
Viagra virus


11 replies to this topic

#1 lopar

Posted 11 November 2010 - 08:34 PM

Sorry, not sure if I have done this right - new to this. I saw somewhere to run something called ComboFix, which I did. It told me to post the log to this site. Not sure how to do that; I cut and pasted it as below. Is that what you need? I have a virus that sends out emails to all my address book from my Hotmail account that are not from me. When you access them it just has a website that is selling Viagra, and sometimes porn. It's going to all my friends! Can you help me stop it? After I did the ComboFix it sent another email, so clearly I haven't got the virus. Many thanks for your help. The log is here:

ComboFix 10-11-11.01 - Ian 11/11/2010 18:04:17.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.151 [GMT 0:00]
Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joint\Start Menu\Programs\WebMediaPlayer
c:\documents and settings\Joint\Start Menu\Programs\WebMediaPlayer\Privacy Policy.lnk
c:\documents and settings\Joint\Start Menu\Programs\WebMediaPlayer\Terms and conditions.lnk
c:\documents and settings\Joint\Start Menu\Programs\WebMediaPlayer\WebMediaPlayer.lnk
c:\documents and settings\Joint\Start Menu\Programs\WebMediaPlayer\Website.lnk
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\inf\internet
c:\windows\pack.epk
c:\windows\start.exe
c:\windows\system\Drivers
c:\windows\system\Drivers\DriverLanguageMap.xml
c:\windows\system\Drivers\k750bus.cat
c:\windows\system\Drivers\k750bus.inf
c:\windows\system\Drivers\k750bus.sys
c:\windows\system\Drivers\k750cm95.sys
c:\windows\system\Drivers\k750cmnt.sys
c:\windows\system\Drivers\k750cr.sys
c:\windows\system\Drivers\k750mdfl.sys
c:\windows\system\Drivers\k750mdm.cat
c:\windows\system\Drivers\k750mdm.sys
c:\windows\system\Drivers\k750mdm2.inf
c:\windows\system\Drivers\k750mdmv.inf
c:\windows\system\Drivers\k750mdmw.inf
c:\windows\system\Drivers\k750mgmt.cat
c:\windows\system\Drivers\k750mgmt.sys
c:\windows\system\Drivers\k750obex.cat
c:\windows\system\Drivers\k750obex.sys
c:\windows\system\Drivers\k750obx2.inf
c:\windows\system\Drivers\k750obxv.inf
c:\windows\system\Drivers\k750obxw.inf
c:\windows\system\Drivers\k750sdm2.inf
c:\windows\system\Drivers\k750sdmv.inf
c:\windows\system\Drivers\k750sdmw.inf
c:\windows\system\Drivers\k750wh95.sys
c:\windows\system\Drivers\k750whnt.sys
c:\windows\system\Drivers\v800bus.cat
c:\windows\system\Drivers\v800bus.inf
c:\windows\system\Drivers\v800bus.sys
c:\windows\system\Drivers\v800cm95.sys
c:\windows\system\Drivers\v800cmnt.sys
c:\windows\system\Drivers\v800cr.sys
c:\windows\system\Drivers\v800mdfl.sys
c:\windows\system\Drivers\v800mdm.cat
c:\windows\system\Drivers\v800mdm.sys
c:\windows\system\Drivers\v800mdm2.inf
c:\windows\system\Drivers\v800mdmv.inf
c:\windows\system\Drivers\v800mdmw.inf
c:\windows\system\Drivers\v800mgmt.cat
c:\windows\system\Drivers\v800mgmt.sys
c:\windows\system\Drivers\v800obex.cat
c:\windows\system\Drivers\v800obex.sys
c:\windows\system\Drivers\v800obx2.inf
c:\windows\system\Drivers\v800obxv.inf
c:\windows\system\Drivers\v800obxw.inf
c:\windows\system\Drivers\v800sdm2.inf
c:\windows\system\Drivers\v800sdmv.inf
c:\windows\system\Drivers\v800sdmw.inf
c:\windows\system\Drivers\v800wh95.sys
c:\windows\system\Drivers\v800whnt.sys
c:\windows\system\Drivers\z800bus.cat
c:\windows\system\Drivers\z800bus.inf
c:\windows\system\Drivers\z800bus.sys
c:\windows\system\Drivers\z800cm95.sys
c:\windows\system\Drivers\z800cmnt.sys
c:\windows\system\Drivers\z800cr.sys
c:\windows\system\Drivers\z800mdfl.sys
c:\windows\system\Drivers\z800mdm.cat
c:\windows\system\Drivers\z800mdm.sys
c:\windows\system\Drivers\z800mdm2.inf
c:\windows\system\Drivers\z800mdmv.inf
c:\windows\system\Drivers\z800mdmw.inf
c:\windows\system\Drivers\z800mgmt.cat
c:\windows\system\Drivers\z800mgmt.sys
c:\windows\system\Drivers\z800obex.cat
c:\windows\system\Drivers\z800obex.sys
c:\windows\system\Drivers\z800obx2.inf
c:\windows\system\Drivers\z800obxv.inf
c:\windows\system\Drivers\z800obxw.inf
c:\windows\system\Drivers\z800sdm2.inf
c:\windows\system\Drivers\z800sdmv.inf
c:\windows\system\Drivers\z800sdmw.inf
c:\windows\system\Drivers\z800wh95.sys
c:\windows\system\Drivers\z800whnt.sys
c:\windows\system\oeminfo.ini
c:\windows\system32\windows.scr
c:\windows\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2010-10-11 to 2010-11-11 )))))))))))))))))))))))))))))))
.

2010-11-09 17:29 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-09 17:29 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-09 17:28 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-09 17:28 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-09 17:28 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-09 17:28 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-09 17:28 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-09 17:24 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-11-09 17:24 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-09 17:22 . 2010-11-09 17:22 -------- dc----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-11-09 15:04 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{109FE3AA-73C5-44DA-ACF5-B1ED0B642D0B}\mpengine.dll
2010-11-08 10:29 . 2010-11-10 20:42 -------- d-----w- c:\program files\Exterminate It!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-08 19:52 . 2009-10-31 09:14 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-19 10:41 . 2009-10-03 07:23 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2009-11-29 00:53 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2010-09-18 11:23 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2006-02-28 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2006-02-28 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2006-02-28 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2006-02-28 12:00 357248 ------w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-18 10:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2006-02-28 12:00 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-21 16:17 . 2010-08-21 16:17 352256 ----a-w- c:\windows\eSellerateEngine.dll
2010-08-17 13:17 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2006-02-28 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2008-08-29 00:14 . 2008-08-29 00:23 18773765 ------w- c:\program files\f8all169ip.bin
2007-02-22 19:38 . 2007-02-22 19:38 14993976 ------w- c:\program files\GoogleEarthWin.exe
2007-02-19 20:29 . 2007-02-19 20:29 1959424 ------w- c:\program files\3090A_XPdrv71205.exe
2007-02-18 15:09 . 2007-02-18 15:09 39994008 ------w- c:\program files\zlsSetup_70_302_000_en.exe
2006-11-15 17:31 . 2006-11-15 17:31 814547 ------w- c:\program files\RegSupreme_setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"SiSPower"="SiSPower.dll" [2004-09-02 49152]
"ptrun"="PTControlPanel.exe" [2008-03-24 3575808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-05-26 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-12 103768]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]

c:\documents and settings\Ian\Start Menu\Programs\Startup\
MailWasherPro.lnk - c:\program files\MailWasher\MailWasher.exe [2006-5-26 5541888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableClock"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoMultiIE"= 0 (0x0)
"LWA"= 0 (0x0)
"LWB"= 0 (0x0)
"LWC"= 0 (0x0)
"LWD"= 0 (0x0)
"LWE"= 0 (0x0)
"LWF"= 0 (0x0)
"LWG"= 0 (0x0)
"LWH"= 0 (0x0)
"LWI"= 0 (0x0)
"LWJ"= 0 (0x0)
"LWK"= 0 (0x0)
"LWL"= 0 (0x0)
"LWM"= 0 (0x0)
"LWN"= 0 (0x0)
"LWO"= 0 (0x0)
"LWP"= 0 (0x0)
"LWQ"= 0 (0x0)
"LWR"= 0 (0x0)
"LWS"= 0 (0x0)
"LWT"= 0 (0x0)
"LWU"= 0 (0x0)
"LWV"= 0 (0x0)
"LWW"= 0 (0x0)
"LWX"= 0 (0x0)
"LWY"= 0 (0x0)
"LWZ"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-20 16:11 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C /k:D /k:E *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TotalMedia Backup Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk
backup=c:\windows\pss\TotalMedia Backup Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ian^Start Menu^Programs^Startup^Microsoft SharePoint Workspace.lnk]
path=c:\documents and settings\Ian\Start Menu\Programs\Startup\Microsoft SharePoint Workspace.lnk
backup=c:\windows\pss\Microsoft SharePoint Workspace.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ian^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Ian\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fssui
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ParentalControl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 01:04 39792 ------w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-08 16:31 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 10:19 207360 ------w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 13:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2010-02-28 01:09 519584 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2005-08-01 12:05 94208 ------w- c:\program files\Lexmark 2300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2009-04-03 23:50 1168264 ------w- c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 01:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-10-21 10:26 1032640 ------w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcgmon.exe]
2005-07-21 06:07 200704 ------w- c:\program files\Lexmark 2300 Series\lxcgmon.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 14:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-12-19 01:47 8720384 ------w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2010-03-16 01:58 718208 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 10:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 16:07 2260480 --sh--r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-11-07 17:52 2424560 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-19 01:48 39408 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=3 (0x3)
"ACDaemon"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WORKFLOW"=f:\installs\WORKFLOW.EXE
"KodakCCS"=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe"
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe"
"TaskMonitor"=d:\windows\taskmon.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"LXCGCATS"=rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
"ScanRegistry"=d:\windows\scanregw.exe /autorun
"BJCFD"=c:\program files\BroadJump\Client Foundation\CFD.exe
"CARPService"=carpserv.exe
"MSConfigReminder"=c:\windows\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"SchedulingAgent"=mstask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Panicware\\Pop-Up Stopper Free Edition\\PSFree.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [26/02/2010 20:48 64288]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [09/11/2010 17:29 165584]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\SYSTEM32\DRIVERS\ctxusbm.sys [08/09/2009 17:13 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [19/08/2008 22:34 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [19/08/2008 22:34 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [09/11/2010 17:29 17744]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 13:35 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 13:35 493032]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S1 RapportBuka;RapportBuka;\??\c:\windows\system32\drivers\RapportBuka.sys --> c:\windows\system32\drivers\RapportBuka.sys [?]
S1 RapportPG;RapportPG;\??\c:\program files\Trusteer\Rapport\bin\RapportPG.sys --> c:\program files\Trusteer\Rapport\bin\RapportPG.sys [?]
S2 gupdate1c98c9196b88090;Google Update Service (gupdate1c98c9196b88090);c:\program files\Google\Update\GoogleUpdate.exe [11/02/2009 21:41 133104]
S2 RapportMgmtService;Rapport Management Service;"c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe" --> c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [?]
S3 AEXPAM;Philips SmartManage Service;c:\windows\system32\Drivers\aexpamdrv.sys --> c:\windows\system32\Drivers\aexpamdrv.sys [?]
S3 cmiainfo;cmiainfo;\??\c:\documents and settings\Joint\Local Settings\Temp\{E03CB61E-45A6-4653-909A-6BC2C5EFBFB5}\{C6F74245-2B77-40F4-AADA-D2BAE56CB113}\cmiainfo.sys --> c:\documents and settings\Joint\Local Settings\Temp\{E03CB61E-45A6-4653-909A-6BC2C5EFBFB5}\{C6F74245-2B77-40F4-AADA-D2BAE56CB113}\cmiainfo.sys [?]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\h:\bootcd\WinTools\EVEREST Home Edition\kerneld.wnt --> h:\bootcd\WinTools\EVEREST Home Edition\kerneld.wnt [?]
S3 HSFHWCD2;HSFHWCD2;c:\windows\SYSTEM32\DRIVERS\HSFHWCD2.sys [20/02/2007 18:48 201728]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/07/2010 08:55 1375992]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [28/08/2010 12:38 15264]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 09:25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 20:37 4640000]
S3 pcwe;pcwe;\??\e:\bootcd\WinTools\PCWizard\pcw86-32.sys --> e:\bootcd\WinTools\PCWizard\pcw86-32.sys [?]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\SYSTEM32\DRIVERS\s115bus.sys [23/04/2007 13:54 83208]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\SYSTEM32\DRIVERS\s115mgmt.sys [23/04/2007 13:54 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\SYSTEM32\DRIVERS\s115obex.sys [23/04/2007 13:54 98568]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [19/08/2008 22:34 12872]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [03/04/2009 23:24 356920]
S4 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\SYSTEM32\DRIVERS\sis7012.sys [19/03/2007 22:08 177280]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ------w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ------w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 00:12 73216 ------w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 00:12 73216 ------w- c:\progra~1\OUTLOO~1\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 16:17 7168 ----a-w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder

2010-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-11-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-19 01:47]

2010-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 21:41]

2010-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 21:41]

2010-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-507921405-1060284298-1006Core.job
- c:\documents and settings\Joint\Application Data\Google\Update\GoogleUpdate.exe [2010-05-22 16:38]

2010-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-507921405-1060284298-1006UA.job
- c:\documents and settings\Joint\Application Data\Google\Update\GoogleUpdate.exe [2010-05-22 16:38]

2010-11-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-03-25 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-08-24 15:31]

2007-03-23 c:\windows\Tasks\Uninstall Expiration Reminder.job
- c:\windows\system32\OOBE\oobebaln.exe [2007-02-08 00:12]

2010-11-11 c:\windows\Tasks\User_Feed_Synchronization-{1A9A7ED4-3376-4540-9579-8224A1BD3952}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]

2010-11-11 c:\windows\Tasks\User_Feed_Synchronization-{76C0439D-9DB2-4309-9FDB-828F48AE43CC}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]

2010-11-11 c:\windows\Tasks\User_Feed_Synchronization-{7A80DC55-9111-4DD5-B1DD-62516FCEE0A7}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]

2010-11-11 c:\windows\Tasks\User_Feed_Synchronization-{B7C42381-2A19-49B4-88C0-D2339839FE22}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?hl=en&ned=uk&tab=nw
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
uInternet Settings,ProxyOverride = localhost;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Search with Freeserve
IE: Wanadoo Search - file://c:\program files\WANADOO1\Cache\SelectedContextSearch.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
LSP: ptsp.dll
Trusted Zone: google.co.uk\www
Trusted Zone: hants.gov.uk\owa
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss50.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://passport.hants.gov.uk/dana-cached/sc/JuniperSetupClient.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
Notify-avgrsstarter - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-SiS7012 - c:\progra~1\SiS7012\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7012



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-11 18:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EverestDriver]
"ImagePath"="\??\h:\bootcd\WinTools\EVEREST Home Edition\kerneld.wnt"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6FF92F3D-3F24-F6C6-F982-E83A6F4FA95B}\InProcServer32*]
"janignpdmlclhgaleblk"=hex:6a,61,6f,6a,6c,63,65,70,64,64,64,67,6a,6e,6e,6d,64,
6c,61,65,00,00
"ianimmfgcifdhoklmj"=hex:6a,61,6f,6a,6c,63,65,70,64,64,64,67,6a,6e,6e,6d,64,6c,
61,65,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(504)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'lsass.exe'(560)
c:\windows\system32\ptsp.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'explorer.exe'(3588)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~1\Office14\1033\GrooveIntlResource.dll
c:\progra~1\PANICW~1\POP-UP~1\XAHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\ptsp.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\PTControlPanel.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
.
**************************************************************************
.
Completion time: 2010-11-11 19:17:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-11 19:17

Pre-Run: 35,607,988,736 bytes free
Post-Run: 38,469,374,976 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin

- - End Of File - - 645EA876D93898735E5DCCBD52683AB2


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:08:37 AM

Posted 19 November 2010 - 05:40 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

EDIT: You should never run ComboFix without trained supervision. It is a very powerful tool and can cause serious damage to your PC.

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.




#3 lopar

lopar
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:37 AM

Posted 22 November 2010 - 07:07 PM

Hi - thank you very much - I do hope you can help me. The problem is a virus that sends Viagra-related material from my Windows Live Mail account to all my contacts.
Here is the DDS text

DDS (Ver_10-11-10.01) - NTFSx86
Run by Ian at 17:41:47.63 on 22/11/2010
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============

C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\PTControlPanel.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\PTControlPanel.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Ian\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?hl=en&ned=uk&tab=nw
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
uInternet Settings,ProxyOverride = localhost;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: {b56a7d7d-6927-48c8-a975-17df180c71ac} - PCTools Browser Monitor
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {8B68564D-53FD-4293-B80C-993A9F3988EE} - No File
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {4E7BD74F-2B8D-469E-A3F1-F068B59BBB2A} - No File
TB: {4E7BD74F-2B8D-469E-A0FB-F862B587B57D} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [PopUpStopperFreeEdition] "c:\progra~1\panicw~1\pop-up~1\PSFree.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [ptrun] PTControlPanel.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoMultiIE = 0 (0x0)
uPolicies-explorer: LWA = 0 (0x0)
uPolicies-explorer: LWB = 0 (0x0)
uPolicies-explorer: LWC = 0 (0x0)
uPolicies-explorer: LWD = 0 (0x0)
uPolicies-explorer: LWE = 0 (0x0)
uPolicies-explorer: LWF = 0 (0x0)
uPolicies-explorer: LWG = 0 (0x0)
uPolicies-explorer: LWH = 0 (0x0)
uPolicies-explorer: LWI = 0 (0x0)
uPolicies-explorer: LWJ = 0 (0x0)
uPolicies-explorer: LWK = 0 (0x0)
uPolicies-explorer: LWL = 0 (0x0)
uPolicies-explorer: LWM = 0 (0x0)
uPolicies-explorer: LWN = 0 (0x0)
uPolicies-explorer: LWO = 0 (0x0)
uPolicies-explorer: LWP = 0 (0x0)
uPolicies-explorer: LWQ = 0 (0x0)
uPolicies-explorer: LWR = 0 (0x0)
uPolicies-explorer: LWS = 0 (0x0)
uPolicies-explorer: LWT = 0 (0x0)
uPolicies-explorer: LWU = 0 (0x0)
uPolicies-explorer: LWV = 0 (0x0)
uPolicies-explorer: LWW = 0 (0x0)
uPolicies-explorer: LWX = 0 (0x0)
uPolicies-explorer: LWY = 0 (0x0)
uPolicies-explorer: LWZ = 0 (0x0)
uPolicies-system: DisableClock = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: Search with Freeserve
IE: Wanadoo Search - file://c:\program files\wanadoo1\cache\SelectedContextSearch.htm
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: ptsp.dll
Trusted Zone: google.co.uk\www
Trusted Zone: hants.gov.uk\owa
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.4.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174322920172
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171810906757
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38913.6425231481
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://passport.hants.gov.uk/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://passport.hants.gov.uk/dana-cached/sc/JuniperSetupClient.cab
DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} - hxxps://www.plaxo.com/activex/plx_upldr-2k-xp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6} - c:\program files\common files\microsoft shared\information retrieval\itss50.dll
Handler: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - c:\progra~1\common~1\micros~1\refere~1\msref.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /app:oe /caller:win9x /user /install - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outloo~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outloo~1\setup50.exe" /app:wab /caller:win9x /user /install - "c:\progra~1\outloo~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
mASetup: {9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} - c:\windows\system32\updcrl.exe -e -u c:\windows\system\verisignpub1.crl

============= SERVICES / DRIVERS ===============

R? AEXPAM;Philips SmartManage Service
R? avast! Mail Scanner;avast! Mail Scanner
R? avast! Web Scanner;avast! Web Scanner
R? cmiainfo;cmiainfo
R? EverestDriver;Lavalys EVEREST Kernel Driver
R? gupdate1c98c9196b88090;Google Update Service (gupdate1c98c9196b88090)
R? HSFHWCD2;HSFHWCD2
R? IKFileSec;File Security Driver
R? IKSysFlt;System Filter Driver
R? IKSysSec;System Security Driver
R? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
R? Lavasoft Kernexplorer;Lavasoft helper driver
R? Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service
R? pcwe;pcwe
R? RapportBuka;RapportBuka
R? RapportMgmtService;Rapport Management Service
R? RapportPG;RapportPG
R? s115bus;Sony Ericsson Device 115 driver (WDM)
R? s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM)
R? s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface
R? SASENUM;SASENUM
R? sdAuxService;PC Tools Auxiliary Service
R? sdCoreService;PC Tools Security Service
R? SiS7012;Service for AC'97 Sample Driver (WDM)
S? aswFsBlk;aswFsBlk
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? ctxusbm;Citrix USB Monitor Driver
S? ISWKL;ZoneAlarm Toolbar ISWKL
S? IswSvc;ZoneAlarm Toolbar IswSvc
S? Lbd;Lbd
S? osppsvc;Office Software Protection Platform
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
S? vsdatant;vsdatant
S? vsmon;TrueVector Internet Monitor
S? WinDefend;Windows Defender

=============== Created Last 30 ================

2010-11-20 13:16:50 6273872 ----a-w- c:\docume~2\alluse~1\applic~1\microsoft\windows defender\definition updates\{aa8bf5e5-a669-4486-991e-887d04ee2f34}\mpengine.dll
2010-11-11 17:58:33 -------- dcsha-r- C:\cmdcons
2010-11-11 17:51:06 89088 ----a-w- c:\windows\MBR.exe
2010-11-11 17:51:06 256512 ----a-w- c:\windows\PEV.exe
2010-11-11 17:51:06 161792 ----a-w- c:\windows\SWREG.exe
2010-11-11 17:51:05 98816 ----a-w- c:\windows\sed.exe
2010-11-09 17:24:57 38848 ----a-w- c:\windows\avastSS.scr
2010-11-09 17:22:05 -------- dc----w- c:\docume~2\alluse~1\applic~1\Alwil Software
2010-11-08 10:29:12 -------- d-----w- c:\program files\Exterminate It!

==================== Find3M ====================

2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2008-08-29 00:14:35 18773765 ------w- c:\program files\f8all169ip.bin
2007-02-22 19:38:20 14993976 ------w- c:\program files\GoogleEarthWin.exe
2007-02-19 20:29:02 1959424 ------w- c:\program files\3090A_XPdrv71205.exe
2007-02-18 15:09:58 39994008 ------w- c:\program files\zlsSetup_70_302_000_en.exe
2006-11-15 17:31:44 814547 ------w- c:\program files\RegSupreme_setup.exe

============= FINISH: 17:52:21.98 ===============

Here is the attach txt - I am terribly sorry but I wasn't able to attach the zip file - it wouldn't let me. I am pasting it here. Hope that's OK.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 15/02/2007 21:56:28
System Uptime: 22/11/2010 12:34:04 (5 hours ago)

Motherboard: ECS | | M810D
Processor: AMD Athlon™ Processor | Slot-1 | 1244/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 77 GiB total, 34.849 GiB free.
D: is FIXED (NTFS) - 2 GiB total, 0.774 GiB free.
E: is FIXED (NTFS) - 4 GiB total, 2.876 GiB free.
F: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: SiS 900 PCI Fast Ethernet Adapter
Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_09001039&REV_90\3&61AAA01&0&20
Manufacturer: SiS
Name: SiS 900 PCI Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_09001039&REV_90\3&61AAA01&0&20
Service: SISNIC

==== System Restore Points ===================

RP140: 26/10/2010 09:25:07 - Software Distribution Service 3.0
RP141: 27/10/2010 12:47:54 - System Checkpoint
RP142: 28/10/2010 21:56:04 - System Checkpoint
RP143: 29/10/2010 11:28:19 - Software Distribution Service 3.0
RP144: 30/10/2010 13:07:41 - System Checkpoint
RP145: 31/10/2010 18:18:30 - System Checkpoint
RP146: 01/11/2010 21:24:04 - System Checkpoint
RP147: 02/11/2010 09:58:03 - Software Distribution Service 3.0
RP148: 03/11/2010 12:37:27 - System Checkpoint
RP149: 04/11/2010 13:17:19 - System Checkpoint
RP150: 04/11/2010 14:51:01 - Software Distribution Service 3.0
RP151: 05/11/2010 13:08:20 - Software Distribution Service 3.0
RP152: 06/11/2010 14:27:43 - System Checkpoint
RP153: 07/11/2010 15:25:50 - System Checkpoint
RP154: 08/11/2010 12:30:10 - Spybot-S&D Spyware removal
RP155: 09/11/2010 15:02:48 - Software Distribution Service 3.0
RP156: 09/11/2010 17:22:04 - avast! Free Antivirus Setup
RP157: 09/11/2010 17:43:33 - Revo Uninstaller's restore point - Panda Cloud Antivirus
RP158: 10/11/2010 17:46:25 - System Checkpoint
RP159: 10/11/2010 19:39:51 - Revo Uninstaller's restore point - Viagravirus Removal Tool [1]
RP160: 11/11/2010 09:07:39 - Software Distribution Service 3.0
RP161: 12/11/2010 12:45:26 - Software Distribution Service 3.0
RP162: 13/11/2010 14:30:05 - System Checkpoint
RP163: 14/11/2010 14:37:37 - System Checkpoint
RP164: 15/11/2010 17:06:19 - System Checkpoint
RP165: 16/11/2010 16:10:49 - Software Distribution Service 3.0
RP166: 17/11/2010 16:58:26 - System Checkpoint
RP167: 18/11/2010 17:37:30 - System Checkpoint
RP168: 19/11/2010 18:03:18 - System Checkpoint
RP169: 20/11/2010 13:16:04 - Software Distribution Service 3.0
RP170: 21/11/2010 14:26:31 - System Checkpoint
RP171: 22/11/2010 14:36:19 - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Acrobat 5.0
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Photoshop 5.0
Adobe Reader 8.1.4
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft TotalMedia Backup
AutoUpdate
avast! Free Antivirus
BAMZOOKi v3.1 (build 115.158)
BBC Balamory
BBC iPlayer Desktop
Bonjour
BroadJump Client Foundation
C-Media WDM Audio Driver
Canon i450
Canon Utilities Easy-PhotoPrint
CCHelp
CCleaner
CCScore
Choice Guard
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
COMMUNICATE!-32
Compatibility Pack for the 2007 Office system
CR2
Create your own Model Railway 1.3
Definition update for Microsoft Office 2010 (KB982726)
DivX Codec
DivX Content Uploader
DivX Player
DivX Web Player
Encarta World Atlas 99
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSTUTOR
ESSvpaht
ESSvpot
Exterminate It!
Fighters Anthology
Free Internet Window Washer
Google Earth
Google Photos Screensaver
Google Update Helper
Google Updater
Hamsterball Gold 2.18
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
IKEA HomePlanner Kitchen
Intel® 536EP Modem
Intel® 536EP Modem Drivers and Utilities
iTunes
Java™ 6 Update 13
Java™ 6 Update 6
Java™ 6 Update 7
Jump Ahead 2000 Year 2 v1.0
Juniper Networks Cache Cleaner 5.5.0
Juniper Networks Cache Cleaner 6.4.0
Juniper Networks Setup Client
Junk Mail filter update
Kodak EasyShare software
KSU
LEGO Digital Designer
Lexmark 2300 Series
MailWasher Free
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft AutoRoute Express Europe 98
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta 98 Encyclopedia
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Professional Edition
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Software Update for Web Folders (English) 14
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft XML Parser and SDK
MioMore Desktop 2008
MobileMe Control Panel
Moodflow.com Inspirational Screen Saver
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
MySpaceIM
Nero Suite
Notifier
OTtBP
Parental InternetFilter 3.1
PCDLNCH
Philips Flat Panel Adjust
Pop-Up Stopper Free Edition
PowerDVD
Quake II
QuickTime
RealPlayer
Realtek AC'97 Audio
RegSupreme 1.4
Revo Uninstaller 1.90
Safari
SecondLife (remove only)
Security Task Manager 1.7
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office 2010 (KB2289161)
Security Update for Microsoft Word 2010 (KB2345000)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB982132)
Segoe UI
SFR
SFR2
SiS 900 PCI Fast Ethernet Adapter Driver
Sky Broadband
Sky Player
Sony Ericsson PC Suite
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Spyware Doctor 6.0
SUPERAntiSpyware Free Edition
Thomas & Friends - The Great Festival Adventure
ThrustMaster Sprint Racing Wheel
TOCA Touring Car Championship (Codemasters)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft OneNote 2010 (KB2288640)
Update for Microsoft Outlook Social Connector (KB2289116)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2345886)
User Profile Hive Cleanup Service
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Defender
Windows Imaging Component
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Media DRM Reset
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
Yahoo! Toolbar
ZoneAlarm
ZoneAlarm Spy Blocker
ZoneAlarm Toolbar
Zoom V.92 USB Faxmodem Upgrade

==== Event Viewer Messages From Past Week ========

18/11/2010 16:50:08, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.2 with the system having network hardware address 00:26:B0:42:29:4A. Network operations on this system may be disrupted as a result.
18/11/2010 08:19:26, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The authentication service is unknown.
18/11/2010 08:19:26, error: Service Control Manager [7000] - The Rapport Management Service service failed to start due to the following error: The system cannot find the path specified.
18/11/2010 08:18:22, error: Dhcp [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 000E2E8EF482 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
17/11/2010 11:39:24, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: szkg
17/11/2010 11:39:24, error: Service Control Manager [7022] - The KService service hung on starting.
17/11/2010 11:36:58, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 000E2E8EF482 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================


I have also run the Defogger tool which was fine but I could not run GMER. I downloaded it OK but on the first run it caused the computer to hang. I did a forced reboot but it hung again (wouldn't even start to run), tried once more with the same result and then tried to run it in safe mode - same result again. I therefore cannot post this log.

Edited by elise025, 25 November 2010 - 05:39 AM.
email address removed for security reasons ~ Elise
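The DDS report posted above is what the responders read by eye: startup entries (uRun/mRun/dRun), browser helper objects and toolbars whose CLSID resolves to "No File", the Winsock LSP chain, and downloaded ActiveX controls (DPF) with their URLs defanged as hxxp://. The script below is an added example, not part of this thread or of the DDS tool, that pulls those items out of the "Pseudo HJT Report" section so the same triage can be done mechanically. The sample input is a handful of lines excerpted from the log above (constructed for the example, not the full report); the heuristics it flags (orphaned CLSIDs, Run entries that name a bare file rather than a full path, Rundll32 loaders, LSP entries) are assumptions about what is worth a second look, not a verdict on this machine.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log (added example)."""
import re

# Constructed sample: lines excerpted from the DDS report posted in this thread.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?hl=en&ned=uk&tab=nw
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: {8B68564D-53FD-4293-B80C-993A9F3988EE} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
LSP: ptsp.dll
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

============= SERVICES / DRIVERS ===============
"""

RUN_RE = re.compile(r"^(?P<scope>[umd])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
SCOPES = {"u": "user", "m": "machine", "d": "default"}


def refang(url: str) -> str:
    """DDS writes URLs as hxxp:// so they are not clickable in a forum post; undo that."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def extract_section(text: str, title: str) -> list[str]:
    """Non-empty lines between the '=== title ===' banner and the next banner."""
    out, inside = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("=") and stripped.endswith("="):
            inside = title.lower() in stripped.lower()
            continue
        if inside and stripped:
            out.append(line.rstrip())
    return out


def first_executable(cmd: str) -> str:
    """Pull the program out of a Run command: a quoted path, else up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")
    if i >= 0:
        return cmd[: i + 4]
    return cmd.split()[0] if cmd else ""


def parse_hjt(text: str) -> dict:
    """Collect the items a responder checks first from the Pseudo HJT section."""
    report = {"orphans": [], "runs": [], "lsp": [], "dpf": []}
    for line in extract_section(text, "Pseudo HJT Report"):
        kind, sep, rest = line.partition(":")
        if not sep:
            continue
        rest = rest.strip()
        m = RUN_RE.match(line)
        if m:
            exe = first_executable(m["cmd"])
            report["runs"].append({
                "scope": SCOPES[m["scope"]],
                "name": m["name"],
                "command": m["cmd"].strip(),
                # A bare file name is resolved through the search path at logon, so the
                # log alone does not tell you which copy of that binary actually runs.
                "bare_path": "\\" not in exe,
                "rundll32": exe.lower().endswith("rundll32.exe"),
            })
        elif rest.endswith("- No File"):
            # Registered CLSID whose DLL is gone: leftover of an uninstall or a cleanup.
            clsid = CLSID_RE.search(rest)
            report["orphans"].append((kind, clsid.group(0) if clsid else rest))
        elif kind == "LSP":
            # Layered Service Providers sit in the Winsock chain and see all traffic.
            report["lsp"].append(rest)
        elif kind == "DPF":
            clsid = CLSID_RE.search(rest)
            url = rest.rsplit(" - ", 1)[-1]
            report["dpf"].append((clsid.group(0) if clsid else "", refang(url)))
    return report


if __name__ == "__main__":
    r = parse_hjt(SAMPLE_DDS)
    for kind, clsid in r["orphans"]:
        print(f"orphaned {kind} entry: {clsid}")
    for run in r["runs"]:
        flags = [k for k in ("bare_path", "rundll32") if run[k]]
        print(f"{run['scope']:7} Run [{run['name']}] {run['command']} {flags or ''}")
    print("LSP:", r["lsp"])
    print("DPF:", r["dpf"])
```

The parser only reads the section between the two banner lines, so it can be pointed at a whole DDS.txt; the "SERVICES / DRIVERS" and "Created Last 30" sections have different line shapes and would need their own handlers. Entries it flags are prompts for a human check (where does SOUNDMAN.EXE actually live, what registered ptsp.dll), not indicators of compromise in themselves, which matches Elise's reading of this particular log below.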


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,576 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:37 AM

Posted 25 November 2010 - 05:41 AM

Hello, and sorry for the delay.

First of all, did you try to change your email password and if so, did this stop the spamming?

Besides this, do you have any other problems?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 lopar

lopar
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:37 AM

Posted 27 November 2010 - 09:38 AM

Windows Live Mail has detected a possible virus and has disabled the account so I can't see if it's sending any more. I have not re-enabled it until the virus is removed. Another email program has told me I have 131 emails to that account - so it's still doing something. I cannot access the emails however. The point is I need to ensure the virus is removed. Can you help me with that? Should I go to another site perhaps if you are all inundated with other problems at this site? It has been 2 weeks now and the only advice so far has been to change the password. I really understand that you guys are really busy and you are volunteers, and I do really appreciate you giving up your time selflessly, so please don't take this the wrong way, but I am rather desperate to get it removed so I stop embarrassing my friends. Can you help?

#6 Elise

Posted 27 November 2010 - 10:15 AM

I am asking you this because 1) in my experience the vast majority of spam cases are fixed with a password change and 2) no active malware shows in your log.

As long as you do not change those passwords you can be assured your accounts will continue to send out spam. I am pretty convinced that, no matter at what forum you ask this question, the reply will be the same.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


#7 lopar


Posted 27 November 2010 - 07:23 PM

Thanks very much. I ran MBAM a couple of weeks ago when I first spotted the problem but it found nothing at all.
I am not sure I understand what you are saying - my simple brain says that if my PC is sending out unpleasant emails to everyone in my address book and I haven't done it, I MUST have a virus. Or are you saying that it's possible for my PC not to be infected and somehow the emails are sent remotely? Can you explain? If that is indeed the case then I will, as you say, just change the password and stop worrying about it. I am rather assuming though that I have something in my PC that I need to get rid of - is that not the case then?
Finally, I couldn't run the GMER thing - it caused my system to hang. I don't know what that program is but is that a problem in itself? Would successfully running that program perhaps pick up the virus (if there is one)? Thank you very much for your continued help.

#8 Elise


Posted 28 November 2010 - 03:14 AM

GMER is a rootkit detector and known to be unstable. Combofix uses parts of GMER and would have indicated a rootkit. We can run another rootkit detector, but I'm pretty sure it will not find anything.

  • Please Download Rootkit Unhooker Save it to your desktop.
  • extract RKUnhooker to your desktop
    Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


Basically what happened is: someone hacked your email account, either by "guessing" the password, or by tricking you into visiting a site that asked for your login credentials or tracked them (typically sites like: find out who has blocked you, or: you have been selected to win something). Altering the password will prevent the spammer from accessing your mail and thus from sending out spam.

regards, Elise


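The distinction Elise draws above (mail sent by the PC versus the account being used from elsewhere) can be settled from the headers of one of the spam messages as received by a friend. The following is an added example, not code from the thread or from BleepingComputer: it walks the Received: chain oldest-hop-first and reads the webmail provider's client stamp. The message it parses is constructed, with documentation and TEST-NET addresses and made-up hostnames, and it assumes the provider records the logged-in client's address in an X-Originating-IP header, as Hotmail did at the time of this thread. The home-network list passed to it is also an assumption: the ComboFix log shows the LAN as 192.168.0.0/24 but the home connection's public address is not on the page.

```python
"""Triage the headers of a suspect message: was it submitted from the victim's
own network, or from somewhere else through the webmail provider?

Added example, not part of the thread.  SAMPLE_RAW is constructed; hostnames
and addresses are documentation/TEST-NET values.
"""
import email
import ipaddress
import re
from email import policy

# Constructed sample, as a friend's mail server would have received it.
SAMPLE_RAW = """\
Received: from webmail-out.example.com (198.51.100.20) by mx.example.net
 with SMTP; Thu, 18 Nov 2010 16:55:01 +0000
Received: from WEBMAIL-FE07 ([198.51.100.21]) by webmail-out.example.com
 with SMTP id k3x9; Thu, 18 Nov 2010 16:54:58 +0000
X-Originating-IP: [203.0.113.45]
From: Ian <victim@example.com>
To: friend@example.net
Subject: hey look at this
Message-ID: <WEBMAIL-FE07-1234@example.com>

http://pharmacy.example/
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_message(raw: str):
    """Parse raw RFC 5322 text; policy.default unfolds continuation lines for us."""
    return email.message_from_string(raw, policy=policy.default)


def _valid_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def received_hops(msg) -> list:
    """IPs named in each Received: header, oldest hop first.

    Every relay prepends its own Received: header, so header order is newest
    first; reversing it recovers the path the message actually travelled.
    """
    return [[ip for ip in IPV4.findall(value) if _valid_ip(ip)]
            for value in reversed(msg.get_all("Received", []))]


def originating_ip(msg):
    """Client address the webmail front end stamped at submission, or None.

    Assumption: the provider adds X-Originating-IP (Hotmail did in 2010).
    """
    value = msg.get("X-Originating-IP")
    match = IPV4.search(value) if value else None
    return match.group(1) if match else None


def classify_origin(raw: str, home_networks) -> dict:
    """Compare the submitting address with the victim's own networks.

    home_networks: CIDR strings.  Webmail sees the home connection's public
    address (give it as a /32 if known); the LAN range only matters when the
    first Received: hop names a machine on it, i.e. mail submitted by a local
    client.  A hit means the message left the victim's own machines and
    PC-side malware is plausible; a miss means the account itself was used
    from elsewhere, which a password change stops.
    """
    msg = parse_message(raw)
    origin = originating_ip(msg)
    if origin is None:                      # no webmail stamp: fall back to the first relay hop
        hops = received_hops(msg)
        origin = hops[0][0] if hops and hops[0] else None
    if origin is None:
        return {"origin": None, "verdict": "undetermined: no originating address in headers"}
    addr = ipaddress.ip_address(origin)
    if any(addr in ipaddress.ip_network(net) for net in home_networks):
        verdict = "submitted from your own network: suspect the PC"
    else:
        verdict = "submitted from elsewhere via webmail: suspect stolen credentials, change the password"
    return {"origin": origin, "verdict": verdict}


if __name__ == "__main__":
    # LAN range taken from the ComboFix log; the home public address is not known here.
    print(classify_origin(SAMPLE_RAW, ["192.168.0.0/24"]))
```

Run against the real spam, the verdict is only as good as the header stamp: a mail client on an infected PC submitting through the provider's SMTP server produces the same stamp as a browser, so a "from your own network" hit should be followed by the scans in this thread, while a miss is the account-takeover case Elise describes.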

#9 lopar


Posted 28 November 2010 - 12:58 PM

Thank you very much Elise - I understand what has happened now. I have changed the password and re-enabled the account. Here is the log. Anything to be concerned about?
If not, may I just express my appreciation for your help.

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF012000 C:\WINDOWS\System32\SiSGRV.dll 2736128 bytes (Silicon Integrated Systems Corporation, SiS Compatible Super VGA Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xF6A66000 C:\WINDOWS\system32\DRIVERS\IntelS51.sys 1863680 bytes (Intel Corporation, Intel V.92 Modem)
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF6C51000 C:\WINDOWS\system32\drivers\cmuda.sys 1376256 bytes (C-Media Inc, C-Media Audio WDM Driver)
0xF755C000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF03C1000 C:\WINDOWS\System32\vsdatant.sys 528384 bytes (Check Point Software Technologies LTD, ZoneAlarm Firewalling Driver)
0xF69D1000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF046A000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xEF3F1000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xEF068000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF6E10000 C:\WINDOWS\System32\DRIVERS\sisgrp.sys 262144 bytes (Silicon Integrated Systems Corporation, SiS Compatible Super VGA Driver)
0xF767A000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF752F000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEE2A4000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF0442000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF0357000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xEFE5B000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF6DC4000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6C2D000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6DA1000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF04F6000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 143360 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xF039F000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF037D000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0xF7612000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF6A46000 C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys 131072 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xF764A000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF7515000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7632000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF0303000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF75E9000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6A2F000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF0115000 C:\WINDOWS\system32\DRIVERS\irda.sys 90112 bytes (Microsoft Corporation, IRDA Protocol Driver)
0xF00FF000 C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys 90112 bytes (Microsoft Corporation, NWLINK2 IPX Protocol Driver)
0xEF9AA000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF0343000 C:\WINDOWS\system32\DRIVERS\ctxusbm.sys 81920 bytes (Citrix Systems, Inc., Citrix USB Filter Driver)
0xF6DE8000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF6DFC000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0x806EE000 ACPI_HAL 81152 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 81152 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF04C3000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7600000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7669000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF7799000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF78B9000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF77B9000 C:\WINDOWS\system32\DRIVERS\nwlnknb.sys 65536 bytes (Microsoft Corporation, NWLINK2 IPX Netbios Protocol Driver)
0xF7889000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7899000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7719000 Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
0xF78C9000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xEFF2F000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF6402000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF01DB000 C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys 57344 bytes (Microsoft Corporation, NWLINK2 SPX Protocol Driver)
0xF7709000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7879000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF78D9000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF76E9000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF78F9000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7939000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF78A9000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF76D9000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF78E9000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7869000 C:\WINDOWS\system32\DRIVERS\amdk7.sys 40960 bytes (Microsoft Corporation, Processor Device Driver)
0xF76C9000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7809000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7739000 SISAGPX.sys 40960 bytes (Silicon Integrated Systems Corporation, SiS AGPv3.5 Filter)
0xF7909000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF76F9000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF63E2000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xEE60F000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7729000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7769000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7A89000 C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys 32768 bytes (Check Point Software Technologies, ZoneAlarm ForceField)
0xF79F9000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF6306000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF79F1000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF79D9000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF62F6000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7949000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF79E1000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF79D1000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF79C9000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF62E6000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF630E000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF62DE000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7A21000 C:\WINDOWS\system32\DRIVERS\irsir.sys 20480 bytes (Microsoft Corporation, Serial Infrared Driver)
0xF62EE000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7951000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7A11000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7A01000 C:\WINDOWS\system32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)
0xF7A19000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7A09000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF79E9000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF62C6000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xEEE90000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xF7B8D000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xF74F1000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF028F000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7BB1000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7AD9000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7B95000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7BB5000 C:\WINDOWS\system32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xF74ED000 C:\WINDOWS\system32\DRIVERS\irenum.sys 12288 bytes (Microsoft Corporation, Infra-Red Bus Enumerator)
0xF7BC5000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF0951000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF053D000 C:\WINDOWS\System32\DRIVERS\srvkp.sys 12288 bytes (Silicon Integrated Systems Corporation, SiS VGA Driver Manager)
0xBFF50000 C:\WINDOWS\System32\TSDDD.dll 12288 bytes (Microsoft Corporation, Framebuffer Display Driver)
0xEF9DB000 C:\WINDOWS\system32\Drivers\uphcleanhlp.sys 12288 bytes
0xF0945000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF7BE9000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7BF7000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7BE7000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7BC9000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7BEB000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7C57000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7BED000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7BF5000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7C6D000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7BCB000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7DBC000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7D7E000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7DB4000 C:\WINDOWS\system32\drivers\msmpu401.sys 4096 bytes (Microsoft Corporation, MPU401 Adapter Driver)
0xF7DDA000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7C91000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

#10 Elise


Posted 28 November 2010 - 01:00 PM

You are quite welcome. :)

That log looks completely fine. In the meantime, please also run the MBAM full scan if you didn't do it yet and let me know if anything is found.

Please monitor your accounts for sending out spam in the coming days and keep me posted on that (you can include your own email address in the contacts list so you will see if any spam is sent out, as you will then receive a message yourself as well).

regards, Elise



#11 Elise


Posted 02 December 2010 - 06:59 AM

Hi, are you still there?

regards, Elise



#12 Elise


Posted 06 December 2010 - 07:47 AM

Due to lack of feedback this topic will now be closed.

If you need it reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise


