View Full Version : virtumonde.crack spyware
OriginalMcBlood
2009-04-27, 23:38
Hi please help I have the above piece of malware plus some win32 type malware.
I mistakenly ran s&d and removed a lot of stuff before reading the correct process properly, sorry. Anyway here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:27:36, on 27/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\APPS\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\apps\ABoard\AOSD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\TEMP\System.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/welcome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: qs Class - {8A555E0E-6240-DD93-198D-45F571D4FD9B} - C:\Program Files\altcmd\altcmd32.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: {510b77fa-78dc-54eb-1954-c32aa5ec61ee} - {ee16ce5a-a23c-4591-be45-cd87af77b015} - C:\WINDOWS\system32\vrqzew.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "c:\APPS\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows System Update] C:\WINDOWS\TEMP\CSRSS.EXE
O4 - HKLM\..\Run: [Windows Updater] C:\WINDOWS\TEMP\System.exe
O4 - HKLM\..\Run: [Language_Shortcut] C:\WINDOWS\TEMP\IEXPLORE.EXE
O4 - HKLM\..\Run: [SYSTRAY_UPDATE] C:\WINDOWS\TEMP\systray.exe
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [System Restore] C:\WINDOWS\TEMP\alg.exe
O4 - HKCU\..\Run: [SmpcSys] C:\APPS\SMP\SmpSys.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: userinit.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game08.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
--
End of file - 14450 bytes
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.
OriginalMcBlood
2009-04-29, 15:24
I can reformat it if I only need to reformat one HDD.
The problem is that I have 2 HDDs on this computer. The standard factory issue installed drive split into 2 normal drives C and D but I also have a second HDD ( K) connected via a USB.
IF I can just wipe the C (where the OS is) and D drives and remain secure then that is fine because I can use the other drive to store a backup all of my files. If this is infected though I do not have the resource to do this.
It depends on the nature of the virus. Anything I download normally I download onto D and then tranfers across to K ( the entire download untouched) and install on K. All original downloaded data on D is normally deleted and deleted from the recycle bin. If the programme is related to "standard" applications such as the OS, browser, Java etc or is less than about 1 gb then I commonly install it on the C.
I strongly suspect this has piggy backed in with IE.8 maybe I have unknowingly downloaded from a dodgy mocked up site. Practically immediately after install my spyware software started giving me detections and If I tried to browse it tried to redirected me to a URL starting "gremlinko" before coming up with a cannot connect page.
At the same time on bootup windows DEP kicked in flashing numerous DDM proxy messages, well the same one over and over again.
The source could also have been a driver update tool app that I downlowded installed ran and uninstalled all within about half an hour.
If however it has lay dormant for a week or longer then it could be a few different things.
Anyway back to the point Will I need to reformat all drives connected to this PC? And also this PC is networked and there are 2 other PCs and an Xbox that share this network what about them are they secure?
I can keep posting from my nice clean PC at work.
thanks blade
OriginalMcBlood
Hi
Both C and D drive should be reformatted.
Also, in your case there's a worm that is aware of removable drives. That means your USB drive may carry the infection.
Let me know what you want to do (try cleaning or format).
OriginalMcBlood
2009-04-29, 18:30
Hi
lets try and clean it first and if that does not work then I will have to go down the reformat route. Happy days I am carrying about 400 GB of apps and documents on this PC and god only knows where all the original media is to reinstall it all!
I am looking at a lot of time and work to get it back to where it was before infection if I have to reformat but I suppose that is better than being bankrupt and the CID knocking on my door because someone with my identity has done something naughty.
Is the malware in the os or is it more deeply embedded, could we clean and then I could uninstall and reinstall my OS or is this a pointless exercise just making me feel more secure without any guaranteed security benefits?
Sorry to moan I really appreciate your help on this I am just PO'ed with getting malware after never having any for the last, forever and priding myself on being, I thought, very secure.
cheers
OriginalMcBlood
2009-04-29, 19:36
Just read the post above and realised it sounds a bit naive. I know if I reinstall the OS that I will be reformatting following the normal process (although I also know that there are ways around this).
To clarify if I back up everything on my drives. They get cleaned and then I just dump everything that was on there back again could I effectively reinfect my system thus wasting my and more importantly your valuable time?
Hi
You should backup only videos, music and pictures.
