Infected with Win32/Patched.DX virus


  • This topic is locked
6 replies to this topic

#1 alex2621

  • Members
  • 3 posts

Posted 30 October 2010 - 10:05 AM

Hi,

My computer has been running slowly and also had the following problems:

1. Popping up new IE windows when browsing the internet / redirecting to different pages
2. Displaying the message "HPPhotosmartEssential : There is a problem with this Windows Installer package. A program required for this install to complete could not be run. Contact support personnel or package vendor". When you click OK another Windows Installer window appears and the cycle repeats.
3. Displaying the error message "RUNDLL : Error loading C:\WINDOWS\mlevinen.dll The specified module could not be found"
4. The Windows XP firewall cannot be enabled.

I've since run a Malwarebytes / AVG anti-virus scan in safe mode and the computer seems to be running faster and I've not observed any more pop-ups; however, AVG reports that C:\WINDOWS\system32\drivers\tcpip.sys is infected.

Virus log from AVG:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1QHCPT8I\cmb10033af6353931[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1QHCPT8I\cmb10033a[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1QHCPT8I\results[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1QHCPT8I\toplogo4[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1QHCPT8I\toplogo5[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\52TJCT97\cmb10033ad71342e2[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\52TJCT97\onsurvey[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\52TJCT97\onsurvey[2].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\52TJCT97\onsurvey[3].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\52TJCT97\r[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\52TJCT97\search[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\52TJCT97\tube2[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\52TJCT97\_;mtfIFrameRequest=false;ord=1288292372285939[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\52TJCT97\_;mtfIFrameRequest=false;ord=1288292533446633[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\52TJCT97\_;mtfIFrameRequest=false;ord=1288292608208518[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\52TJCT97\_;mtfIFrameRequest=false;ord=1288293545507661[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5DY7FYP5\blank[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5DY7FYP5\cmb10033aa29bc3c9[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5DY7FYP5\cmb10033aec37ea79[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5DY7FYP5\uk_yahoo_com[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AY7DDC37\search[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AY7DDC37\_;mtfIFrameRequest=false;ord=1288292417703364[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AY7DDC37\_;mtfIFrameRequest=false;ord=1288293728258860[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CB3N7NA9\cmb10033a452e031e[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CB3N7NA9\cmb10033aa19e3f5f[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CB3N7NA9\onsurvey[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CB3N7NA9\onsurvey[2].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CB3N7NA9\_;mtfIFrameRequest=false;ord=1288292363096653[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IFVSYRCN\cmb10033a59a9bfb2[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IFVSYRCN\cmb10033acc84f39d[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IFVSYRCN\in[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IFVSYRCN\onsurvey[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LZYSBYHW\cmb10033a3434ec97[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LZYSBYHW\cmb10033a9369d867[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LZYSBYHW\md[2].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LZYSBYHW\rloading[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LZYSBYHW\_;mtfIFrameRequest=false;ord=1288292247590944[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LZYSBYHW\_;mtfIFrameRequest=false;ord=1288293364473730[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LZYSBYHW\_;mtfIFrameRequest=false;ord=1288293423700118[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LZYSBYHW\_;mtfIFrameRequest=false;ord=1288293505882277[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V4HLYEPY\cmb10033ad55e5f7f[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V4HLYEPY\r[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V4HLYEPY\_;mtfIFrameRequest=false;ord=1288292393853363[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V4HLYEPY\_;mtfIFrameRequest=false;ord=1288292596677422[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V4HLYEPY\_;mtfIFrameRequest=false;ord=1288293555651462[1].htm Virus found VBS/Generic Object was moved to Virus Vault.
C:\pagefile.sys Locked file. Not tested.
C:\Program Files\Adobe\Reader 9.0\Reader\AGM.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\BT Broadband 205\Launcher\V205Support.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\CDBurnerXP\StarBurnX12.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\CDBurnerXP\vorbis.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\Common Files\Microsoft Shared\OFFICE12\VS Runtime\MSENV.DLL Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\Common Files\System\Ole DB\MSOLAP.DLL Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\Common Files\System\Ole DB\MSOLAP80.DLL Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\Google\Picasa3\plugins\Red.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\HP\Digital Imaging\bin\hpqtbp02.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\HP\Digital Imaging\bin\vc9.0_xerces-c_2_8.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\HP\Digital Imaging\DocProc\format5.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\HP\Digital Imaging\DocProc\xerces-c_2_3_0.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\HP\Digital Imaging\LGT 2.0 plugins\Plugin_HP.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\HP\Digital Imaging\LGT 2.0 plugins\Plugin_Standard.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\HP\Digital Imaging\LGT plugins\Plugin_HP.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\HP\Digital Imaging\LGT plugins\Plugin_Standard.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\HP\Digital Imaging\Smart Web Printing\PDFCreatorPilot3.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\HP\Temp\{0E720B4A-B82A-474c-B95E-D7778590090D}\setup\msxml3.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\HP\Temp\{1079B169-EB6F-4BEF-89AD-AEC57823C16B}\hpzsetup.exe Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\MFInstall\LTCLR13n.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\MFInstall\LTKRN13n.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\Microsoft Silverlight\4.0.50524.0\coreclr.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\Microsoft Silverlight\4.0.50524.0\npctrl.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\OpenOffice.org 3\Basis\program\bf_swmi.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\OpenOffice.org 3\Basis\program\libeay32.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\OpenOffice.org 3\Basis\program\sbmi.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\OpenOffice.org 3\URE\bin\sal3.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\Program Files\Real\RealPlayer\rpplugins\rjbdll.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc225\SP3GDR\ieframe.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc225\SP3GDR\iertutil.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc225\SP3GDR\mshtml.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc225\SP3GDR\urlmon.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc225\SP3QFE\ieframe.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc225\SP3QFE\iertutil.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc225\SP3QFE\mshtml.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc225\SP3QFE\urlmon.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc229\rtmgdr\browseui.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc229\rtmgdr\mshtml.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc229\rtmgdr\shdocvw.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc229\RTMQFE\browseui.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc229\RTMQFE\mshtml.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc229\RTMQFE\shdocvw.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc231\sp1qfe\shell32.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc233\sp1qfe\query.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc234\rtmgdr\browseui.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc234\rtmgdr\mshtml.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc234\rtmgdr\shdocvw.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc234\RTMQFE\browseui.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc234\RTMQFE\mshtml.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc234\RTMQFE\shdocvw.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc242\sp1qfe\shell32.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc242\sp2gdr\shell32.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc242\sp2qfe\shell32.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc243\sp1qfe\shell32.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc243\sp2gdr\shell32.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\RECYCLER\S-1-5-21-789336058-1979792683-1801674531-1003\Dc243\sp2qfe\shell32.dll Virus identified Win32/Zbot.E Object was moved to Virus Vault.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\es.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Locked file. Not tested.
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Locked file. Not tested.
C:\WINDOWS\$NtUninstallQ828026$\wmp.dll Locked file. Not tested.
C:\WINDOWS\system32\config\default Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\software Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\system Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.
C:\WINDOWS\system32\drivers\tcpip.sys Virus identified Win32/Patched.DX

