04-29 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-03 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-19 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-12 00:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [12/9/2008 11:43 AM 86552]
R2 MSSQL$TRANSOFT;SQL Server (TRANSOFT);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
R2 Transoft Solutions License Server V1.6;Transoft Solutions License Server V1.6;c:\program files\Transoft Solutions\License Server\TransoftLS.exe [7/1/2009 4:22 PM 376832]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [12/9/2008 11:42 AM 24876]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 6:20 PM 135664]

--- Other Services/Drivers In Memory ---

*Deregistered* - uvyjciud
.
Contents of the 'Scheduled Tasks' folder

2010-10-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 22:20]

2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 22:20]

2010-09-24 c:\windows\Tasks\Norton Security Scan for rborger.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-03-07 10:32]
.
.
------- Supplementary Scan -------
.
DPF: {640373B0-6978-4FA5-A9FC-420ECBBC61C7} - hxxp://www.tekla.us/chesterfield/dll/zkitlib.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3ead6tne.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\SiteAdvisor\6173\FF\components\FFHook.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8713644C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75e8fc3
\Driver\ACPI -> ACPI.sys @ 0xf745bcb8
\Driver\atapi -> atapi.sys @ 0xf73227b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7200ba0
PacketIndicateHandler -> NDIS.sys @ 0xf71efa0b
SendHandler -> NDIS.sys @ 0xf7203b31
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\uvyjciud]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-1647877149-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,de,0f,93,b4,f9,1e,42,80,f7,b7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f1,de,0f,93,b4,f9,1e,42,80,f7,b7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1528)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1588)
c:\windows\system32\WININET.dll
.
Completion time: 2010-10-14 15:55:54
ComboFix-quarantined-files.txt 2010-10-14 19:55
ComboFix2.txt 2010-10-14 04:28
ComboFix3.txt 2010-10-14 03:43
ComboFix4.txt 2010-10-13 19:45

Pre-Run: 27,689,603,072 bytes free
Post-Run: 27,676,454,912 bytes free

- - End Of File - - 7EE0D8DC86632DD022ECAEAFFF3376D3



#2 Elise
Bleepin' Blonde, Malware Study Hall Admin, 61,113 posts, Location: Romania

Posted 26 October 2010 - 11:31 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning; it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 jg49 (Topic Starter)
Members, 34 posts

Posted 26 October 2010 - 11:56 AM

Thanks, but I ended up reformatting the computer. I could not have it down any longer.

#4 Elise
Bleepin' Blonde, Malware Study Hall Admin, 61,113 posts, Location: Romania

Posted 26 October 2010 - 01:20 PM

I'm sorry to hear that, but I hope things are running okay now.

I will now close this topic.

regards, Elise