As said, one of infections there is aware of removable drives. If you're going to backup anything to USB drive, it's better make sure drive hasn't infection.
Disable autorun on infected system (instructions (http://support.microsoft.com/kb/967715/)).
1. Download Flash_Disinfector (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe) and save it to your Desktop of your clean system.
2. After downloading, double-click on Flash_Disinfector to run it.
3. Just follow the prompts and continue until it begin scanning.
4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
5. It will scan removable drives, wait for the scan to finish. Done.
Run Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) to check if external hard drive is clean. If it is then you may backup those above mentioned file types
OriginalMcBlood
2009-04-30, 13:52
sorry for the delay did not read until just now will follow instructions tonight and post results on Fri during the day
OriginalMcBlood
2009-05-01, 12:02
Okay I have hit a problem.
I downloaded flash disinfector (your link did not work by the way) on to a pen drive from a laptop.
I went on the infected system to disable autorun. I disabled autorun and rebooted and put the pen drive into a usb in the infected computer. It did not appear that autorun had been disabled properly. I went back and downloaded an update from microsoft to make it work using the same pen drive. I was so caught up in trying to clean the infected machine that I totally forgot about the dangers of cross infection. I then installed the update and disabled autorun.
When I then went to install and run flash disinfector, from the pen drive, the file had not downloaded properly and was unable to fully install.
It was at this point that I stopped and thought about the danger of cross infection, maybe too late. So I used my antispyware scanner provided by my ISP to scan the pen drive I had been using.
Yes you guessed it, it showed the pen drive as infected with about 4 viruses. All the ones that it shows if I run it on the infected system (it does not pick up all the ones that spybot S & D does).
So my problem is now two fold:
I do not have a way of getting any files onto the infected machine because my pen drive is compromised.
The laptop I used to download the files may now well be infected as well. This laptop is in constant use and it was amazing that I could use it for the 2 minutes that I did to download these files. This computer has no antispyware software on it at all and because of the constant use issues I can not get on it to put any on it and scan (it is exclusively my wifes and is used very heavily for work related stuff).
The laptop is not showing any signs of infection but it did request the password for my wifes' email account which it does sporadically, she told me but this was the next time she checked it after I had used the pen drive in her machine. Could I ask what you think the liklihood of infection is? Nothing has been installed or downloaded onto this machine only the infected pen drive used in it.
I can not use the pc I am posting from to download any files even if I went and got a new pen drive or even to download to CD. The pc's within my organisation, because of the potential risk involved in any information governance breaches are disabled in the production of any portable media.
I would still like to try and clean this machine but it is looking less and less possible.
In your opinion, (I accept full liability for any consequences of any action I take with regards to this computer malware infection irrespective of advice given) is it too much of a risk to connect this machine to the internet to download flash disinfector and run Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner)
This is only one step added, downloading flash disinfector, before you advised going online anyway.
cheers
Hi
I think you can download KOS to this system with issues. As said earlier, I'm ready to assist with system cleaning if you want to try that.
OriginalMcBlood
2009-05-01, 16:34
should I turn the tea timer back on before I go on line?
OriginalMcBlood
2009-05-01, 18:18
Yes I would like to try and clean it please will follow your previous instructions first and post any results.
