Infected with Unruy.H & Hello4 Trojan


This topic is locked
30 replies to this topic

#1 Mog123

  • Members
  • 17 posts

Posted 06 September 2011 - 12:57 PM

Hi,

I hope you can help, as my computer started to freeze, so I re-booted it and then discovered Windows Defender popping up every couple of seconds saying I was infected with the Unruy.H Trojan.
I tried to remove it using Defender but nothing was happening, apart from my computer basically running at full capacity or basically not responding.
When I re-boot I sometimes get blank Windows screens popping up over each other and the following:

Run DLL
Error loading C:\windows\$XNTuninstall643$\wzrel.dll
The specified module cannot be found

Firefox randomly freezes & shuts down, and simply opening Windows Explorer can take minutes.

My DDS.txt is below:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_23
Run by Mog at 11:08:10 on 2011-09-06
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\System32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Virgin Media\Service Manager\ServicepointService.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\HomeCinema\TV Enhance\Kernel\TV\TVECapSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\HomeCinema\TV Enhance\Kernel\TV\TVESched.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Virgin Media\Service Manager\ServiceManager .exe
C:\Program Files\Common Files\Java\Java Update\jusched .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\Mog\AppData\Local\Temp\hki4710.exe
C:\Users\Mog\AppData\Local\Temp\hki4710.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Live\Messenger\msnmsgr .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Mog\Downloads\dds.scr
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.daemon-search.com/startpage
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.sky.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Download_Bho Class: {a986e409-30cc-4185-89bb-ab212c104524} - c:\program files\ppliveva\DownloaderManager.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6308.1122\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: brumadcpdgrm Object: {ef664f2b-438f-4107-b440-ccd774a286de} - c:\windows\$xntuninstall643$\qpeji.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient_2.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
uRun: [RCHotKey] "c:\program files\ringcentral\ringcentral call controller\RCHotKey.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [RCUI] "c:\program files\ringcentral\ringcentral call controller\RCUI.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask .exe" -atboottime
mRun: [ServiceManager.exe] "c:\program files\virgin media\service manager\ServiceManager.exe" /AUTORUN
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [bipro] rundll32 "c:\windows\$xntuninstall643$\wzrel.dll",,Run
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {95B3F550-91C4-4627-BCC4-521288C52977} - c:\program files\pplive\PPLive.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{19FD4D38-5258-444F-B48D-F367539B2C4F} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{50804DA4-B5BF-471B-9BAE-4D9E66687C0E} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\mog\appdata\roaming\mozilla\firefox\profiles\6r7dose1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\virgin media\service manager\nprpspa.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - 701e0c82-826f-4c87-bf70-b48fb021b925
FF - user.js: extentions.y2layers.installId - 882c566c-cf57-4e1c-ac0b-fcf8997027ad
.
============= SERVICES / DRIVERS ===============
.
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? DHTRACE;Intel® DHTrace Controller
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? NPF;Netgroup Packet Filter
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}
S? 3xHybrid;Philips SAA713x PCI Card
S? avg8wd;AVG8 WatchDog
S? AvgLdx86;AVG AVI Loader Driver x86
S? AvgMfx86;AVG On-access Scanner Minifilter Driver x86
S? DQLWinService;DQLWinService
S? FontCache;Windows Font Cache Service
S? IntelDH;IntelDH Driver
S? netr28u;RT2870 USB Wireless LAN Card Driver for Vista
S? nmsunidr;UniDriver for NMS
S? RapportCerberus_29574;RapportCerberus_29574
S? RapportEI;RapportEI
S? RapportKELL;RapportKELL
S? RapportMgmtService;Rapport Management Service
S? RapportPG;RapportPG
S? SBSDWSCService;SBSD Security Center Service
S? ServicepointService;ServicepointService
S? TomTomHOMEService;TomTomHOMEService
S? TVECapSvc;TVEnhance Background Capture Service (TBCS)
S? TVESched;TVEnhance Task Scheduler (TTS))
S? X10Hid;X10 Hid Device
.
=============== Created Last 30 ================
.
2011-09-05 19:28:33 38912 ----a-w- c:\windows\system32\NR7c53k.com
2011-09-05 18:23:18 -------- d-----w- c:\programdata\Tarma Installer
2011-09-05 18:23:17 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-09-05 18:23:08 -------- d-----w- c:\windows\$XNTUninstall643$
2011-09-04 12:45:07 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{95f49daf-2e11-416e-9ba3-7983425b58a4}\mpengine.dll
2011-08-24 15:37:50 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-22 11:30:03 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-22 11:12:50 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-22 11:12:50 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-22 11:12:50 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-08-22 11:12:49 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-22 11:12:49 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-22 11:12:49 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-22 11:12:49 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-21 09:00:36 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-08-15 21:10:54 -------- d-----w- c:\program files\iPod
2011-08-15 21:10:53 -------- d-----w- c:\program files\iTunes
2011-08-15 21:08:37 -------- d-----w- c:\program files\Bonjour
2011-08-11 08:34:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-11 08:34:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-11 08:34:45 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
==================== Find3M ====================
.
2011-09-05 18:34:03 38912 ----a-w- c:\windows\fonts\NR7c53k.com
2011-08-15 14:41:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 13:54:40 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-12 10:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 10:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 10:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-06 15:31:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-21 15:49:52 834048 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 14:13:51 389632 ----a-w- c:\windows\system32\html.iec
2011-06-17 16:03:18 375808 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 11:12:13.81 ===============


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 September 2011 - 12:47 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Mog123
  • Topic Starter

  • Members
  • 17 posts

Posted 08 September 2011 - 05:57 AM

Hi,

Firstly thanks for helping me out with this problem!

I have disabled AVG and went to disable Windows Defender as instructed, but when I came to saving the changes the following message appeared:

Windows Defender encountered an error 0x80070425. The service cannot accept control messages at this time.

So I haven't even got on to the Combofix part yet!

Please let me know what I should do next.

Kind Regards,

Ian

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 September 2011 - 07:19 AM

Go ahead and run Combofix.


gringo

#5 Mog123
  • Topic Starter

  • Members
  • 17 posts

Posted 08 September 2011 - 09:39 AM

I keep trying to run combofix and the furthest I have got was stage 35 and then it had to reboot my computer. Since then I cant get anywhere near that stage and it constantly reboots my computer.

When I download combofix with Vista Home i never get the option to save it to my desktop, instead just click on the file once downloaded. I have read you may need to rename it but the only way I can do this is to drag the file from the download window to my desktop and then right click and 'rename'.

Any ideas of what I should do/try to get combofix to run all the way through?

Cheers.

#6 Mog123

Mog123
  • Topic Starter

  • Members
  • 17 posts
  • Local time:10:12 AM

Posted 08 September 2011 - 10:34 AM

Right, after about the 15th attempt I have finally managed to get all the way through Combofix!

Upon re-starting I still get the window saying:

Run DLL
Error loading C:\windows\$XNTuninstall643$\wzrel.dll
The specified module cannot be found


I haven't tested my computer fully as yet, but it was much quicker to load and the blank Windows screens that kept popping up no longer appear. Also, opening files etc. is lightning quick compared to how it was.

Anyhow my Combofix is below:

ComboFix 11-09-08.03 - Mog 08/09/2011 15:43:02.4.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2045.1411 [GMT 1:00]
Running from: c:\users\Mog\Desktop\Cb.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe
c:\program files\RingCentral\RingCentral Call Controller\RCUI.exe
c:\program files\Spybot - Search & Destroy\TeaTimer.exe
c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
c:\program files\Virgin Media\Service Manager\ServiceManager.exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Windows Live\Messenger\msnmsgr.exe
c:\programdata\3D3
c:\programdata\3D3\Frames\FBRU_AA-1.frame
c:\programdata\3D3\Frames\FBRU_AA-2.frame
c:\programdata\3D3\Frames\FBRU_AB-1.frame
c:\programdata\3D3\Frames\FBRU_AB-2.frame
c:\programdata\3D3\Frames\FBRU_AB-3.frame
c:\programdata\3D3\Frames\FBRU_AB-4.frame
c:\programdata\3D3\Frames\FBRU_AC-1.frame
c:\programdata\3D3\Frames\FBRU_AC-2.frame
c:\programdata\3D3\Frames\FBRU_AD-1.frame
c:\programdata\3D3\Frames\FBRU_AD-2.frame
c:\programdata\3D3\Frames\FCHI_AA1.frame
c:\programdata\3D3\Frames\FCIR_AA-1.frame
c:\programdata\3D3\Frames\FCIR_AA-2.frame
c:\programdata\3D3\Frames\FOVL_AA1.frame
c:\programdata\3D3\Frames\FOVL_AA2.frame
c:\programdata\3D3\Frames\FOVL_BB1.frame
c:\programdata\3D3\Frames\FPFR_WW1.frame
c:\programdata\3D3\Frames\FPHO_BB-1.frame
c:\programdata\3D3\Frames\FSEA_AA-1.frame
c:\programdata\3D3\Frames\FSLD_AA-1.frame
c:\programdata\3D3\Frames\FSLD_BB-1.frame
c:\programdata\3D3\Frames\FSTR_AA-1.frame
c:\programdata\3D3\Frames\FSTR_AA-2.frame
c:\programdata\3D3\mm.db
c:\programdata\3D3\thumbnail.db
c:\programdata\ICmnUm55.exe
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\users\Mog\AppData\Local\ApplicationHistory
c:\users\Mog\AppData\Local\ApplicationHistory\BetAngel.exe.c2bf77ed.ini
c:\users\Mog\AppData\Local\ApplicationHistory\BetAngel.exe.dcee0e7e.ini
c:\users\Mog\AppData\Local\ApplicationHistory\DeviceManager.exe.9c7ee1e1.ini
c:\users\Mog\Documents\DPE.DUS
c:\windows\$xntuninstall643$
c:\windows\$xntuninstall643$\apUninstall.exe
c:\windows\$XNTUninstall643$\qpeji.dll
c:\windows\$xntuninstall643$\zrpt.xml
c:\windows\Fonts\NR7c53k.com
c:\windows\system32\comct332.ocx
c:\windows\Web\dwm.exe
c:\windows\Web\lid
c:\windows\Web\lnm
.
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe ---^> c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM  .exe ---^> c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe ---^> c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 )))))))))))))))))))))))))))))))
.
.
2011-09-08 14:53 . 2011-09-08 14:53 0 ---ha-w- c:\users\Mog\AppData\Local\BIT8140.tmp
2011-09-08 14:51 . 2011-09-08 14:53 -------- d-----w- c:\users\Mog\AppData\Local\temp
2011-09-08 14:51 . 2011-09-08 14:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-08 08:54 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8D2D168B-4946-41DE-9FEF-EAEAA452B704}\mpengine.dll
2011-09-06 11:42 . 2011-09-06 11:42 38912 ----a-w- c:\windows\system32\NR7c53k.com
2011-09-05 18:23 . 2011-09-05 18:23 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-08-24 15:37 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-22 11:30 . 2011-09-08 13:04 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-22 11:12 . 2011-09-08 13:04 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-22 11:12 . 2011-08-12 03:15 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-22 11:12 . 2011-08-12 03:15 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-22 11:12 . 2011-09-08 13:04 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-22 11:12 . 2011-09-08 13:04 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-22 11:12 . 2011-09-08 13:04 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-22 11:12 . 2011-09-08 13:04 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-21 09:00 . 2011-08-21 09:00 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-08-15 21:10 . 2011-08-15 21:10 -------- d-----w- c:\program files\iPod
2011-08-15 21:10 . 2011-09-08 09:01 -------- d-----w- c:\program files\iTunes
2011-08-15 21:08 . 2011-08-15 21:08 -------- d-----w- c:\program files\Bonjour
2011-08-11 08:34 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-11 08:34 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-11 08:34 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-06 11:42 . 2011-09-08 14:54 38912 ----a-w- c:\windows\Fonts\NR7c53k.com
2011-08-15 14:41 . 2011-05-25 08:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-12 10:20 . 2011-07-12 10:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 10:20 . 2011-07-12 10:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 10:20 . 2011-07-12 10:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-09-08 13:04 . 2011-08-22 11:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\QuickTime\QTTask  .exe
c:\program files\RingCentral\RingCentral Call Controller\RCHotKey .exe
c:\program files\RingCentral\RingCentral Call Controller\RCUI .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-07-15 04:46 195360 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient_2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe -scheduler" [X]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [N/A]
"RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-18 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"RCUI"="c:\program files\RingCentral\RingCentral Call Controller\RCUI.exe" [N/A]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [N/A]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [N/A]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-17 4702208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-08 38916]
"ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [N/A]
"bipro"="c:\windows\$XNTUninstall643$\wzrel.dll" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HD Writer.lnk - c:\program files\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe [2011-1-19 308640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-08 14:54 38916 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 14:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
c:\program files\TomTom HOME 2\TomTomHOMERunner.exe [N/A]
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R3 DHTRACE;Intel® DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-06-27 39640]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-09 691696]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-08-21 53816]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-19 335240]
S1 RapportCerberus_29574;RapportCerberus_29574;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys [2011-08-07 216912]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-08-21 66360]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-08-21 158904]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\HomeCinema\PlayMovie\000.fcl [2007-10-11 41456]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-19 297752]
S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2007-02-12 208896]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2007-02-18 5376]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-08-21 870200]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [2011-03-25 689464]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-03-09 92592]
S2 TVECapSvc;TVEnhance Background Capture Service (TBCS);c:\program files\HomeCinema\TV Enhance\Kernel\TV\TVECapSvc.exe [2007-10-19 290909]
S2 TVESched;TVEnhance Task Scheduler (TTS));c:\program files\HomeCinema\TV Enhance\Kernel\TV\TVESched.exe [2007-10-19 114779]
S3 3xHybrid;Philips SAA713x PCI Card;c:\windows\system32\DRIVERS\3xHybrid.sys [2007-08-22 1242976]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-11-08 5632]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-11-21 569344]
S3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2006-11-17 13976]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-08 c:\windows\Tasks\At1.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At10.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At11.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At12.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At13.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At14.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At15.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At16.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At17.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At18.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At19.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At2.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At20.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At21.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At22.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At23.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At24.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-06 c:\windows\Tasks\At25.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At26.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At27.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At28.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At29.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-08 c:\windows\Tasks\At3.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-06 c:\windows\Tasks\At30.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At31.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At32.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At33.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-08 c:\windows\Tasks\At34.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At35.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At36.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At37.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At38.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-08 c:\windows\Tasks\At39.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-08 c:\windows\Tasks\At4.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At40.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At41.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At42.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At43.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-05 c:\windows\Tasks\At44.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At45.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At46.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At47.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-06 c:\windows\Tasks\At48.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-08 c:\windows\Tasks\At5.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At6.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At7.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At8.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\At9.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:10]
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:10]
.
2011-09-08 c:\windows\Tasks\User_Feed_Synchronization-{A3C6695F-F6BC-4500-B453-A5F3BE5EFE5F}.job
- c:\windows\system32\msfeedssync.exe [2008-03-20 07:33]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.daemon-search.com/startpage
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
FF - ProfilePath - c:\users\Mog\AppData\Roaming\Mozilla\Firefox\Profiles\6r7dose1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - user.js: extentions.y2layers.installId - 701e0c82-826f-4c87-bf70-b48fb021b925
FF - user.js: extentions.y2layers.installId - 882c566c-cf57-4e1c-ac0b-fcf8997027ad
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-$XNTUninstall643$ - c:\windows\$XNTUninstall643$\apUninstall.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\progra~2\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-08 15:53
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\HomeCinema\PlayMovie\000.fcl"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\HomeCinema\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3260)
c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\System32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehRecvr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-09-08 16:01:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-08 15:01
.
Pre-Run: 287,233,617,920 bytes free
Post-Run: 286,808,522,752 bytes free
.
- - End Of File - - FF331A0A38D57D9F7A27413CF75AD834

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:12 AM

Posted 08 September 2011 - 12:11 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\Fonts\NR7c53k.com

Folder::
c:\program files\Yontoo Layers Runtime

AtJob::

Firefox::
FF - ProfilePath - c:\users\Mog\AppData\Roaming\Mozilla\Firefox\Profiles\6r7dose1.default\
FF - user.js: extentions.y2layers.installId - 701e0c82-826f-4c87-bf70-b48fb021b925
FF - user.js: extentions.y2layers.installId - 882c566c-cf57-4e1c-ac0b-fcf8997027ad

RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\QuickTime\QTTask  .exe
c:\program files\RingCentral\RingCentral Call Controller\RCHotKey .exe
c:\program files\RingCentral\RingCentral Call Controller\RCUI .exe


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

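A defender-side check, added here as an example and not part of this thread or of ComboFix: a Python scanner that walks the Run values under "Reg Loading Points" and the "Contents of the 'Scheduled Tasks' folder" block of a ComboFix log and flags the same kinds of entries the script above goes after (At<n>.job tasks, .com/.dll autorun targets in odd directories, binaries with a space before the extension, and values marked [N/A] or [X]). The embedded log excerpt is a constructed sample modelled on the log posted above, and the list of "odd" directories is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt modelled on the ComboFix log posted in this thread;
# sample input for this script, not the full log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe -scheduler" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-18 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bipro"="c:\windows\$XNTUninstall643$\wzrel.dll" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-08 c:\windows\Tasks\At1.job
- c:\windows\Fonts\NR7c53k.com [2011-09-08 11:42]
.
2011-09-06 c:\windows\Tasks\At25.job
- c:\windows\system32\NR7c53k.com [2011-09-06 11:42]
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:10]
.
"""

RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\Run)\]$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>.+\.job)$", re.IGNORECASE)
JOB_TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[[^\]]*\]$")
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)
# Splits "path\prog.exe -args" into the launched file and its arguments.
LAUNCH_TARGET_RE = re.compile(r"^(.*?\.(?:exe|com|dll|scr|bat|cmd))(?:\s.*)?$", re.IGNORECASE)

# Assumed list: directories where a legitimate autorun target is rarely found (lower case).
ODD_DIRS = ("c:\\windows\\fonts\\", "c:\\windows\\$", "c:\\windows\\web\\")
SPACE_EXT_REASON = "space before the extension (the renamed-binary pattern the RenV:: lines above reverse)"


@dataclass(frozen=True)
class Finding:
    kind: str                 # "run-value" or "scheduled-task"
    location: str             # registry key + value name, or path of the .job file
    target: str               # what the entry launches
    reasons: tuple[str, ...]  # why it was flagged


def check_target(path: str) -> list[str]:
    """Return the reasons a launched file looks suspicious; empty list if none."""
    p = path.strip().lower()
    reasons: list[str] = []
    if re.search(r" \.(exe|com|dll|scr)$", p):
        reasons.append(SPACE_EXT_REASON)
    elif not p.endswith(".exe"):
        reasons.append("autorun target is not a plain .exe")
    if any(p.startswith(d) for d in ODD_DIRS):
        reasons.append("target sits in a directory that should not hold autorun binaries")
    return reasons


def scan_combofix_log(text: str) -> list[Finding]:
    """Walk a ComboFix log and flag suspicious Run values and scheduled tasks."""
    findings: list[Finding] = []
    lines = [ln.strip() for ln in text.splitlines()]
    run_key = None      # Run key whose values are currently being read
    in_tasks = False    # inside the scheduled-tasks block
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("["):
            # Any registry key header ends the previous key; only *\Run keys are tracked.
            m = RUN_KEY_RE.match(line)
            run_key = m.group(1) if m else None
            in_tasks = False
        elif line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_tasks, run_key = True, None
        elif run_key and (vm := RUN_VALUE_RE.match(line)):
            name, cmd, meta = vm.group("name"), vm.group("cmd"), vm.group("meta").strip()
            lt = LAUNCH_TARGET_RE.match(cmd)
            reasons = check_target(lt.group(1) if lt else cmd)
            if meta.upper() in ("N/A", "X"):
                reasons.append(f"ComboFix recorded no file details for the target [{meta}]")
            if reasons:
                findings.append(Finding("run-value", run_key + "\\" + name, cmd, tuple(reasons)))
        elif in_tasks and (jm := JOB_RE.match(line)) and i + 1 < len(lines):
            # A task is two lines: the .job path, then "- <launched file> [date]".
            tm = JOB_TARGET_RE.match(lines[i + 1])
            if tm:
                job, target = jm.group("job"), tm.group("target")
                reasons = check_target(target)
                if AT_JOB_RE.search(job):
                    reasons.append("At<n>.job task (created with at.exe) rather than a named task")
                if reasons:
                    findings.append(Finding("scheduled-task", job, target, tuple(reasons)))
                i += 1
        i += 1
    return findings


if __name__ == "__main__":
    for f in scan_combofix_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.location}\n    -> {f.target}")
        for r in f.reasons:
            print(f"       * {r}")
```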

#8 Mog123

Mog123
  • Topic Starter

  • Members
  • 17 posts
  • Local time:10:12 AM

Posted 09 September 2011 - 05:37 AM

Hi Gringo,

Here is my latest log from Combofix. As before, I have not had a real chance to test the computer, as I wanted to post this ASAP since it's taken me ages to get it, and I want to be sure the computer is relatively clean before putting it through its paces. I still, however, get the same message below on start up:

Run DLL
Error loading C:\windows\$XNTuninstall643$\wzrel.dll
The specified module cannot be found


Let me know what you find.

Cheers,

Ian


ComboFix 11-09-08.03 - Mog 09/09/2011 11:07:33.6.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2045.1471 [GMT 1:00]
Running from: c:\users\Mog\Desktop\Cb.exe
Command switches used :: c:\users\Mog\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\Fonts\NR7c53k.com"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Mog\AppData\Roaming\Ewebow
c:\users\Mog\AppData\Roaming\Ewebow\atini.off
c:\users\Mog\AppData\Roaming\Fyme
c:\users\Mog\AppData\Roaming\Fyme\ewuqw.oso
c:\users\Mog\AppData\Roaming\Nuwuox
c:\users\Mog\AppData\Roaming\Nuwuox\irila.exe
c:\users\Mog\AppData\Roaming\Runu
c:\users\Mog\AppData\Roaming\Runu\kocaz.exe
c:\windows\Fonts\NR7c53k.com
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
.
((((((((((((((((((((((((( Files Created from 2011-08-09 to 2011-09-09 )))))))))))))))))))))))))))))))
.
.
2011-09-09 10:14 . 2011-09-09 10:21 -------- d-----w- c:\users\Mog\AppData\Local\temp
2011-09-09 10:14 . 2011-09-09 10:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-08 19:23 . 2011-09-08 19:23 212480 ----a-w- c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrynlu.exe
2011-09-08 19:23 . 2011-09-08 19:23 212480 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\udoka.exe
2011-09-08 19:23 . 2011-09-08 19:23 212480 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\exkufu.exe
2011-09-08 19:23 . 2011-09-08 19:23 212480 ----a-w- c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ucykt.exe
2011-09-08 19:23 . 2011-09-08 19:23 212480 ----a-w- c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acolu.exe
2011-09-08 19:23 . 2011-09-08 19:23 212480 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\asty.exe
2011-09-08 19:22 . 2011-09-08 19:22 212480 ----a-w- c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ywvi.exe
2011-09-08 19:22 . 2011-09-08 19:22 212480 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\tyywku.exe
2011-09-08 19:21 . 2011-09-08 19:21 212480 ----a-w- c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\azyt.exe
2011-09-08 19:21 . 2011-09-08 19:21 212480 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\oceqoq.exe
2011-09-08 19:21 . 2011-09-08 19:21 212480 ----a-w- c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ynce.exe
2011-09-08 19:21 . 2011-09-08 19:21 212480 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\aric.exe
2011-09-08 19:20 . 2011-09-08 19:20 212480 ----a-w- c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tycyx.exe
2011-09-08 19:20 . 2011-09-08 19:20 212480 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ofho.exe
2011-09-08 08:54 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8D2D168B-4946-41DE-9FEF-EAEAA452B704}\mpengine.dll
2011-09-06 11:42 . 2011-09-06 11:42 38912 ----a-w- c:\windows\system32\NR7c53k.com
2011-08-24 15:37 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-22 11:30 . 2011-09-08 13:04 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-22 11:12 . 2011-09-08 13:04 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-22 11:12 . 2011-08-12 03:15 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-22 11:12 . 2011-08-12 03:15 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-22 11:12 . 2011-09-08 13:04 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-22 11:12 . 2011-09-08 13:04 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-22 11:12 . 2011-09-08 13:04 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-22 11:12 . 2011-09-08 13:04 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-21 09:00 . 2011-08-21 09:00 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-08-15 21:10 . 2011-08-15 21:10 -------- d-----w- c:\program files\iPod
2011-08-15 21:10 . 2011-09-08 18:15 -------- d-----w- c:\program files\iTunes
2011-08-15 21:08 . 2011-08-15 21:08 -------- d-----w- c:\program files\Bonjour
2011-08-11 08:34 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-11 08:34 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-11 08:34 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-15 14:41 . 2011-05-25 08:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-12 10:20 . 2011-07-12 10:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 10:20 . 2011-07-12 10:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 10:20 . 2011-07-12 10:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-09-08 13:04 . 2011-08-22 11:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
<pre>
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
</pre>
.
((((((((((((((((((((((((((((( SnapShot@2011-09-08_18.36.24 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-09-08 10:29 . 2011-09-08 15:55 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011090820110909\index.dat
+ 2011-09-08 10:29 . 2011-09-08 19:20 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011090820110909\index.dat
- 2011-09-08 18:27 . 2011-09-08 18:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-09-09 10:15 . 2011-09-09 10:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-09-09 10:15 . 2011-09-09 10:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-09-08 18:27 . 2011-09-08 18:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-03-04 21:49 . 2011-09-09 09:41 420800 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-03-04 21:49 . 2011-09-08 18:26 420800 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
c:\program files\Yontoo Layers Runtime\YontooIEClient_2.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe -scheduler" [X]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [N/A]
"RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2008-05-05 32768]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-18 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"RCUI"="c:\program files\RingCentral\RingCentral Call Controller\RCUI.exe" [2009-06-04 479232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [N/A]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [N/A]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-17 4702208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [N/A]
"bipro"="c:\windows\$XNTUninstall643$\wzrel.dll" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
acolu.exe [2011-9-8 212480]
azyt.exe [2011-9-8 212480]
tycyx.exe [2011-9-8 212480]
ucykt.exe [2011-9-8 212480]
ynce.exe [2011-9-8 212480]
yrynlu.exe [2011-9-8 212480]
ywvi.exe [2011-9-8 212480]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HD Writer.lnk - c:\program files\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe [2011-1-19 308640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 14:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-07-19 17:29 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
c:\program files\TomTom HOME 2\TomTomHOMERunner.exe [N/A]
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R3 DHTRACE;Intel® DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-06-27 39640]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-09 691696]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-08-21 53816]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-19 335240]
S1 RapportCerberus_29574;RapportCerberus_29574;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys [2011-08-07 216912]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-08-21 66360]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-08-21 158904]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\HomeCinema\PlayMovie\000.fcl [2007-10-11 41456]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-19 297752]
S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2007-02-12 208896]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2007-02-18 5376]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-08-21 870200]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [2011-03-25 689464]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-03-09 92592]
S2 TVECapSvc;TVEnhance Background Capture Service (TBCS);c:\program files\HomeCinema\TV Enhance\Kernel\TV\TVECapSvc.exe [2007-10-19 290909]
S2 TVESched;TVEnhance Task Scheduler (TTS));c:\program files\HomeCinema\TV Enhance\Kernel\TV\TVESched.exe [2007-10-19 114779]
S3 3xHybrid;Philips SAA713x PCI Card;c:\windows\system32\DRIVERS\3xHybrid.sys [2007-08-22 1242976]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-11-08 5632]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-11-21 569344]
S3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2006-11-17 13976]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:10]
.
2011-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:10]
.
2011-09-08 c:\windows\Tasks\User_Feed_Synchronization-{A3C6695F-F6BC-4500-B453-A5F3BE5EFE5F}.job
- c:\windows\system32\msfeedssync.exe [2008-03-20 07:33]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.daemon-search.com/startpage
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Mog\AppData\Roaming\Mozilla\Firefox\Profiles\6r7dose1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-09 11:20
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\HomeCinema\PlayMovie\000.fcl"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\HomeCinema\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5612)
c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\System32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehRecvr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\vssvc.exe
c:\windows\ehome\mcupdate.EXE
.
**************************************************************************
.
Completion time: 2011-09-09 11:27:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-09 10:26
ComboFix2.txt 2011-09-08 15:01
.
Pre-Run: 286,553,260,032 bytes free
Post-Run: 286,517,272,576 bytes free
.
- - End Of File - - 25626ACC69682C122EF6E41D1649A493

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 September 2011 - 07:36 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrynlu.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\udoka.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\exkufu.exe
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ucykt.exe
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acolu.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\asty.exe
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ywvi.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\tyywku.exe
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\azyt.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\oceqoq.exe
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ynce.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\aric.exe
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tycyx.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ofho.exe

Folder::
c:\program files\Yontoo Layers Runtime


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
[screenshot]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following:

  • report from ComboFix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
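As an added worked example (not code from this thread, from ComboFix, or from either poster): the script below reads the kind of "Reg Loading Points" and Startup-folder lines that appear in the ComboFix logs above, flags the patterns a responder looks for in them, and writes the flagged Startup-folder files out in the File::/Folder:: layout that CFScript.txt uses in the post above. The sample input is an excerpt copied from the log posted earlier in the thread. The rule names, the size-cluster threshold, the lowercase-letters name test and the function names (parse_log, triage, cfscript) are this example's own assumptions, not ComboFix's logic and not Gringo's method.

```python
"""Triage of a ComboFix autostart listing, producing a draft CFScript block.

Added example for this page: not code from the thread, from ComboFix or from
the posters. The rules below are heuristics chosen for this example; they
reproduce patterns visible in the log above, not ComboFix's own logic.
"""
import re
from collections import Counter

# Sample input: an excerpt copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [N/A]
"RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2008-05-05 32768]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bipro"="c:\windows\$XNTUninstall643$\wzrel.dll" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
acolu.exe [2011-9-8 212480]
azyt.exe [2011-9-8 212480]
tycyx.exe [2011-9-8 212480]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HD Writer.lnk - c:\program files\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe [2011-1-19 308640]
'''

# "name"="path" [stamp]  -- one value under a Run key
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<stamp>[^\]]*)\]$')
# A Startup folder header line; the files it contains are listed right below it
STARTUP_DIR = re.compile(r'^[a-z]:\\.*\\startup\\$', re.IGNORECASE)
# file.exe [date size]  -- a bare executable inside that folder
STARTUP_EXE = re.compile(r'^(?P<file>[^\s\[]+\.exe)\s+\[[\d-]+\s+(?P<size>\d+)\]$', re.IGNORECASE)
# "AdobeARM .exe": whitespace wedged between the name and the extension
SPACE_BEFORE_EXT = re.compile(r'\S[ \t]+\.(exe|dll|com)\b', re.IGNORECASE)
# A Run value whose target is a DLL rather than an executable
DLL_TARGET = re.compile(r'\.dll$', re.IGNORECASE)
# Short, lowercase, letters-only names: a crude stand-in for a reputation lookup (assumption)
RANDOM_NAME = re.compile(r'^[a-z]{3,8}\.exe$')


def parse_log(text):
    """Yield ('run', name, path, stamp) and ('startup', folder, file, size) records."""
    folder = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_VALUE.match(line):
            yield ("run", m["name"], m["path"], m["stamp"])
        elif STARTUP_DIR.match(line):
            folder = line                      # files listed below belong to this folder
        elif folder and (m := STARTUP_EXE.match(line)):
            yield ("startup", folder, m["file"], int(m["size"]))
        else:
            folder = None                      # any other line ends the folder block


def triage(text, min_cluster=2):
    """Return (review, delete): entries to inspect by hand, and Startup files for a File:: block."""
    records = list(parse_log(text))
    sizes = Counter(size for kind, _, _, size in records if kind == "startup")
    review, delete = [], []
    for kind, a, b, c in records:
        if kind == "run":
            name, path, stamp = a, b, c
            if SPACE_BEFORE_EXT.search(path):
                review.append((path, f'"{name}": space before the extension (compare the <pre> list in the log)'))
            if DLL_TARGET.search(path) and "rundll32" not in path.lower():
                review.append((path, f'"{name}": Run value points straight at a DLL'))
            if stamp.strip().upper() in ("N/A", "X"):
                review.append((path, f'"{name}": ComboFix printed [{stamp}] instead of a date and size'))
        else:
            folder, fname, size = a, b, c
            # Several identically sized, randomly named .exe files in Startup: treat as one dropper family
            if sizes[size] >= min_cluster and RANDOM_NAME.match(fname):
                delete.append(folder + fname)
    return review, delete


def cfscript(delete, folders=()):
    """Render a CFScript.txt body in the File:: / Folder:: layout used in the thread."""
    lines = ["File::", *delete]
    if folders:
        lines += ["", "Folder::", *folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    review, delete = triage(SAMPLE_LOG)
    for path, why in review:
        print(f"REVIEW  {path}\n        {why}")
    print("\n--- draft CFScript.txt (check every line against the full log) ---")
    # The folder entry is copied from the CFScript in the post above
    print(cfscript(delete, folders=[r"c:\program files\Yontoo Layers Runtime"]))
```

Run with python3. The REVIEW list is for eyes, not deletion: it holds the Run values whose file name carries a space before the extension (the same names ComboFix lists between the `<pre>` tags), the HKLM Run value that points at wzrel.dll in the `$XNTUninstall643$` folder (the file named in the RunDLL error from the first post), and every entry where ComboFix printed [N/A] or [X] instead of a date and size. Only the cluster of identically sized, randomly named executables in the Startup folders goes into the File:: block, which is the same set of files the CFScript above removes; the emitted script is a draft to be checked line by line against the full log before it is dropped onto ComboFix.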

#10 Mog123

  • Topic Starter
  • Members
  • 17 posts

Posted 09 September 2011 - 08:57 AM

Hi Gringo,

Latest log results from ComboFix are below:

ComboFix 11-09-08.03 - Mog 09/09/2011 14:35:20.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2045.994 [GMT 1:00]
Running from: c:\users\Mog\Desktop\Cb.exe
Command switches used :: c:\users\Mog\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\aric.exe"
"c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\asty.exe"
"c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\exkufu.exe"
"c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\oceqoq.exe"
"c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ofho.exe"
"c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\tyywku.exe"
"c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\udoka.exe"
"c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acolu.exe"
"c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\azyt.exe"
"c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tycyx.exe"
"c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ucykt.exe"
"c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ynce.exe"
"c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrynlu.exe"
"c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ywvi.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\aric.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\asty.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\exkufu.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\oceqoq.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ofho.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\tyywku.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\udoka.exe
c:\users\Mog\AppData\Roaming\Ammea
c:\users\Mog\AppData\Roaming\Ammea\ehyl.exe
c:\users\Mog\AppData\Roaming\Eqanan
c:\users\Mog\AppData\Roaming\Eqanan\roazd.exe
c:\users\Mog\AppData\Roaming\Ibquu
c:\users\Mog\AppData\Roaming\Ibquu\lois.exe
c:\users\Mog\AppData\Roaming\Leet
c:\users\Mog\AppData\Roaming\Leet\inwex.ute
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acolu.exe
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\azyt.exe
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tycyx.exe
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ucykt.exe
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ynce.exe
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yrynlu.exe
c:\users\Mog\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ywvi.exe
c:\users\Mog\AppData\Roaming\Qaid
c:\users\Mog\AppData\Roaming\Qaid\waloa.hev
c:\users\Mog\AppData\Roaming\Tiuf
c:\users\Mog\AppData\Roaming\Tiuf\deleu.lay
.
.
((((((((((((((((((((((((( Files Created from 2011-08-09 to 2011-09-09 )))))))))))))))))))))))))))))))
.
.
2011-09-09 13:46 . 2011-09-09 13:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-09 13:44 . 2011-09-09 13:44 -------- d-----w- c:\users\Mog\AppData\Roaming\Omukvu
2011-09-09 13:44 . 2011-09-09 13:44 -------- d-----w- c:\users\Mog\AppData\Roaming\Eqgiu
2011-09-09 13:44 . 2011-09-09 13:44 -------- d-----w- c:\users\Mog\AppData\Roaming\Wuyg
2011-09-09 13:44 . 2011-09-09 13:44 -------- d-----w- c:\users\Mog\AppData\Roaming\Igiq
2011-09-09 13:43 . 2011-09-09 13:43 -------- d-----w- c:\users\Mog\AppData\Roaming\Ytoxav
2011-09-09 13:43 . 2011-09-09 13:43 -------- d-----w- c:\users\Mog\AppData\Roaming\Exhuy
2011-09-09 10:27 . 2011-09-09 13:46 -------- d-----w- c:\users\Mog\AppData\Local\temp
2011-09-08 08:54 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8D2D168B-4946-41DE-9FEF-EAEAA452B704}\mpengine.dll
2011-09-06 11:42 . 2011-09-06 11:42 38912 ----a-w- c:\windows\system32\NR7c53k.com
2011-08-24 15:37 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-22 11:30 . 2011-09-08 13:04 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-22 11:12 . 2011-09-08 13:04 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-22 11:12 . 2011-08-12 03:15 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-22 11:12 . 2011-08-12 03:15 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-22 11:12 . 2011-09-08 13:04 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-22 11:12 . 2011-09-08 13:04 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-22 11:12 . 2011-09-08 13:04 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-22 11:12 . 2011-09-08 13:04 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-21 09:00 . 2011-08-21 09:00 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-08-15 21:10 . 2011-08-15 21:10 -------- d-----w- c:\program files\iPod
2011-08-15 21:10 . 2011-09-08 18:15 -------- d-----w- c:\program files\iTunes
2011-08-15 21:08 . 2011-08-15 21:08 -------- d-----w- c:\program files\Bonjour
2011-08-11 08:34 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-11 08:34 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-11 08:34 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-15 14:41 . 2011-05-25 08:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-12 10:20 . 2011-07-12 10:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 10:20 . 2011-07-12 10:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 10:20 . 2011-07-12 10:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-09-08 13:04 . 2011-08-22 11:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
<pre>
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\TomTom HOME 2\TomTomHOMERunner .exe
c:\program files\Virgin Media\Service Manager\ServiceManager .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
</pre>
.
((((((((((((((((((((((((((((( SnapShot@2011-09-08_18.36.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-27 04:31 . 2011-09-09 13:31 76514 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-01-04 17:11 . 2011-09-09 13:31 21444 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-986331289-2932445914-2247384907-1002_UserData.bin
+ 2008-03-30 07:09 . 2011-09-09 10:42 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2008-03-30 07:09 . 2011-09-08 10:42 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2011-09-08 10:29 . 2011-09-08 19:20 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011090820110909\index.dat
- 2011-09-08 10:29 . 2011-09-08 15:55 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012011090820110909\index.dat
+ 2009-11-25 14:01 . 2011-09-09 13:29 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-25 14:01 . 2011-09-08 18:27 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-25 14:01 . 2011-09-08 18:27 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-25 14:01 . 2011-09-09 13:29 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-09-08 18:27 . 2011-09-08 18:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-09-09 13:29 . 2011-09-09 13:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-09-08 18:27 . 2011-09-08 18:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-09-09 13:29 . 2011-09-09 13:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 13:05 . 2011-09-09 13:31 153806 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:05 . 2011-09-08 18:38 153806 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 10:33 . 2011-09-08 18:32 650068 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2011-09-09 13:36 650068 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2011-09-08 18:32 125006 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2011-09-09 13:36 125006 c:\windows\System32\perfc009.dat
- 2008-01-04 16:40 . 2011-09-08 18:27 212992 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-04 16:40 . 2011-09-09 13:29 212992 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-04 16:40 . 2011-09-09 13:29 557056 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-04 16:40 . 2011-09-08 18:27 557056 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-04 21:49 . 2011-09-09 13:28 420800 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-03-04 21:49 . 2011-09-08 18:26 420800 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-09-07 21:50 . 2011-09-09 13:28 421568 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-986331289-2932445914-2247384907-1002-8192.dat
- 2011-09-07 21:50 . 2011-09-08 18:10 421568 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-986331289-2932445914-2247384907-1002-8192.dat
+ 2008-01-04 16:40 . 2011-09-09 13:29 2752512 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
c:\program files\Yontoo Layers Runtime\YontooIEClient_2.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe -scheduler" [X]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [N/A]
"RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2008-05-05 32768]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-18 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"RCUI"="c:\program files\RingCentral\RingCentral Call Controller\RCUI.exe" [2009-06-04 479232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [N/A]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [N/A]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-17 4702208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [N/A]
"bipro"="c:\windows\$XNTUninstall643$\wzrel.dll" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HD Writer.lnk - c:\program files\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe [2011-1-19 308640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 14:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-07-19 17:29 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
c:\program files\TomTom HOME 2\TomTomHOMERunner.exe [N/A]
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R3 DHTRACE;Intel® DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-06-27 39640]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-09 691696]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-08-21 53816]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-19 335240]
S1 RapportCerberus_29574;RapportCerberus_29574;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys [2011-08-07 216912]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-08-21 66360]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-08-21 158904]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\HomeCinema\PlayMovie\000.fcl [2007-10-11 41456]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-19 297752]
S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2007-02-12 208896]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2007-02-18 5376]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-08-21 870200]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [2011-03-25 689464]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-03-09 92592]
S2 TVECapSvc;TVEnhance Background Capture Service (TBCS);c:\program files\HomeCinema\TV Enhance\Kernel\TV\TVECapSvc.exe [2007-10-19 290909]
S2 TVESched;TVEnhance Task Scheduler (TTS));c:\program files\HomeCinema\TV Enhance\Kernel\TV\TVESched.exe [2007-10-19 114779]
S3 3xHybrid;Philips SAA713x PCI Card;c:\windows\system32\DRIVERS\3xHybrid.sys [2007-08-22 1242976]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-11-08 5632]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-11-21 569344]
S3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2006-11-17 13976]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:10]
.
2011-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:10]
.
2011-09-09 c:\windows\Tasks\User_Feed_Synchronization-{A3C6695F-F6BC-4500-B453-A5F3BE5EFE5F}.job
- c:\windows\system32\msfeedssync.exe [2008-03-20 07:33]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.daemon-search.com/startpage
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Mog\AppData\Roaming\Mozilla\Firefox\Profiles\6r7dose1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-09 14:46
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\HomeCinema\PlayMovie\000.fcl"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\HomeCinema\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-09-09 14:53:19
ComboFix-quarantined-files.txt 2011-09-09 13:53
ComboFix2.txt 2011-09-09 10:27
ComboFix3.txt 2011-09-08 15:01
.
Pre-Run: 286,506,487,808 bytes free
Post-Run: 286,447,534,080 bytes free
.
- - End Of File - - A56BC9C07027A685AD506E9B331800B2

#11 gringo_pr

Bleepin Gringo
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 September 2011 - 01:51 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\NR7c53k.com

Folder::
c:\users\Mog\AppData\Roaming\Omukvu
c:\users\Mog\AppData\Roaming\Eqgiu
c:\users\Mog\AppData\Roaming\Wuyg
c:\users\Mog\AppData\Roaming\Igiq
c:\users\Mog\AppData\Roaming\Ytoxav
c:\users\Mog\AppData\Roaming\Exhuy
c:\program files\Yontoo Layers Runtime

RenV::
c:\program files\Virgin Media\Service Manager\ServiceManager .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\TomTom HOME 2\TomTomHOMERunner .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe

DDS::
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 Mog123 (Topic Starter)
  • Members
  • 17 posts

Posted 10 September 2011 - 05:59 AM

Hi!

Latest Combofix log below.

ComboFix 11-09-08.03 - Mog 09/09/2011 21:38:30.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2045.902 [GMT 1:00]
Running from: c:\users\Mog\Desktop\Cb.exe
Command switches used :: c:\users\Mog\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\NR7c53k.com"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\users\Mog\AppData\Roaming\Eqgiu
c:\users\Mog\AppData\Roaming\Eqgiu\agic.did
c:\users\Mog\AppData\Roaming\Exhuy
c:\users\Mog\AppData\Roaming\Exhuy\ofak.exe
c:\users\Mog\AppData\Roaming\Igiq
c:\users\Mog\AppData\Roaming\Igiq\ysdy.foy
c:\users\Mog\AppData\Roaming\Omukvu
c:\users\Mog\AppData\Roaming\Omukvu\paozu.exe
c:\users\Mog\AppData\Roaming\Wuyg
c:\users\Mog\AppData\Roaming\Wuyg\utyl.exe
c:\users\Mog\AppData\Roaming\Ytoxav
c:\users\Mog\AppData\Roaming\Ytoxav\ihan.ypm
c:\windows\Fonts\NR7c53k.com
c:\windows\system32\NR7c53k.com
c:\windows\Tasks\At1.job
.
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe ---^> c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2011-08-10 to 2011-09-10 )))))))))))))))))))))))))))))))
.
.
2011-09-10 09:34 . 2011-09-10 09:34 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-09-10 09:34 . 2011-09-10 09:34 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-09-10 09:34 . 2011-09-10 09:34 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-09-10 09:34 . 2011-09-10 09:34 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-09-10 09:34 . 2011-09-10 09:34 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-09-10 09:34 . 2011-09-10 09:34 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-09-10 09:34 . 2011-09-10 09:34 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-09-10 09:34 . 2011-09-10 09:34 8288 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-09-10 09:34 . 2011-09-10 09:34 6910 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-09-10 09:34 . 2011-09-10 09:34 6208 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-09-10 09:34 . 2011-09-10 09:34 18541 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-09-10 09:34 . 2011-09-10 09:34 1651 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-09-10 09:33 . 2011-09-10 09:33 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-09-10 09:33 . 2011-09-10 09:33 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-09-10 09:33 . 2011-09-10 09:33 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-09-10 09:33 . 2011-09-10 09:33 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-09-10 09:33 . 2011-09-10 09:33 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-09-09 20:46 . 2011-09-10 09:41 -------- d-----w- c:\users\Mog\AppData\Local\temp
2011-09-09 20:46 . 2011-09-09 20:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-08 08:54 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8D2D168B-4946-41DE-9FEF-EAEAA452B704}\mpengine.dll
2011-09-05 19:28 . 2011-09-06 10:43 113152 ----a-w- c:\windows\system32\NR7c53k.com_
2011-08-24 15:37 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-22 11:30 . 2011-09-08 13:04 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-22 11:12 . 2011-09-08 13:04 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-22 11:12 . 2011-08-12 03:15 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-22 11:12 . 2011-08-12 03:15 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-08-22 11:12 . 2011-09-08 13:04 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-22 11:12 . 2011-09-08 13:04 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-22 11:12 . 2011-09-08 13:04 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-22 11:12 . 2011-09-08 13:04 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-21 09:00 . 2011-08-21 09:00 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-08-15 21:10 . 2011-08-15 21:10 -------- d-----w- c:\program files\iPod
2011-08-15 21:10 . 2011-09-08 18:15 -------- d-----w- c:\program files\iTunes
2011-08-15 21:08 . 2011-08-15 21:08 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-15 14:41 . 2011-05-25 08:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 13:54 . 2011-08-11 08:35 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-12 10:20 . 2011-07-12 10:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 10:20 . 2011-07-12 10:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 10:20 . 2011-07-12 10:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-06 15:31 . 2011-08-11 08:35 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-21 15:49 . 2011-08-11 08:35 834048 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 14:13 . 2011-08-11 08:35 389632 ----a-w- c:\windows\system32\html.iec
2011-06-20 08:54 . 2011-08-11 08:34 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-20 08:54 . 2011-08-11 08:34 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-17 20:13 . 2011-08-11 08:34 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-17 16:03 . 2011-08-11 08:35 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-09-08 13:04 . 2011-08-22 11:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
<pre>
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
c:\program files\Yontoo Layers Runtime\YontooIEClient_2.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe -scheduler" [X]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [N/A]
"RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2008-05-05 32768]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-18 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"RCUI"="c:\program files\RingCentral\RingCentral Call Controller\RCUI.exe" [2009-06-04 479232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-17 4702208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]
"bipro"="c:\windows\$XNTUninstall643$\wzrel.dll" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HD Writer.lnk - c:\program files\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe [2011-1-19 308640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\evadosp]
2011-09-09 20:58 11264 ----a-w- c:\windows\System32\config\systemprofile\AppData\Local\evadosp.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 14:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-07-19 17:29 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2011-03-09 12:30 247728 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R3 DHTRACE;Intel® DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-06-27 39640]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-09 691696]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-08-21 53816]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-19 335240]
S1 RapportCerberus_29574;RapportCerberus_29574;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus32_29574.sys [2011-08-07 216912]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-08-21 66360]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-08-21 158904]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\HomeCinema\PlayMovie\000.fcl [2007-10-11 41456]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-19 297752]
S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2007-02-12 208896]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2007-02-18 5376]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-08-21 870200]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [2011-03-25 689464]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-03-09 92592]
S2 TVECapSvc;TVEnhance Background Capture Service (TBCS);c:\program files\HomeCinema\TV Enhance\Kernel\TV\TVECapSvc.exe [2007-10-19 290909]
S2 TVESched;TVEnhance Task Scheduler (TTS));c:\program files\HomeCinema\TV Enhance\Kernel\TV\TVESched.exe [2007-10-19 114779]
S3 3xHybrid;Philips SAA713x PCI Card;c:\windows\system32\DRIVERS\3xHybrid.sys [2007-08-22 1242976]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-11-08 5632]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-11-21 569344]
S3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2006-11-17 13976]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:10]
.
2011-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:10]
.
2011-09-09 c:\windows\Tasks\User_Feed_Synchronization-{A3C6695F-F6BC-4500-B453-A5F3BE5EFE5F}.job
- c:\windows\system32\msfeedssync.exe [2008-03-20 07:33]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.daemon-search.com/startpage
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Mog\AppData\Roaming\Mozilla\Firefox\Profiles\6r7dose1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-10 10:40
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\HomeCinema\PlayMovie\000.fcl"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\HomeCinema\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4528)
c:\users\Mog\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\System32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehRecvr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-09-10 10:47:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-10 09:47
ComboFix2.txt 2011-09-09 13:53
ComboFix3.txt 2011-09-09 10:27
ComboFix4.txt 2011-09-08 15:01
.
Pre-Run: 284,429,889,536 bytes free
Post-Run: 284,886,069,248 bytes free
.
- - End Of File - - FD7E9E8D5152C16E35AD1C75E56286BA

#13 gringo_pr

Bleepin Gringo
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 September 2011 - 02:26 PM

Hello

How is the computer doing now?


Gringo

#14 Mog123 (Topic Starter)
  • Members
  • 17 posts

Posted 12 September 2011 - 04:09 AM

Hi,

Well, it certainly seems better, but I still get that 'Run DLL' message every time I start up, and I have lost the icons to shut, minimise etc. in Firefox in the top right of the screen.

Is Combofix showing no further problems now then? If not what should I do now?

Kind Regards,

Ian

#15 Mog123 (Topic Starter)
  • Members
  • 17 posts

Posted 12 September 2011 - 05:17 AM

UPDATE:

Firefox definitely isn't right. As I mentioned before, the icons in the top right are not visible, and if I click anywhere on the top bar Firefox just shuts down.

Also, I sometimes have overlapping icons if 2 browsers are open, or my browser and MS Outlook, for instance.