------------------------------------------------------------
Objects scanned : 284268
Found infections : 103
Found PUPs : 0
Healed infections : 102
Healed PUPs : 0
Warnings : 0
------------------------------------------------------------

Here is the DDS log file:

DDS (Ver_10-10-21.02) - NTFSx86
Run by Owner at 14:13:34.50 on 30/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1279.490 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Xmulilah] rundll32.exe "c:\windows\mlevinen.dll",Startup
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver\LVCOMS.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Gmazetoxic] rundll32.exe "c:\windows\agomodor.dll",Startup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
dRun: [ofhvfmgf] c:\documents and settings\networkservice\local settings\application data\xgsfuiyky\hwsgflftssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: valuedopinions.co.uk\www
Trusted Zone: yahoo.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EAEFAD15-8753-45EF-94B0-1BAA7970CC21} - hxxp://ferrymans.plus.com/MpegInst.cab
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://ferrymans.plus.com/JpegInst.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2003-8-19 17792]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-8-5 58984]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-10 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-10 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-10 243024]
R1 RapportCerberus_18130;RapportCerberus_18130;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\18130\RapportCerberus_18130.sys [2010-8-5 34536]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-8-5 168936]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-10-30 532224]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-19 308136]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-9-2 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-9-2 493048]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-8-5 763112]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 slnt;RTL8139D PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [2008-1-8 18004]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportmr\19211\RapportIaso.sys [2010-8-19 12544]