thanks
Ok. Shall wait for your input :)
OriginalMcBlood
2009-05-02, 01:28
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, May 1, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 01, 2009 14:52:27
Records in database: 2117868
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
Scan statistics:
Files scanned: 243828
Threat name: 10
Infected objects: 51
Suspicious objects: 4
Duration of the scan: 04:43:38
File name / Threat name / Threats count
C:\WINDOWS\system32\vrqzew.dll/C:\WINDOWS\system32\vrqzew.dll Infected: Packed.Win32.Krap.n 29
C:\WINDOWS\TEMP\System.exe/C:\WINDOWS\TEMP\System.exe Infected: Backdoor.Win32.SdBot.jpe 1
C:\WINDOWS\csauie1.ocx Infected: not-a-virus:AdWare.Win32.Coupons.u 1
C:\WINDOWS\system32\drivers\services.exe Infected: Backdoor.Win32.SdBot.jpe 1
C:\WINDOWS\system32\isyhvxyp.dll Infected: Packed.Win32.Krap.n 1
C:\WINDOWS\system32\khfCuVmm.dll Infected: Trojan-Downloader.Win32.BHO.kml 1
C:\WINDOWS\system32\mvyerpjt.dll Infected: Packed.Win32.Krap.n 1
C:\WINDOWS\system32\vrqzew.dll Infected: Packed.Win32.Krap.n 1
C:\WINDOWS\system32\vtUlMecY.dll Infected: Trojan-Downloader.Win32.BHO.kml 1
C:\WINDOWS\system32\wowfx.dll Infected: Trojan.Win32.Agent.alos 1
C:\WINDOWS\Temp\System.exe Infected: Backdoor.Win32.SdBot.jpe 1
D:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B0D69EF.wmf Infected: Trojan-Downloader.Win32.Agent.acd 1
D:\Documents and Settings\The Family\Application Data\nvsvc1024.dll Infected: Trojan.Win32.Agent.alos 1
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\25\650d0659-68161e1c Infected: Exploit.Java.Gimsh.a 1
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-75a95481 Infected: Exploit.Java.Gimsh.a 1
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-6f01188c Infected: Exploit.Java.Gimsh.b 1
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-3450a110.zip Infected: Exploit.Java.Gimsh.a 1
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-52495110.zip Infected: Exploit.Java.Gimsh.b 1
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-4fb0852d.zip Infected: Exploit.Java.Gimsh.a 1
D:\Documents and Settings\The Family\Local Settings\Application Data\Identities\{D688B133-BB08-44AA-9610-0788232F351C}\Microsoft\Outlook Express\Dylan.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\Documents and Settings\The Family\Start Menu\Programs\Startup\userinit.exe Infected: Backdoor.Win32.SdBot.jpe 1
D:\Documents and Settings\The Family\svchost.exe Infected: Backdoor.Win32.SdBot.jpe 1
D:\RECYCLER\S-1-5-21-2687666314-1017323166-2936280733-1006\Dd129.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\RECYCLER\S-1-5-21-2687666314-1017323166-2936280733-1006\Dd156.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\RECYCLER\S-1-5-21-2687666314-1017323166-2936280733-1006\Dd181.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1
K:\My Documents 2\Downloads 2\downloaded stuff originals\Pro Evolution Soccer 2009 crack - [ pes2009.exe ].exe Infected: Trojan.Win32.VB.kki 1
K:\Programs 2\KONAMI\Pro Evolution 2009\cracked exe(s)\Pro Evolution Soccer 2009 crack - [ pes2009.exe ].exe Infected: Trojan.Win32.VB.kki 1
The selected area was scanned.
Cracks and safe computing don't fit well together. You have to delete all illegal stuff you got there. Means all copyrighted material that you don't have legal rights.
Then if you want take cleaning route you have to do following. Before that uninstall your P2P file sharing programs, like BitTorrent, though.
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
OriginalMcBlood
2009-05-03, 16:11
Followed instructions.
Then ran KOS K clean therefore backed up "My documents" on D, as folder and subfolders appeared clean onto K and disconnected K.
DDS scan results are included.
DDS (Ver_09-03-16.01) - NTFSx86
Run by The Family at 13:53:36.76 on 03/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.1886 [GMT 1:00]
AV: ntl Netguard Anti-virus *On-access scanning enabled* (Updated)
FW: ntl Netguard Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ntl\ntl Netguard\fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\APPS\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\TEMP\System.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\The Family\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ntlworld.com/
uSearch Bar = hxxp://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
uInternet Settings,ProxyOverride = 127.0.0.1
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\services.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\ntl\ntl netguard\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZKBho Class: {56071e0d-c61b-11d3-b41c-00e02927a304} - c:\program files\ntl\ntl netguard\FBHR.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: qs Class: {8a555e0e-6240-dd93-198d-45f571d4fd9b} - c:\program files\altcmd\altcmd32.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {510b77fa-78dc-54eb-1954-c32aa5ec61ee}: {ee16ce5a-a23c-4591-be45-cd87af77b015} - c:\windows\system32\vrqzew.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SmpcSys] c:\apps\smp\SmpSys.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [Google Update] "d:\documents and settings\the family\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [[system]] c:\windows\system32\drivers\services.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\ntl\broadb~1\smartb~1\MotiveSB.exe
mRun: [ntl Netguard] "c:\program files\ntl\ntl netguard\RPS.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Windows System Update] c:\windows\temp\CSRSS.EXE
mRun: [Windows Updater] c:\windows\temp\System.exe
mRun: [Language_Shortcut] c:\windows\temp\IEXPLORE.EXE
mRun: [SYSTRAY_UPDATE] c:\windows\temp\systray.exe
mRun: [[system]] c:\windows\system32\drivers\services.exe
mRun: [System Restore] c:\windows\temp\alg.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\documents and settings\the family\start menu\programs\startup\userinit.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\broadb~1.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - hxxp://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
AppInit_DLLs: c:\windows\system32\wowfx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {aa92c67d-b5da-914b-89b4-90cef433ad84}: {48da334f-ec09-4b98-b419-ad5bd76c29aa} - c:\windows\system32\vrqzew.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll, digest32.dll, , , , wowfx.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBrpoLE
============= SERVICES / DRIVERS ===============
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 FWS;Radialpoint Service;c:\program files\ntl\ntl netguard\fws.exe [2005-7-5 274432]
R3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S1 icyvjrws;icyvjrws;\??\c:\windows\system32\drivers\icyvjrws.sys --> c:\windows\system32\drivers\icyvjrws.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-21 1684736]
S3 cel90xbe;cel90xbe;\??\d:\docume~1\thefam~1\locals~1\temp\cel90xbe.sys --> d:\docume~1\thefam~1\locals~1\temp\cel90xbe.sys [?]
=============== Created Last 30 ================
2009-05-01 18:15 <DIR> a-dshr-- C:\autorun.inf
2009-04-27 21:27 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 20:37 <DIR> --d----- c:\windows\system32\xlib254.dll
2009-04-27 20:37 <DIR> --d----- c:\windows\system32\append.dll
2009-04-27 18:32 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-27 18:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-25 14:21 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-25 14:21 1,409 a------- c:\windows\QTFont.for
2009-04-24 17:05 118,272 a------- c:\windows\system32\vrqzew.dll
2009-04-24 17:05 118,272 a------- c:\windows\system32\mvyerpjt.dll
2009-04-24 16:56 37,376 -------- c:\windows\system32\vtUlMecY.dll
2009-04-21 19:23 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DriverCure
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DriverCure
2009-04-21 19:17 <DIR> --dsh--- d:\documents and settings\the family\IECompatCache
2009-04-21 19:07 <DIR> --dsh--- d:\documents and settings\the family\PrivacIE
2009-04-21 19:04 <DIR> --dsh--- d:\documents and settings\the family\IETldCache
2009-04-21 19:01 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-21 19:01 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-04-18 22:43 118,272 a------- c:\windows\system32\isyhvxyp.dll
2009-04-18 22:40 2,850 a--sh--- c:\windows\system32\bceggMoq.ini
2009-04-18 22:32 90,112 a------- c:\windows\system32\wowfx.dll
2009-04-18 22:32 90,112 -------- d:\docume~1\thefam~1\applic~1\nvsvc1024.dll
2009-04-18 22:32 37,376 -------- c:\windows\system32\khfCuVmm.dll
2009-04-18 22:32 57,344 a------- c:\windows\system32\digest32.dll
2009-04-15 21:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\2K Sports
==================== Find3M ====================
2009-04-06 17:16 34 a------- d:\documents and settings\the family\jagex_runescape_preferences.dat
2009-02-12 00:17 4,304 a------- c:\windows\system32\ealregsnapshot1.reg
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-03 18:32 18,085,888 a------- c:\windows\RTHDCPL.EXE
2009-02-03 17:35 35,840 a------- c:\windows\system32\RtkCoInstXP.dll
2008-04-14 01:11 23,552 a------- d:\documents and settings\the family\svchost.exe
2007-12-28 16:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 15:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 18:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 18:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2007-05-10 20:52 6,420 a------- d:\docume~1\thefam~1\applic~1\wklnhst.dat
2006-12-15 12:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 12:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 12:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 12:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 12:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-10-15 16:57 774,144 a------- c:\program files\RngInterstitial.dll
============= FINISH: 13:54:14.92 ===============
Hi,
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds.txt log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
OriginalMcBlood
2009-05-03, 22:30
Hello again and thanks.
