
Trojan horse SHeur3.AQRA and Win32/Zbot.A Virus


  • This topic is locked
26 replies to this topic

#1 wtratt

wtratt

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:43 PM

Posted 12 November 2010 - 02:14 PM

My laptop has been infected for a while with a number of viruses that are affecting my .dll files... AVG is picking it up, but just "moving infection to vault" seems to stop things working - so at the moment infections are free to be rampant.
I'm not an expert, I don't know how .dll files are important - I just want to clean up!
Hope you can help...?


DDS (Ver_10-11-10.01) - NTFSx86
Run by Will at 19:54:33.85 on 11/11/2010
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1270.282 [GMT 0:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\SANYO\XactiScreenCapture\SetClip.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Will\Local Settings\Temporary Internet Files\Content.IE5\72VLHD3T\Defogger[1].exe
C:\Documents and Settings\Will\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,,,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - f:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - f:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [NCLaunch] c:\windows\NCLAUNCH.EXe
uRun: [{7A6E35D6-F3E2-82F2-BEC6-6C816DC61DC2}] "c:\documents and settings\will\application data\fawovo\ilfyi.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [adiras] adiras.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [EPSON Stylus CX3600 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [UVS12 Preload] c:\program files\corel\temp\corel videostudio 12\uvPL.exe
mRun: [GrooveMonitor] "c:\program files\office12\GrooveMonitor.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "f:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "f:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\will\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\will\startm~1\programs\startup\xactis~1.lnk - c:\docume~1\will\applic~1\microsoft\installer\{37327654-ebf7-410c-9161-c24d68e02753}\_E47B9B72500055712D025F.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://www.bridgwater.ac.uk/tsweb/msrdp.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://80.177.205.41:8080/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: NameServer = 85.255.112.225,85.255.112.199
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-6-9 12552]
R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [2006-2-25 18110]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-9 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-9 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-9 108552]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [2006-2-25 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [2006-2-25 423454]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-9 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-6-9 1370488]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-6-9 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-2-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-2-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-2-26 27232]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-26 135664]
S2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2005-2-2 14336]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg8\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-6-9 29208]

=============== Created Last 30 ================


==================== Find3M ====================

2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-28 17:32:57 217600 ------w- C:\UNWISE.EXE
2010-08-28 17:23:12 109056 ------w- c:\program files\exe.exe
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ------w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 19:57:14.03 ===============



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:43 PM

Posted 21 November 2010 - 12:42 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 wtratt

wtratt
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:43 PM

Posted 22 November 2010 - 02:54 PM

Hi m0le,

I'm definitely here and waiting. I've just upgraded BBC iPlayer. I hope that won't hinder this process.
I am away on a business trip over the next few days but will see if I can fit my laptop in my bag to keep in touch.

Thanks in advance for your time and help.

Will

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:43 PM

Posted 22 November 2010 - 07:24 PM

There is evidence of an attack.

Please run TDSSKiller

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE
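m0le's "evidence of an attack" comes from reading the DDS "Pseudo HJT Report" section of the log in post #1. The script below is an added example (not part of this thread, not a BleepingComputer or DDS tool) of the kind of first-pass triage an analyst does over those lines: it parses `uRun`/`mRun`/`dRun` entries, `TCP: NameServer` lines and orphaned `- No File` entries and flags the ones that merit a closer look. The heuristics (a GUID-named Run value launching from a user's Application Data folder, a Run value with no path, statically configured DNS servers, orphaned entries) are general analyst rules of thumb assumed here, not something m0le states, and the sample lines are constructed in the DDS format from entries visible in the posted log.

```python
import re
from dataclasses import dataclass

# Constructed sample input in the DDS "Pseudo HJT Report" format, built from
# entries visible in the log posted above (not the complete log).
SAMPLE_DDS_LINES = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{7A6E35D6-F3E2-82F2-BEC6-6C816DC61DC2}] "c:\documents and settings\will\application data\fawovo\ilfyi.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [adiras] adiras.exe
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TCP: NameServer = 85.255.112.225,85.255.112.199
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,,,
"""

# DDS prefixes: uRun = HKCU Run, mRun = HKLM Run, dRun = Default User Run.
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NAMESERVER_RE = re.compile(r"^TCP: NameServer = (?P<servers>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Per-user data folders (XP and Vista+ naming); assumed heuristic, not a DDS rule.
USER_DATA_MARKERS = ("\\application data\\", "\\local settings\\", "\\appdata\\")


@dataclass
class Finding:
    line: str
    reason: str


def _target_path(cmd: str) -> str:
    """Return the executable part of a Run value (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_dds(text: str) -> list[Finding]:
    """Flag Pseudo-HJT lines that an analyst would want to look at first."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            name = m.group("name")
            target = _target_path(m.group("cmd")).lower()
            if GUID_RE.match(name) and any(mk in target for mk in USER_DATA_MARKERS):
                findings.append(Finding(line, "GUID-named Run value launching from a user profile data folder"))
            elif "\\" not in target:
                findings.append(Finding(line, "Run value with a bare executable name (no path); check what it resolves to"))
            continue
        if NAMESERVER_RE.match(line):
            findings.append(Finding(line, "Statically configured DNS servers; confirm they belong to the ISP"))
            continue
        if line.endswith(" - No File"):
            findings.append(Finding(line, "Orphaned registry entry; the referenced file is missing"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS_LINES):
        print(f"[{f.reason}]\n    {f.line}")
```

Run stand-alone it prints four findings from the sample; benign entries such as the `ctfmon.exe` and `IgfxTray` Run values pass through unflagged. The flags are prompts for a human, as in this thread, not a verdict: a statically set NameServer may be legitimate, and an orphaned toolbar entry is clutter rather than an infection.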

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:43 PM

Posted 24 November 2010 - 08:56 PM

Edited

Edited by m0le, 24 November 2010 - 08:56 PM.

m0le is a proud member of UNITE

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:43 PM

Posted 26 November 2010 - 09:05 PM

Hi,

I have not had a reply from you for 4 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#7 wtratt

wtratt
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:43 PM

Posted 27 November 2010 - 11:53 AM

Hi m0le,

I apologise for the delay. I have run the TDSSKiller as per your post. The result of the scan indicated no infections.
Below is the report:

2010/11/27 16:49:59.0274 TDSS rootkit removing tool 2.4.9.0 Nov 26 2010 15:38:31
2010/11/27 16:49:59.0274 ================================================================================
2010/11/27 16:49:59.0274 SystemInfo:
2010/11/27 16:49:59.0274
2010/11/27 16:49:59.0274 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/27 16:49:59.0290 Product type: Workstation
2010/11/27 16:49:59.0290 ComputerName: WILLS_LAPTOP
2010/11/27 16:49:59.0290 UserName: Will
2010/11/27 16:49:59.0290 Windows directory: C:\WINDOWS
2010/11/27 16:49:59.0290 System windows directory: C:\WINDOWS
2010/11/27 16:49:59.0290 Processor architecture: Intel x86
2010/11/27 16:49:59.0290 Number of processors: 1
2010/11/27 16:49:59.0290 Page size: 0x1000
2010/11/27 16:49:59.0290 Boot type: Normal boot
2010/11/27 16:49:59.0290 ================================================================================
2010/11/27 16:49:59.0993 Initialize success
2010/11/27 16:50:08.0931 ================================================================================
2010/11/27 16:50:08.0931 Scan started
2010/11/27 16:50:08.0931 Mode: Manual;
2010/11/27 16:50:08.0931 ================================================================================
2010/11/27 16:50:10.0618 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/11/27 16:50:10.0806 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/27 16:50:10.0915 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/11/27 16:50:11.0024 adfs (73685e15ef8b0bd9c30f1af413f13d49) C:\WINDOWS\system32\drivers\adfs.sys
2010/11/27 16:50:11.0212 ADIHdAudAddService (f40b7e185b24426a1ab430b5655eb8bb) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2010/11/27 16:50:11.0321 ADILOADER (2b3b8c0a2c979dd77ba6dc9376074854) C:\WINDOWS\system32\Drivers\adildr.sys
2010/11/27 16:50:11.0446 adiusbaw (d478c566318803a7063b120f026dc0b7) C:\WINDOWS\system32\DRIVERS\adiusbaw.sys
2010/11/27 16:50:11.0602 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/11/27 16:50:11.0821 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/27 16:50:11.0931 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/27 16:50:12.0165 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/11/27 16:50:12.0368 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/11/27 16:50:12.0477 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/11/27 16:50:12.0587 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/11/27 16:50:12.0681 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/11/27 16:50:12.0852 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/11/27 16:50:13.0024 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/11/27 16:50:13.0165 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/11/27 16:50:13.0274 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2010/11/27 16:50:13.0399 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/11/27 16:50:13.0540 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/27 16:50:13.0712 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/11/27 16:50:13.0821 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/11/27 16:50:13.0962 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/11/27 16:50:14.0118 ASPI32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\ASPI32.sys
2010/11/27 16:50:14.0274 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/27 16:50:14.0446 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/27 16:50:14.0571 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/27 16:50:14.0696 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/27 16:50:14.0837 Avgfwdx (eb0992def47f48821ded724f379c499e) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
2010/11/27 16:50:14.0899 Avgfwfd (eb0992def47f48821ded724f379c499e) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
2010/11/27 16:50:15.0056 AVGIDSDriver (ed3afcbfbca44ad5881456f16fd1b3e8) C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys
2010/11/27 16:50:15.0196 AVGIDSErHr (93adcd7b4bde0b23f14e13462da51d07) C:\WINDOWS\system32\Drivers\AVGIDSErHr.sys
2010/11/27 16:50:15.0274 AVGIDSFilter (37a36bf92cb08c74a2b530db1d170878) C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys
2010/11/27 16:50:15.0352 AVGIDSShim (d848f8da65e59c8d01044dacfc61a64b) C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys
2010/11/27 16:50:15.0524 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys
2010/11/27 16:50:15.0649 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2010/11/27 16:50:15.0759 AvgRkx86 (94a16f829b1456237b7f929198ce2807) C:\WINDOWS\system32\Drivers\avgrkx86.sys
2010/11/27 16:50:15.0946 AvgTdiX (92d8e1e8502e649b60e70074eb29c380) C:\WINDOWS\System32\Drivers\avgtdix.sys
2010/11/27 16:50:16.0040 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/27 16:50:16.0227 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/11/27 16:50:16.0306 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/27 16:50:16.0399 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/11/27 16:50:16.0540 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/11/27 16:50:16.0649 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/27 16:50:16.0743 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/27 16:50:16.0837 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/27 16:50:17.0071 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/11/27 16:50:17.0212 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/11/27 16:50:17.0337 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/11/27 16:50:17.0462 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/11/27 16:50:17.0618 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/11/27 16:50:17.0743 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/11/27 16:50:17.0931 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/27 16:50:42.0337 ================================================================================
2010/11/27 16:50:42.0337 Scan finished
2010/11/27 16:50:42.0337 ================================================================================

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 November 2010 - 06:15 PM

Please run the following removal tools

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update, download and update MBAM on a clean computer, then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware'. Then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


And

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

m0le is a proud member of UNITE

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 November 2010 - 08:09 PM

Hi wtratt,

Still waiting for the MBAM and SAS logs :)
m0le is a proud member of UNITE

#10 wtratt

wtratt
  • Topic Starter

  • Members
  • 15 posts

Posted 01 December 2010 - 01:14 AM

I apologise, they took some time...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5214

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18372

30/11/2010 20:28:35
mbam-log-2010-11-30 (20-28-35).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 282622
Time elapsed: 10 hour(s), 41 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 19
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{9da1990b-9bca-4c80-aefb-11a40fa849f9} (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{96afbe69-c3b0-4b00-8578-d933d2896ee2} (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\ad-protect.exe (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appisqt_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96afbe69-c3b0-4b00-8578-d933d2896ee2} (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{7a6e35d6-f3e2-82f2-bec6-6c816dc61dc2} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvc (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\exe.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\desktoplayer.exe.vir (Virus.Ramnit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cooper.mine (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\VideoEgg\user.dat (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\08EE1454.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Will\Application Data\dhxiuw.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\DelUS.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h7t.wt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgtd.ruy (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\f49f4daa.dat (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\himark2.dat (Malware.Trace) -> Quarantined and deleted successfully.






And the other...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/01/2010 at 04:39 AM

Application Version : 4.46.1000

Core Rules Database Version : 5933
Trace Rules Database Version: 3745

Scan type : Complete Scan
Total Scan Time : 05:18:24

Memory items scanned : 555
Memory threats detected : 0
Registry items scanned : 9566
Registry threats detected : 70
File items scanned : 122473
File threats detected : 182

Trojan.Media-Codec
HKLM\Software\Classes\CLSID\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5}
HKCR\CLSID\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5}
HKCR\CLSID\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5}
HKCR\CLSID\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5}\Implemented Categories
HKCR\CLSID\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5}\InprocServer32
HKCR\CLSID\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\WINMEDIACODEC\IESPLUGIN.DLL
HKU\S-1-5-21-2976228377-3688322865-4195324798-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5}
HKU\S-1-5-21-2976228377-3688322865-4195324798-1006\Software\Internet Security
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#UninstallString

Trojan.SmitFraud Variant
HKU\S-1-5-21-2976228377-3688322865-4195324798-1006\Software\Classes\CLSID\{e5b1e382-817e-4b74-8a96-ec78751e6acf}
HKCR\CLSID\{E5B1E382-817E-4B74-8A96-EC78751E6ACF}
HKCR\CLSID\{E5B1E382-817E-4B74-8A96-EC78751E6ACF}\InProcServer32
HKCR\CLSID\{E5B1E382-817E-4B74-8A96-EC78751E6ACF}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\IMFDFCJ.DLL
HKCR\CLSID\{E5B1E382-817E-4B74-8A96-EC78751E6ACF}

Trojan.Homepage
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{686A161D-5BD1-4999-8832-6393F41E564C}
HKCR\CLSID\{686A161D-5BD1-4999-8832-6393F41E564C}
HKU\S-1-5-21-2976228377-3688322865-4195324798-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{686A161D-5BD1-4999-8832-6393F41E564C}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{686A161D-5BD1-4999-8832-6393F41E564C}

Adware.Tracking Cookie
C:\Documents and Settings\Will\Cookies\will@www.windowsmedia[2].txt
C:\Documents and Settings\Will\Cookies\will@uk.at.atwola[2].txt
C:\Documents and Settings\Will\Cookies\will@e-2dj6wfliwlajidp.stats.esomniture[2].txt
C:\Documents and Settings\Will\Cookies\will@www.googleadservices[4].txt
C:\Documents and Settings\Will\Cookies\will@e-2dj6wfkoojczoeq.stats.esomniture[2].txt
C:\Documents and Settings\Will\Cookies\will@server.lon.liveperson[2].txt
C:\Documents and Settings\Will\Cookies\will@adultfriendfinder[1].txt
C:\Documents and Settings\Will\Cookies\will@archant.122.2o7[1].txt
C:\Documents and Settings\Will\Cookies\will@liveperson[2].txt
C:\Documents and Settings\Will\Cookies\will@www.googleadservices[2].txt
C:\Documents and Settings\Will\Cookies\will@liveperson[5].txt
C:\Documents and Settings\Will\Cookies\will@xadultbook[1].txt
C:\Documents and Settings\Will\Cookies\will@ehg-logantod.hitbox[2].txt
C:\Documents and Settings\Will\Cookies\will@partypoker[1].txt
C:\Documents and Settings\Will\Cookies\will@debenhams.122.2o7[1].txt
C:\Documents and Settings\Will\Cookies\will@ad1.emediate[2].txt
C:\Documents and Settings\Will\Cookies\will@w00tpublishers.wootmedia[1].txt
C:\Documents and Settings\Will\Cookies\will@liveperson[4].txt
C:\Documents and Settings\Will\Cookies\will@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\Will\Cookies\will@rts.pgmediaserve[2].txt
C:\Documents and Settings\Will\Cookies\will@at.atwola[2].txt
C:\Documents and Settings\Will\Cookies\will@sanfordcorporation.112.2o7[1].txt
C:\Documents and Settings\Will\Cookies\will@facemediagroup.co[1].txt
C:\Documents and Settings\Will\Cookies\will@s4.shinystat[1].txt
C:\Documents and Settings\Will\Cookies\will@www.vonessenmedia.co[1].txt
C:\Documents and Settings\Will\Cookies\will@server.lon.liveperson[3].txt
C:\Documents and Settings\Will\Cookies\will@www.googleadservices[1].txt
C:\Documents and Settings\Will\Cookies\will@uk.sitestat[1].txt
C:\Documents and Settings\Will\Cookies\will@statcounter[2].txt
C:\Documents and Settings\Will\Cookies\will@e-2dj6aekiqocpaho.stats.esomniture[2].txt
C:\Documents and Settings\Will\Cookies\will@media.vonessenhotels.co[2].txt
C:\Documents and Settings\Will\Cookies\will@eyewonder[1].txt
C:\Documents and Settings\Will\Cookies\will@associatednorthcliffedigital.122.2o7[1].txt
C:\Documents and Settings\Will\Cookies\will@tracking.dc-storm[1].txt
C:\Documents and Settings\Will\Cookies\will@hitbox[2].txt
C:\Documents and Settings\Will\Cookies\will@www.googleadservices[5].txt
C:\Documents and Settings\Will\Cookies\will@ehg-debenhams.hitbox[2].txt
C:\Documents and Settings\Will\Cookies\will@www.googleadservices[6].txt
C:\Documents and Settings\Will\Cookies\will@www.googleadservices[3].txt
C:\Documents and Settings\Will\Cookies\will@ads.monster[2].txt
C:\Documents and Settings\Will\Cookies\will@2.bfugmedia[1].txt
C:\Documents and Settings\Will\Cookies\will@www.googleadservices[8].txt
C:\Documents and Settings\Will\Cookies\will@www.googleadservices[7].txt
C:\Documents and Settings\LocalService\Cookies\system@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\LocalService\Cookies\system@interclick[1].txt
C:\Documents and Settings\LocalService\Cookies\system@microsoftwindows.112.2o7[1].txt
2mdn.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
acvs.mediaonenetwork.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
advprotraffic.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
atdmt.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
broadcast.piximedia.fr [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
cdn.insights.gravity.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
cdn4.specificclick.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
cdn5.specificclick.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
ec.atdmt.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
emea.2mdn.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
googleads.g.doubleclick.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
ia.media-imdb.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
img-cdn.mediaplex.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
interclick.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
m.uk.2mdn.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
m1.2mdn.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
m1.emea.2mdn.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
macromedia.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
media.entertonement.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
media.resulthost.org [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
media.scanscout.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
media.tattomedia.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
media01.kyte.tv [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
media1.break.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
mediaplex.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
msnbcmedia.msn.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
msntest.serving-sys.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
naiadsystems.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
objects.tremormedia.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
oddcast.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
s0.2mdn.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
secure-us.imrworldwide.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
serving-sys.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
spe.atdmt.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
stat.easydate.biz [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
static.2mdn.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
static.youporn.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
track.omguk.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
udn.specificclick.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
uk.2mdn.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
virginmedia.a.mms.mavenapps.net [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
www.naiadsystems.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
www.oddcast.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
www.pornhub.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
www.pornkeeper.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
www.soundclick.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
www.ziporn.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
zedo.com [ C:\Documents and Settings\Will\Application Data\Macromedia\Flash Player\#SharedObjects\ZMZAG7BM ]
C:\Documents and Settings\Will\Local Settings\Temp\Cookies\will@122.2o7[1].txt
C:\Documents and Settings\Will\Local Settings\Temp\Cookies\will@2o7[2].txt
C:\Documents and Settings\Will\Local Settings\Temp\Cookies\will@adviva[2].txt
C:\Documents and Settings\Will\Local Settings\Temp\Cookies\will@apmebf[1].txt
C:\Documents and Settings\Will\Local Settings\Temp\Cookies\will@atdmt[1].txt
C:\Documents and Settings\Will\Local Settings\Temp\Cookies\will@doubleclick[1].txt
C:\Documents and Settings\Will\Local Settings\Temp\Cookies\will@mediaplex[1].txt
C:\Documents and Settings\Will\Local Settings\Temp\Cookies\will@msnportal.112.2o7[2].txt
C:\Documents and Settings\Will\Local Settings\Temp\Cookies\will@tribalfusion[1].txt

Trojan.Spy-Shield/BON
HKCR\Interface\{214345B8-BB69-498D-A168-29F58F15D806}
HKCR\Interface\{214345B8-BB69-498D-A168-29F58F15D806}\ProxyStubClsid
HKCR\Interface\{214345B8-BB69-498D-A168-29F58F15D806}\ProxyStubClsid32
HKCR\Interface\{214345B8-BB69-498D-A168-29F58F15D806}\TypeLib
HKCR\Interface\{214345B8-BB69-498D-A168-29F58F15D806}\TypeLib#Version

Malware.VirusBlast
HKCR\VB.Server
HKCR\VB.Server\CLSID
HKCR\VB.Server\CurVer
HKCR\VB.Server.1
HKCR\VB.Server.1\CLSID
HKCR\CLSID\{0D0FAB5C-2BE4-4126-A28E-828FEBCE1E55}
HKCR\CLSID\{0D0FAB5C-2BE4-4126-A28E-828FEBCE1E55}#AppID
HKCR\CLSID\{0D0FAB5C-2BE4-4126-A28E-828FEBCE1E55}\LocalServer32
HKCR\CLSID\{0D0FAB5C-2BE4-4126-A28E-828FEBCE1E55}\ProgID
HKCR\CLSID\{0D0FAB5C-2BE4-4126-A28E-828FEBCE1E55}\Programmable
HKCR\CLSID\{0D0FAB5C-2BE4-4126-A28E-828FEBCE1E55}\TypeLib
HKCR\CLSID\{0D0FAB5C-2BE4-4126-A28E-828FEBCE1E55}\VersionIndependentProgID
HKCR\CLSID\{9DA04BBD-71BB-020C-436E-42FECBB98F05}
HKCR\CLSID\{9DA04BBD-71BB-020C-436E-42FECBB98F05}\dafp
HKCR\CLSID\{9DA04BBD-71BB-020C-436E-42FECBB98F05}\iGplyKodckC
HKCR\CLSID\{9DA04BBD-71BB-020C-436E-42FECBB98F05}\InprocServer32
HKCR\CLSID\{9DA04BBD-71BB-020C-436E-42FECBB98F05}\InprocServer32#ThreadingModel
HKCR\CLSID\{9DA04BBD-71BB-020C-436E-42FECBB98F05}\lMlyldjeweqB
HKCR\CLSID\{9DA04BBD-71BB-020C-436E-42FECBB98F05}\nycKxezzRYaN
HKCR\CLSID\{9DA04BBD-71BB-020C-436E-42FECBB98F05}\pmsd
HKCR\CLSID\{9DA04BBD-71BB-020C-436E-42FECBB98F05}\qLmMvmzkuQPK
HKCR\CLSID\{9DA04BBD-71BB-020C-436E-42FECBB98F05}\qWzkhygl
HKCR\TypeLib\{80ED1EB2-55FB-4434-BD41-E1645A370158}
HKCR\TypeLib\{80ED1EB2-55FB-4434-BD41-E1645A370158}\1.0
HKCR\TypeLib\{80ED1EB2-55FB-4434-BD41-E1645A370158}\1.0\0
HKCR\TypeLib\{80ED1EB2-55FB-4434-BD41-E1645A370158}\1.0\0\win32
HKCR\TypeLib\{80ED1EB2-55FB-4434-BD41-E1645A370158}\1.0\FLAGS
HKCR\TypeLib\{80ED1EB2-55FB-4434-BD41-E1645A370158}\1.0\HELPDIR
HKCR\Interface\{1131081D-81ED-46F0-8B03-B728AEAFFD12}
HKCR\Interface\{1131081D-81ED-46F0-8B03-B728AEAFFD12}\ProxyStubClsid
HKCR\Interface\{1131081D-81ED-46F0-8B03-B728AEAFFD12}\ProxyStubClsid32
HKCR\Interface\{1131081D-81ED-46F0-8B03-B728AEAFFD12}\TypeLib
HKCR\Interface\{1131081D-81ED-46F0-8B03-B728AEAFFD12}\TypeLib#Version

Malware.VirusBurst
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safety Alerter 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safety Alerter 2006#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safety Alerter 2006#UninstallString

Trojan.DNSChanger-Codec
HKLM\Software\1
HKLM\Software\1#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\1#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\1#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\9
HKLM\Software\9#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\9#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\9#31C2E1E4D78E6A11B88DFA803456A1FFA5

Trojan.Unknown Origin
C:\PROGRAM FILES\WINMEDIACODEC\TS.ICO

#11 m0le (Malware Response Team, London, UK)

Posted 01 December 2010 - 04:55 PM

Please run Combofix now. Some of those files are hard to kill.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE
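The post above ends with ComboFix writing C:\ComboFix.txt for the helper to read. As an added example (my code, not ComboFix's and not part of this thread), the script below does the first triage pass a responder makes over two sections of such a log: the Windows Firewall standard-profile policy (is the firewall off, which ports are opened to everyone, and under what label) and the DPF (Downloaded Program Files / ActiveX) entries. The sample text is constructed from lines in the log Will posts later in this thread; the severity labels and the threshold of five distinct ports under one label are my assumptions, not ComboFix conventions.

```python
"""Triage helper for the firewall-policy and DPF sections of a ComboFix log.

Added example, not ComboFix code and not part of the BleepingComputer thread.
Parses the lines ComboFix prints under
  [HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
and the 'DPF:' lines of the Supplementary Scan, then flags:
  - the firewall being disabled (EnableFirewall=0),
  - one label attached to many distinct globally open ports,
  - well-known remote-control ports opened to everyone,
  - ActiveX CABs fetched from a bare IP address.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the ComboFix output posted later in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"19047:TCP"= 19047:TCP:spport
"12958:TCP"= 12958:TCP:spport
"12231:TCP"= 12231:TCP:spport
"7002:TCP"= 7002:TCP:spport
"8805:TCP"= 8805:TCP:spport
"20383:TCP"= 20383:TCP:spport

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://80.177.205.41:8080/activex/AMC.cab
"""

PORT_LINE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
ENABLE_LINE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
# ComboFix defangs URLs as hxxp://; accept both spellings.
DPF_LINE = re.compile(r'^DPF:\s*(.+?)\s+-\s+(?:hxxps?|https?)://([^/:\s]+)')
BARE_IP = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

# Ports that give interactive remote control; opening them to '*' deserves a look.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5800: "VNC (HTTP)"}


def parse_log(text):
    """Return (enable_firewall, {label: {(port, proto)}}, [(dpf_name, host)])."""
    enable_firewall = None
    ports_by_label = defaultdict(set)
    dpf_hosts = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENABLE_LINE.match(line)
        if m:
            enable_firewall = int(m.group(1))
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, label = int(m.group(1)), m.group(2), m.group(3).strip()
            ports_by_label[label].add((port, proto))
            continue
        m = DPF_LINE.match(line)
        if m:
            dpf_hosts.append((m.group(1), m.group(2)))
    return enable_firewall, dict(ports_by_label), dpf_hosts


def triage(text, many_ports=5):
    """Return a list of (severity, finding) tuples; thresholds are assumptions."""
    enable_firewall, ports_by_label, dpf_hosts = parse_log(text)
    findings = []
    if enable_firewall == 0:
        findings.append(("high", "Windows Firewall standard profile is disabled (EnableFirewall=0)"))
    for label, ports in ports_by_label.items():
        if len(ports) >= many_ports:
            findings.append(("high", f"label {label!r} opens {len(ports)} distinct ports globally"))
        for port, proto in sorted(ports):
            if port in REMOTE_ACCESS_PORTS:
                findings.append(("medium",
                                 f"{REMOTE_ACCESS_PORTS[port]} port {port}/{proto} open globally ({label!r})"))
    for name, host in dpf_hosts:
        if BARE_IP.match(host):
            findings.append(("medium", f"DPF entry {name!r} loads an ActiveX CAB from bare IP {host}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run against the sample it reports the disabled firewall, the one label that opens six unrelated high ports, the three remote-control ports opened to everyone, and the ActiveX control pulled from a raw IP. None of these is proof of infection on its own (RDP and VNC may be the owner's), which is why the output is a worklist for the helper rather than a verdict.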

#12 wtratt (Topic Starter)

Posted 02 December 2010 - 02:24 PM

Hi,

Trying to run ComboFix. I have successfully downloaded it onto my desktop as comfix.exe
However, to run it I am prompted to uninstall AVG. I have followed this instruction, however during the uninstallation, it says:

Uninstall Failed!
1 error occurred. Click Details to show more information.

If the problems continue please contact the technical support support@avg.com

The computer must be restarted in order to complete the uninstallation. By selecting the checkbox, the computer will restart when the OK button is pressed.


I did restart hoping it might complete the uninstallation, but AVG was still active after reboot.

I clicked on the 'Details...' that it mentions and this is the content:

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005


Hopefully you can shed some light on this mysterious registry key that looks like the issue...?

Many thanks
Will

#13 m0le (Malware Response Team, London, UK)

Posted 02 December 2010 - 06:15 PM

AVG and Combofix are not getting on.

Please run the AVG uninstaller to make sure it's gone. Reboot and then attempt to run Combofix.
m0le is a proud member of UNITE

#14 wtratt (Topic Starter)

Posted 04 December 2010 - 06:11 AM

Thanks for the uninstaller, all worked. Please find the log output below.
I don't know where it has been saved though.

Will

ComboFix 10-12-03.01 - Will 04/12/2010 10:50:53.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1270.828 [GMT 0:00]
Running from: c:\documents and settings\Will\Desktop\comfix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Will\Recent\Thumbs.db
c:\program files\filesubmit
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf
c:\windows\jestertb.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\FSC__PI__AMILO Pro V2040__FUJITSU SIEMENS_AMILO Pro V2040__PhoenixBIOS 4.0 Release 6.1 _PTLTD - 6040000_R01-A1B .MRK
c:\windows\system32\gxvxccount
c:\windows\system32\kernel1.exe
c:\windows\system32\pthreadVC.dll
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))
.

2010-11-30 23:09 . 2010-11-30 23:09 -------- d-----w- c:\documents and settings\Will\Application Data\SUPERAntiSpyware.com
2010-11-30 23:09 . 2010-11-30 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-30 23:09 . 2010-11-30 23:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-29 19:55 . 2010-11-29 19:55 -------- d-----w- c:\documents and settings\Will\Application Data\Malwarebytes
2010-11-29 19:54 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 19:54 . 2010-11-29 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-29 19:54 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 19:54 . 2010-11-29 19:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-22 19:49 . 2010-11-22 19:49 -------- d-----w- c:\program files\BBC iPlayer Desktop
2010-11-09 20:13 . 2010-11-09 20:13 -------- d-----w- c:\documents and settings\Will\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-04 10:54 . 2005-02-02 20:37 578560 ----a-w- c:\windows\system32\user32.dll
2010-09-18 11:23 . 2005-02-02 20:36 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2005-02-02 20:36 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2005-02-02 20:36 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2005-02-02 20:36 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-28 17:24 . 2006-10-21 12:34 335872 ------w- c:\program files\internet explorer\plugins\PanoViewer.dll
1999-04-30 15:00 . 2006-10-21 12:34 98304 ------w- c:\program files\internet explorer\plugins\UPjpeg.dll
.
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-07 68856]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2008-01-23 65536]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-03-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-03-22 126976]
"SMSERIAL"="sm56hlpr.exe" [2005-04-26 544768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"EPSON Stylus CX3600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 98304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"GrooveMonitor"="c:\program files\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Will\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-11-22 142336]
Xacti Screen Capture 1.1.lnk - c:\documents and settings\Will\Application Data\Microsoft\Installer\{37327654-EBF7-410C-9161-C24D68E02753}\_E47B9B72500055712D025F.exe [2008-9-11 128198]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-5-2 962660]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.com"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Freewire\\Freewire Television\\Freewire Television.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"11516:TCP"= 11516:TCP:*:Disabled:BitComet 11516 TCP
"11516:UDP"= 11516:UDP:*:Disabled:BitComet 11516 UDP
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"19047:TCP"= 19047:TCP:spport
"12958:TCP"= 12958:TCP:spport
"12231:TCP"= 12231:TCP:spport
"7002:TCP"= 7002:TCP:spport
"8805:TCP"= 8805:TCP:spport
"20383:TCP"= 20383:TCP:spport
"19374:TCP"= 19374:TCP:spport
"10871:TCP"= 10871:TCP:spport
"8028:TCP"= 8028:TCP:spport
"13313:TCP"= 13313:TCP:spport
"16004:TCP"= 16004:TCP:spport
"23257:TCP"= 23257:TCP:spport
"7079:TCP"= 7079:TCP:spport
"10893:TCP"= 10893:TCP:spport
"28867:TCP"= 28867:TCP:spport
"14730:TCP"= 14730:TCP:spport
"8591:TCP"= 8591:TCP:spport
"9564:TCP"= 9564:TCP:spport
"15652:TCP"= 15652:TCP:spport
"25192:TCP"= 25192:TCP:spport
"21821:TCP"= 21821:TCP:spport
"24776:TCP"= 24776:TCP:spport
"22133:TCP"= 22133:TCP:spport
"8119:TCP"= 8119:TCP:spport
"29019:TCP"= 29019:TCP:spport
"21458:TCP"= 21458:TCP:spport
"5736:TCP"= 5736:TCP:spport
"21832:TCP"= 21832:TCP:spport
"16685:TCP"= 16685:TCP:spport
"26223:TCP"= 26223:TCP:spport
"26330:TCP"= 26330:TCP:spport
"22149:TCP"= 22149:TCP:spport
"13189:TCP"= 13189:TCP:spport
"10221:TCP"= 10221:TCP:spport
"18582:TCP"= 18582:TCP:spport
"25477:TCP"= 25477:TCP:spport
"29451:TCP"= 29451:TCP:spport
"8541:TCP"= 8541:TCP:spport
"29848:TCP"= 29848:TCP:spport
"12984:TCP"= 12984:TCP:spport
"15941:TCP"= 15941:TCP:spport
"10996:TCP"= 10996:TCP:spport
"15048:TCP"= 15048:TCP:spport
"14132:TCP"= 14132:TCP:spport
"17979:TCP"= 17979:TCP:spport
"21200:TCP"= 21200:TCP:spport
"15155:TCP"= 15155:TCP:spport
"28227:TCP"= 28227:TCP:spport

R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [25/02/2006 15:01 18110]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [25/02/2006 15:01 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [25/02/2006 15:01 423454]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/02/2010 21:49 135664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 05:46 288112]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 21:48]

2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 21:48]

2010-01-02 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-01-02 14:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://80.177.205.41:8080/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-adiras - adiras.exe
HKLM-Run-UVS12 Preload - c:\program files\Corel\Temp\Corel VideoStudio 12\uvPL.exe
HKLM-Run-Adobe Acrobat Speed Launcher - f:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
HKLM-Run-Acrobat Assistant 8.0 - f:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
Notify-avgrsstarter - avgrsstx.dll
AddRemove-GraphicView 32 - c:\progra~1\GRAPHI~1\UNWISE.EXE
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-04 11:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,bb,d2,27,82,e6,09,4d,8e,87,92,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,bb,d2,27,82,e6,09,4d,8e,87,92,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(2448)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\sm56hlpr.exe
c:\program files\SANYO\XactiScreenCapture\SetClip.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2010-12-04 11:07:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-04 11:07

Pre-Run: 2,084,814,848 bytes free
Post-Run: 2,656,194,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition (bootscreen)" /noexecute=optin /fastdetect /KERNEL=kernel1.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - BCFE0710C3C76E5D32AB2A0523114F9D

#15 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 December 2010 - 06:06 PM

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the graphic below)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please now run ESET's online scanner

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE
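The reply above builds a CFScript whose RegLock:: block lists exactly the keys ComboFix reported under LOCKED REGISTRY KEYS. As an added example, not code from this thread, from ComboFix or from BleepingComputer, the Python below parses that section of a ComboFix log and emits the RegLock:: block in the same form. The log excerpt embedded in it is constructed in the shape of the log posted above, and all function and variable names are our own.

```python
"""Parse the 'LOCKED REGISTRY KEYS' section of a ComboFix log and build the
RegLock:: block of a CFScript from it.

Added example; not part of the original thread or of ComboFix itself.
Assumed log layout (as seen in the thread): a key path in square brackets,
an optional '@Denied: (<rights>) (<principal>)' line, then the key's values.
"""
import re
from typing import List, Tuple

# Constructed sample in the shape of the log above (not the full log).
SAMPLE_LOG = """\
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\\.Default\\Software\\Microsoft\\Internet Explorer\\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
 d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,bb,d2,27,82,e6,09,4d,8e,87,92,\\

[HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"

[HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}\\Elevation]
"Enabled"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

SECTION_RE = re.compile(r"^-+ LOCKED REGISTRY KEYS -+$")
NEXT_SECTION_RE = re.compile(r"^-{5,} .* -{5,}$")      # any later dashed header
KEY_RE = re.compile(r"^\[(HK[A-Z_]+\\.+)\]$")          # [HKEY_...\path]
DENIED_RE = re.compile(r"^@Denied: \((?P<rights>[^)]*)\) \((?P<who>[^)]*)\)$")


def parse_locked_keys(log_text: str) -> List[Tuple[str, str]]:
    """Return (key_path, denied_principal) for every key in the section.

    denied_principal is '' for keys that carry no @Denied line of their own
    (ComboFix lists the subtree beneath a locked parent as well).
    """
    in_section = False
    found: List[List[str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = bool(SECTION_RE.match(line))
            continue
        if NEXT_SECTION_RE.match(line):
            break                                   # end of the locked-keys section
        key = KEY_RE.match(line)
        if key:
            found.append([key.group(1), ""])
            continue
        denied = DENIED_RE.match(line)
        if denied and found:
            found[-1][1] = denied.group("who")      # principal the ACE denies
    return [(path, who) for path, who in found]


def explicitly_denied(keys: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Only the keys that carry their own Deny entry (the roots of each locked subtree)."""
    return [(path, who) for path, who in keys if who]


def build_reglock_script(keys: List[Tuple[str, str]]) -> str:
    """Emit a RegLock:: block, one bracketed key per line, as in the reply above."""
    lines = ["RegLock::"] + [f"[{path}]" for path, _ in keys]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    locked = parse_locked_keys(SAMPLE_LOG)
    for path, who in explicitly_denied(locked):
        print(f"deny ACE for {who}: {path}")
    print(build_reglock_script(locked))
```

The script copies the subkeys without their own @Denied line (Elevation, LocalServer32, TypeLib in the log) into the block as the reply does, because they sit under a locked parent. A Deny ACE on a key is not by itself evidence of infection: the FlashBroker CLSID in the log resolves, per its LocalServer32 value, to Adobe's own FlashUtil10i_ActiveX.exe, so unlocking such keys lets later scanners inspect them rather than proving they are malicious.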