=============== Created Last 30 ================

2010-10-30 12:30:12 -------- d-----w- c:\docume~1\owner\applic~1\CheckPoint
2010-10-30 12:24:53 -------- d-----w- c:\program files\Conduit
2010-10-30 12:24:53 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Conduit
2010-10-30 12:24:51 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\ZoneAlarm_Security
2010-10-30 12:24:50 -------- d-----w- c:\program files\ZoneAlarm_Security
2010-10-30 12:24:29 -------- d-----w- c:\program files\CheckPoint
2010-10-30 12:23:56 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-10-30 12:23:51 -------- d-----w- c:\program files\Zone Labs
2010-10-29 18:01:05 -------- d-----w- c:\docume~1\owner\applic~1\Tynio
2010-10-29 18:01:05 -------- d-----w- c:\docume~1\owner\applic~1\Avhudi
2010-10-29 07:48:48 -------- d-----w- c:\docume~1\owner\applic~1\Qyidxu
2010-10-29 07:48:48 -------- d-----w- c:\docume~1\owner\applic~1\Ehily
2010-10-28 09:17:31 -------- d-----w- c:\docume~1\owner\applic~1\Omuv
2010-10-28 09:17:31 -------- d-----w- c:\docume~1\owner\applic~1\Dudi
2010-10-27 19:51:54 -------- d-----w- c:\program files\temp
2010-10-27 19:51:22 -------- d-----w- c:\program files\tmp
2010-10-20 08:02:31 0 ----a-w- c:\windows\Mpapak.bin
2010-10-20 08:02:25 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\{5AD8577D-E95F-4EBD-85C5-32A38E0C0208}

==================== Find3M ====================

2010-08-11 12:58:25 1409 ----a-w- c:\windows\QTFont.for

============= FINISH: 14:17:00.69 ===============

Thanks in advance,
Alex

#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:34 PM

Posted 30 October 2010 - 03:25 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

#3 alex2621

alex2621
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:34 PM

Posted 01 November 2010 - 08:28 AM

Hi Noviciate,

Thank you for responding to my post. I ran combofix twice, the first time it had trouble downloading the recovery console but I couldn't see any way to cancel the scan.

Here are the logs the program produced:

1:
ComboFix 10-10-31.04 - Owner 01/11/2010 11:57:47.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1279.857 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\EurekaLog
c:\documents and settings\Owner\Local Settings\Application Data\{5AD8577D-E95F-4EBD-85C5-32A38E0C0208}
c:\documents and settings\Owner\Local Settings\Application Data\{5AD8577D-E95F-4EBD-85C5-32A38E0C0208}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{5AD8577D-E95F-4EBD-85C5-32A38E0C0208}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{5AD8577D-E95F-4EBD-85C5-32A38E0C0208}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{5AD8577D-E95F-4EBD-85C5-32A38E0C0208}\install.rdf
c:\windows\admintxt.txt
c:\windows\agomodor.dll
c:\windows\Downloaded Program Files\Install.inf
c:\windows\system32\config\systemprofile\Application Data\Ogtabu
c:\windows\system32\config\systemprofile\Application Data\Ogtabu\ixxe.exe
c:\windows\system32\dmlconf.dat

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack :P
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-10-01 to 2010-11-01 )))))))))))))))))))))))))))))))
.

2010-10-30 12:30 . 2010-10-30 12:30 -------- d-----w- c:\documents and settings\Owner\Application Data\CheckPoint
2010-10-30 12:24 . 2010-10-30 12:54 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Conduit
2010-10-30 12:24 . 2010-10-30 12:24 -------- d-----w- c:\program files\Conduit
2010-10-30 12:24 . 2010-10-30 12:54 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ZoneAlarm_Security
2010-10-30 12:24 . 2010-10-30 12:24 -------- d-----w- c:\program files\ZoneAlarm_Security
2010-10-30 12:24 . 2010-10-30 12:24 -------- d-----w- c:\program files\CheckPoint
2010-10-30 12:24 . 2010-09-02 08:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-10-30 12:24 . 2010-09-02 08:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-10-30 12:23 . 2010-09-02 08:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-10-30 12:23 . 2010-10-30 12:23 -------- d-----w- c:\program files\Zone Labs
2010-10-29 21:35 . 2010-11-01 10:59 -------- d-----w- c:\documents and settings\Administrator
2010-10-29 18:01 . 2010-10-29 21:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Tynio
2010-10-29 18:01 . 2010-10-29 21:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Avhudi
2010-10-29 07:48 . 2010-10-29 13:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Qyidxu
2010-10-29 07:48 . 2010-10-29 07:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Ehily
2010-10-28 09:17 . 2010-10-28 14:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Dudi
2010-10-28 09:17 . 2010-10-28 09:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Omuv
2010-10-27 19:51 . 2010-10-27 19:53 -------- d-----w- c:\program files\temp
2010-10-27 19:51 . 2010-10-29 18:01 -------- d-----w- c:\program files\tmp
2010-10-27 19:50 . 2010-10-27 19:51 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Ecbiyw
2010-10-20 08:02 . 2010-11-01 10:02 0 ----a-w- c:\windows\Mpapak.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-11 12:58 . 2010-08-11 12:58 1409 ----a-w- c:\windows\QTFont.for
2010-08-05 18:19 . 2010-08-05 18:19 58984 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-06-13 18:10 2734688 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-03 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-28 315392]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-12 196608]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-11-13 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-13 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-09-02 738808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Scroll-In-Mouse V2.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Scroll-In-Mouse V2.0.lnk
backup=c:\windows\pss\Scroll-In-Mouse V2.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
2001-12-23 19:02 4608 ----a-r- c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2008-03-13 16:36 214560 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-03-13 16:36 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"ZipToA"=2 (0x2)
"UPS"=3 (0x3)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"IomegaAccess"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [19/08/2003 13:51 17792]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [05/08/2010 18:19 58984]
R1 RapportCerberus_18130;RapportCerberus_18130;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\18130\RapportCerberus_18130.sys [05/08/2010 18:29 34536]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [05/08/2010 18:19 168936]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [02/09/2010 12:26 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [02/09/2010 12:26 493048]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [05/08/2010 18:19 763112]
R3 slnt;RTL8139D PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [08/01/2008 13:10 18004]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMR\19211\RapportIaso.sys [19/08/2010 21:39 12544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1979792683-1801674531-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-03 09:55]

2010-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1979792683-1801674531-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-03 09:55]

2010-10-30 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-21 05:36]

2010-10-31 c:\windows\Tasks\User_Feed_Synchronization-{2783B93B-4AB2-40E1-82D7-25573F84BD3E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: valuedopinions.co.uk\www
Trusted Zone: yahoo.com
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {EAEFAD15-8753-45EF-94B0-1BAA7970CC21} - hxxp://ferrymans.plus.com/MpegInst.cab
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://ferrymans.plus.com/JpegInst.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Xmulilah - c:\windows\mlevinen.dll
HKLM-Run-hpqSRMon - c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
HKLM-Run-Gmazetoxic - c:\windows\agomodor.dll
HKU-Default-Run-Symantec NetDriver Warning - c:\progra~1\SYMNET~1\SNDWarn.exe
Notify-avgrsstarter - avgrsstx.dll
MSConfigStartUp-MSN Messenger - live.messenger.com
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-Windows live Messenger - msn.com
AddRemove-Fish Tycoon - c:\documents and settings\Owner\Desktop\Fish Tycoon\uninst.exe
AddRemove-HP Photosmart Essential - c:\program files\HP\Digital Imaging\PhotosmartEssential\hpzscr01.exe
AddRemove-InstallShield_{29352C60-C48D-42AF-AF54-17B282634E86} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
AddRemove-InstallShield_{929408E6-D265-4174-805F-81D1D914E2A4} - c:\progra~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-Tomb Raider II - c:\program files\Core Design\Tomb Raider II\Uninst.isu
AddRemove-Tomb Raider II Gold - c:\program files\Core Design\Tomb Raider II Gold\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-01 12:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(736)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(7040)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2010-11-01 12:20:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-01 12:20

Pre-Run: 2,020,478,976 bytes free
Post-Run: 2,087,841,792 bytes free

- - End Of File - - 578C02F9694726BEDC0B7F6C348DB8EF

2:
ComboFix 10-10-31.04 - Owner 01/11/2010 12:26:55.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1279.808 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-10-01 to 2010-11-01 )))))))))))))))))))))))))))))))
.