DEP warning messages did not appear on combofix reboot.
Reports follow:
ComboFix 09-05-02.4 - The Family 03/05/2009 19:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.1936 [GMT 1:00]
Running from: d:\documents and settings\The Family\Desktop\ComboFix.exe
AV: ntl Netguard Anti-virus *On-access scanning disabled* (Updated)
FW: ntl Netguard Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\bceggMoq.ini
c:\windows\system32\drivers\services.exe
c:\windows\system32\isyhvxyp.dll
c:\windows\system32\khfCuVmm.dll
c:\windows\system32\mvyerpjt.dll
c:\windows\system32\vrqzew.dll
c:\windows\system32\vtUlMecY.dll
c:\windows\system32\wowfx.dll
d:\documents and settings\The Family\Start Menu\Programs\Startup\userinit.exe
d:\documents and settings\The Family\svchost.exe
.
((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.
2009-05-03 18:43 . 2009-05-03 18:43 -------- d-----w d:\documents and settings\All Users\Application Data\HP Product Assistant
2009-04-27 20:27 . 2009-04-27 20:27 -------- d-----w c:\program files\Trend Micro
2009-04-27 20:23 . 2009-04-27 20:23 -------- d-----w c:\program files\ERUNT
2009-04-27 19:37 . 2009-04-27 19:37 -------- d-----w c:\windows\system32\append.dll
2009-04-27 19:37 . 2009-04-27 19:37 -------- d-----w c:\windows\system32\xlib254.dll
2009-04-27 17:32 . 2009-04-27 17:39 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-27 17:32 . 2009-04-27 17:39 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 18:23 . 2009-04-21 18:23 -------- d-----w d:\documents and settings\The Family\Application Data\DriverCure
2009-04-21 18:23 . 2009-04-21 18:23 -------- d-----w d:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-21 18:23 . 2009-04-22 16:53 -------- d-----w d:\documents and settings\All Users\Application Data\DriverCure
2009-04-21 18:17 . 2009-04-21 18:17 -------- d-sh--w d:\documents and settings\The Family\IECompatCache
2009-04-21 18:07 . 2009-04-21 18:07 -------- d-sh--w d:\documents and settings\The Family\PrivacIE
2009-04-21 18:06 . 2009-04-21 18:06 -------- d-sh--w d:\documents and settings\NetworkService\IETldCache
2009-04-21 18:05 . 2009-04-21 18:05 -------- d-sh--w d:\documents and settings\LocalService\IETldCache
2009-04-21 18:04 . 2009-04-21 18:04 -------- d-sh--w d:\documents and settings\The Family\IETldCache
2009-04-21 18:01 . 2008-04-14 00:11 81920 ----a-w c:\windows\system32\ieencode.dll
2009-04-21 18:01 . 2009-04-21 18:01 -------- d-----w c:\windows\system32\MpEngineStore
2009-04-20 19:58 . 2009-04-20 19:58 -------- d-----w d:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-18 21:32 . 2006-08-22 17:19 90112 ------w d:\documents and settings\The Family\Application Data\nvsvc1024.dll
2009-04-18 21:32 . 2006-08-23 08:45 57344 ----a-w c:\windows\system32\digest32.dll
2009-04-16 20:38 . 2009-04-16 20:38 -------- d-----w d:\documents and settings\oblivion\Data
2009-04-16 20:38 . 2009-04-16 20:38 -------- d-----w d:\documents and settings\oblivion\lex
2009-04-16 20:38 . 2007-04-04 18:12 7491584 ----a-w d:\documents and settings\oblivion\TESConstructionSet.exe
2009-04-16 20:38 . 2005-02-18 10:23 212992 ----a-w d:\documents and settings\oblivion\ssce5432.dll
2009-04-16 20:38 . 2009-04-16 20:45 -------- d-----w d:\documents and settings\oblivion
2009-04-15 20:52 . 2009-04-15 20:52 -------- d-----w d:\documents and settings\The Family\Application Data\2K Sports
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 19:03 . 2006-10-10 20:56 230 ----a-w c:\windows\freedom.backup.dat
2009-05-03 19:01 . 2009-04-21 18:23 378 ----a-w c:\windows\Tasks\DriverCure.job
2009-05-03 19:01 . 2009-04-21 18:23 426 ----a-w c:\windows\Tasks\ParetoLogic Update Version2.job
2009-05-03 19:01 . 2004-08-10 16:04 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 12:44 . 2006-10-10 20:47 -------- d-----w c:\program files\Common Files\PestPatrol
2009-05-02 12:43 . 2006-10-10 20:47 -------- d-----w c:\program files\Common Files\Command Software
2009-04-25 21:57 . 2009-02-20 01:05 3152 ----a-w d:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-21 18:23 . 2009-04-21 18:23 404 ----a-w c:\windows\Tasks\ParetoLogic Registration.job
2009-04-20 19:45 . 2007-09-07 16:37 -------- d-----w c:\program files\EA GAMES
2009-04-18 19:49 . 2009-03-07 13:38 946 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2687666314-1017323166-2936280733-1006.job
2009-04-18 18:30 . 2009-03-07 20:41 248 ----a-w c:\windows\Tasks\Setup my PC.job
2009-04-16 20:38 . 2006-10-10 07:11 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-06 16:16 . 2008-10-08 17:52 34 ----a-w d:\documents and settings\The Family\jagex_runescape_preferences.dat
2009-03-25 11:05 . 2009-03-25 11:05 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-25 11:05 . 2009-03-25 11:03 -------- d-----w c:\program files\Common Files\Adobe
2009-03-21 12:29 . 2006-10-10 07:11 -------- d-----w c:\program files\Realtek
2009-03-20 21:45 . 2009-03-20 21:45 -------- d-----w c:\program files\Thrustmaster
2009-03-20 21:16 . 2009-01-17 18:05 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-20 21:15 . 2009-01-17 18:05 -------- d-----w c:\program files\AGEIA Technologies
2009-03-20 20:53 . 2009-03-20 20:53 -------- d-----w c:\program files\DIFX
2009-03-19 16:03 . 2009-03-19 16:03 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-07 20:41 . 2009-03-07 20:37 95344 ----a-w d:\documents and settings\The Family.049907920267.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-07 20:40 . 2009-03-07 20:40 150 ----a-w d:\documents and settings\The Family.049907920267.000\Local Settings\Application Data\fusioncache.dat
2009-02-20 12:31 . 2006-10-09 23:32 95344 ----a-w d:\documents and settings\The Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-11 23:17 . 2009-02-11 23:17 4304 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-02-09 11:13 . 2004-08-10 15:38 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-03 17:32 . 2006-09-28 11:32 18085888 ----a-w c:\windows\RTHDCPL.EXE
2009-02-03 17:22 . 2006-09-28 11:32 5030912 ----a-w c:\windows\system32\drivers\RtkHDAud.sys
2009-02-03 16:35 . 2009-03-21 12:29 35840 ----a-w c:\windows\system32\RtkCoInstXP.dll
2006-10-15 15:57 . 2006-10-15 20:00 774144 ----a-w c:\program files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\apps\SMP\SmpSys.exe" [2005-11-17 975360]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"kdx"="c:\program files\Kontiki\KHost.exe" [2006-11-08 1040832]
"Google Update"="d:\documents and settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-07 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2006-02-23 147456]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"Motive SmartBridge"="c:\progra~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 380928]
"ntl Netguard"="c:\program files\ntl\ntl Netguard\RPS.exe" [2005-07-05 229376]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-18 282624]
"4oD"="c:\program files\Kontiki\KHost.exe" [2006-11-08 1040832]
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-05-08 69632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-08 185896]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-03 18085888]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
d:\documents and settings\The Family\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
d:\documents and settings\All Users\Start Menu\Programs\Startup\
broadband medic.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe [2006-10-10 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-12-11 2322432]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll, digest32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AOL 9.0\\aol.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"d:\\Documents and Settings\\The Family\\My Documents\\Downloads\\WoW-enGB-Installer-downloader.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"4719:TCP"= 4719:TCP:4719
R1 icyvjrws;icyvjrws; [x]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
R3 cel90xbe;cel90xbe; [x]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys [2007-10-09 38144]
S2 FWS;Radialpoint Service;c:\program files\ntl\ntl Netguard\fws.exe [2005-07-05 274432]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\Drivers\toywdm.sys [2004-06-04 70888]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v3.sys [2007-12-28 287232]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0968251a-9bb6-11dd-a0b1-001e2aaf0479}]
\Shell\AutoRun\command - J:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ccdf9fd-fca0-11db-9be0-0017316f265c}]
\Shell\AutoRun\command - l:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2687666314-1017323166-2936280733-1006.job
- d:\documents and settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-07 13:38]
2009-04-18 c:\windows\Tasks\Setup my PC.job
- c:\apps\SMP\PCSETUP.EXE [2005-11-17 09:03]
.