2010-10-30 12:30 . 2010-10-30 12:30 -------- d-----w- c:\documents and settings\Owner\Application Data\CheckPoint
2010-10-30 12:24 . 2010-10-30 12:54 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Conduit
2010-10-30 12:24 . 2010-10-30 12:24 -------- d-----w- c:\program files\Conduit
2010-10-30 12:24 . 2010-10-30 12:54 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ZoneAlarm_Security
2010-10-30 12:24 . 2010-10-30 12:24 -------- d-----w- c:\program files\ZoneAlarm_Security
2010-10-30 12:24 . 2010-10-30 12:24 -------- d-----w- c:\program files\CheckPoint
2010-10-30 12:24 . 2010-09-02 08:20 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-10-30 12:24 . 2010-09-02 08:20 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-10-30 12:23 . 2010-09-02 08:20 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-10-30 12:23 . 2010-10-30 12:23 -------- d-----w- c:\program files\Zone Labs
2010-10-29 21:35 . 2010-11-01 10:59 -------- d-----w- c:\documents and settings\Administrator
2010-10-29 18:01 . 2010-10-29 21:21 -------- d-----w- c:\documents and settings\Owner\Application Data\Tynio
2010-10-29 18:01 . 2010-10-29 21:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Avhudi
2010-10-29 07:48 . 2010-10-29 13:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Qyidxu
2010-10-29 07:48 . 2010-10-29 07:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Ehily
2010-10-28 09:17 . 2010-10-28 14:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Dudi
2010-10-28 09:17 . 2010-10-28 09:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Omuv
2010-10-27 19:51 . 2010-10-27 19:53 -------- d-----w- c:\program files\temp
2010-10-27 19:51 . 2010-10-29 18:01 -------- d-----w- c:\program files\tmp
2010-10-27 19:50 . 2010-10-27 19:51 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Ecbiyw
2010-10-20 08:02 . 2010-11-01 10:02 0 ----a-w- c:\windows\Mpapak.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-11 12:58 . 2010-08-11 12:58 1409 ----a-w- c:\windows\QTFont.for
2010-08-05 18:19 . 2010-08-05 18:19 58984 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-06-13 18:10 2734688 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-03 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-28 315392]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-12 196608]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-11-13 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-13 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-09-02 738808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Scroll-In-Mouse V2.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Scroll-In-Mouse V2.0.lnk
backup=c:\windows\pss\Scroll-In-Mouse V2.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
2001-12-23 19:02 4608 ----a-r- c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2008-03-13 16:36 214560 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-03-13 16:36 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"ZipToA"=2 (0x2)
"UPS"=3 (0x3)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"IomegaAccess"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [19/08/2003 13:51 17792]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [05/08/2010 18:19 58984]
R1 RapportCerberus_18130;RapportCerberus_18130;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\18130\RapportCerberus_18130.sys [05/08/2010 18:29 34536]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [05/08/2010 18:19 168936]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [02/09/2010 12:26 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [02/09/2010 12:26 493048]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [05/08/2010 18:19 763112]
R3 slnt;RTL8139D PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [08/01/2008 13:10 18004]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMR\19211\RapportIaso.sys [19/08/2010 21:39 12544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1979792683-1801674531-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-03 09:55]

2010-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1979792683-1801674531-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-03 09:55]

2010-10-30 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-21 05:36]

2010-10-31 c:\windows\Tasks\User_Feed_Synchronization-{2783B93B-4AB2-40E1-82D7-25573F84BD3E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: valuedopinions.co.uk\www
Trusted Zone: yahoo.com
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {EAEFAD15-8753-45EF-94B0-1BAA7970CC21} - hxxp://ferrymans.plus.com/MpegInst.cab
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://ferrymans.plus.com/JpegInst.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-01 12:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(736)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(18784)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-01 12:34:56
ComboFix-quarantined-files.txt 2010-11-01 12:34
ComboFix2.txt 2010-11-01 12:20

Pre-Run: 2,090,881,024 bytes free
Post-Run: 2,064,015,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - B59F0CFBC56C40403995812507CFAA3C

The computer seems to be running much better now. I don't have the RUNDLL error on start up and so far I have not noticed any more browser redirects. I had trouble uninstalling AVG as requested by combofix because the registry values under HKLM\software\microsoft\windows nt\currentversion\windows kept coming up as access denied. I used a program to remove AVG from the vendor's website which seemed to remove it and since running combofix the registry values can now be edited.

However I am still getting the looping message about "HPPhotosmartEssential" on start up which can not be cleared.

Alex

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:34 PM

Posted 01 November 2010 - 02:42 PM

Good evening.

"I had trouble uninstalling AVG as requested by combofix..."

Did ComboFix ask you to uninstall AVG or simply disable it?

So long, and thanks for all the fish.

#5 alex2621

alex2621
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:34 PM

Posted 01 November 2010 - 04:00 PM

I think it asked me to disable or uninstall but I'm not 100% on that now. I remember initially I tried to disable AVG but combofix still prompted to disable it even after I thought I had, so I went ahead and performed an uninstall.

Thanks,
Alex

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:34 PM

Posted 01 November 2010 - 04:03 PM

OK, will you reinstall it, or an alternative anti-virus, if you haven't already? If you fancy a change I can let you have a couple of links to other free AVs if you wish.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once you've sorted the above, work through the below and post accordingly:

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.

#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:34 PM

Posted 06 November 2010 - 05:30 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.