- - - - ORPHANS REMOVED - - - -
BHO-{ee16ce5a-a23c-4591-be45-cd87af77b015} - c:\windows\system32\vrqzew.dll
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
ShellExecuteHooks-{48da334f-ec09-4b98-b419-ad5bd76c29aa} - c:\windows\system32\vrqzew.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 20:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2687666314-1017323166-2936280733-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-2687666314-1017323166-2936280733-1006\Software\SecuROM\License information*]
"datasecu"=hex:6a,b8,24,27,32,5c,ae,29,48,f4,7e,8a,3a,ca,02,ad,ed,48,f1,c3,ba,
d8,05,92,a0,0d,49,76,f6,72,92,04,b1,2f,00,af,95,cc,fc,da,e2,00,05,e5,09,95,\
"rkeysecu"=hex:36,4e,91,58,c0,fd,da,b0,58,97,27,be,96,e2,71,a0
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1308)
c:\windows\system32\wininet.dll
- - - - - - - > 'explorer.exe'(3068)
c:\progra~1\ntl\BROADB~1\SMARTB~1\SBHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\apps\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\windows\system32\searchindexer.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\apps\ABOARD\AOSD.EXE
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\ntl\broadband medic\bin\mpbtn.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-05-03 20:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-03 19:08
Pre-Run: 3,335,065,600 bytes free
Post-Run: 3,214,286,848 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
266 --- E O F --- 2009-04-18 12:54
DDS report:
DDS (Ver_09-03-16.01) - NTFSx86
Run by The Family at 20:18:00.42 on 03/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.1842 [GMT 1:00]
AV: ntl Netguard Anti-virus *On-access scanning enabled* (Updated)
FW: ntl Netguard Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ntl\ntl Netguard\fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\APPS\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\ntl\ntl Netguard\Rps.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\The Family\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\ntl\ntl netguard\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZKBho Class: {56071e0d-c61b-11d3-b41c-00e02927a304} - c:\program files\ntl\ntl netguard\FBHR.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SmpcSys] c:\apps\smp\SmpSys.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Google Update] "d:\documents and settings\the family\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\ntl\broadb~1\smartb~1\MotiveSB.exe
mRun: [ntl Netguard] "c:\program files\ntl\ntl netguard\RPS.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\broadb~1.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - hxxp://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll, digest32.dll
============= SERVICES / DRIVERS ===============
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 FWS;Radialpoint Service;c:\program files\ntl\ntl netguard\fws.exe [2005-7-5 274432]
R3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S1 icyvjrws;icyvjrws;\??\c:\windows\system32\drivers\icyvjrws.sys --> c:\windows\system32\drivers\icyvjrws.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-21 1684736]
S3 cel90xbe;cel90xbe;\??\d:\docume~1\thefam~1\locals~1\temp\cel90xbe.sys --> d:\docume~1\thefam~1\locals~1\temp\cel90xbe.sys [?]
=============== Created Last 30 ================
2009-05-03 19:56 161,792 a------- c:\windows\SWREG.exe
2009-05-03 19:56 98,816 a------- c:\windows\sed.exe
2009-05-01 18:15 <DIR> a-dshr-- C:\autorun.inf
2009-04-27 21:27 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 20:37 <DIR> --d----- c:\windows\system32\xlib254.dll
2009-04-27 20:37 <DIR> --d----- c:\windows\system32\append.dll
2009-04-27 18:32 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-27 18:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-25 14:21 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-25 14:21 1,409 a------- c:\windows\QTFont.for
2009-04-21 19:23 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DriverCure
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DriverCure
2009-04-21 19:17 <DIR> --dsh--- d:\documents and settings\the family\IECompatCache
2009-04-21 19:07 <DIR> --dsh--- d:\documents and settings\the family\PrivacIE
2009-04-21 19:04 <DIR> --dsh--- d:\documents and settings\the family\IETldCache
2009-04-21 19:01 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-21 19:01 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-04-18 22:32 90,112 -------- d:\docume~1\thefam~1\applic~1\nvsvc1024.dll
2009-04-18 22:32 57,344 a------- c:\windows\system32\digest32.dll
2009-04-15 21:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\2K Sports
==================== Find3M ====================
2009-04-06 17:16 34 a------- d:\documents and settings\the family\jagex_runescape_preferences.dat
2009-02-12 00:17 4,304 a------- c:\windows\system32\ealregsnapshot1.reg
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-03 18:32 18,085,888 a------- c:\windows\RTHDCPL.EXE
2009-02-03 17:35 35,840 a------- c:\windows\system32\RtkCoInstXP.dll
2007-12-28 16:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 15:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 18:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 18:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2007-05-10 20:52 6,420 a------- d:\docume~1\thefam~1\applic~1\wklnhst.dat
2006-12-15 12:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 12:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 12:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 12:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 12:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-10-15 16:57 774,144 a------- c:\program files\RngInterstitial.dll
============= FINISH: 20:18:17.43 ===============
Other report attached.
Hi again,
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Upload following files (if found) to http://www.virustotal.com and post back the results:
c:\windows\system32\digest32.dll
c:\windows\system32\snapapi32.dll
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
icyvjrws
cel90xbe
DDS::
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
File::
C:\WINDOWS\TEMP\System.exe
C:\WINDOWS\csauie1.ocx
D:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B0D69EF.wmf
D:\Documents and Settings\The Family\Application Data\nvsvc1024.dll
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\25\650d0659-68161e1c
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-75a95481
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-6f01188c
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-3450a110.zip
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-52495110.zip
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-4fb0852d.zip
K:\My Documents 2\Downloads 2\downloaded stuff originals\Pro Evolution Soccer 2009 crack - [ pes2009.exe ].exe Infected: Trojan.Win32.VB.kki 1
K:\Programs 2\KONAMI\Pro Evolution 2009\cracked exe(s)\Pro Evolution Soccer 2009 crack - [ pes2009.exe ].exe
c:\windows\system32\drivers\icyvjrws.sys
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Empty recycler bin.
Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader!
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 13 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
OriginalMcBlood
2009-05-04, 17:13
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
icyvjrws
cel90xbe
DDS::
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
File::
C:\WINDOWS\TEMP\System.exe
C:\WINDOWS\csauie1.ocx
D:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B0D69EF.wmf
D:\Documents and Settings\The Family\Application Data\nvsvc1024.dll
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\25\650d0659-68161e1c
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-75a95481
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-6f01188c
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-3450a110.zip
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-52495110.zip
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-4fb0852d.zip
K:\My Documents 2\Downloads 2\downloaded stuff originals\Pro Evolution Soccer 2009 crack - [ pes2009.exe ].exe Infected: Trojan.Win32.VB.kki 1
K:\Programs 2\KONAMI\Pro Evolution 2009\cracked exe(s)\Pro Evolution Soccer 2009 crack - [ pes2009.exe ].exe
c:\windows\system32\drivers\icyvjrws.sys
Save this as
CFScript
As instructed I unistalled and deleted programs and files that may compromise the security of the PC.
As mentioned in an earlier post I ran another KOS after this and as K appeared to be clean I disconnected it from the PC. The script above includes an address to a drive which is no longer there and also a file which no longer exists deleted and deleted from recycle bin.
More than happy to reconnect drive if needed or do you wish me to omit these lines of code from the script. Or will it be fine with these lines in. The potential for combo fix to seriously damage the computer scares me and I do not want to make any errors.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox (http://forums.spybot.info/vbglossar.php?do=showentry&item=Firefox):
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera (http://forums.spybot.info/vbglossar.php?do=showentry&item=Opera):
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
At the minute I have 2 browsers on that machine I.E7 and Google Chrome therefore neither Firefox or opera. Although I plan to switch to firefox when the pc is secure.
I currently have no access to the infected machine so this part of the message may be redundant but I wanted to query before I go and follow your instructions on the infected pc.
Also I though I had the latest versions of Java and Adobe as I update all of this type of software on at least a monthly basis in my maintenance routine virus, spyware scans, defrag and applicable updates. I do it mainly to prevent this type of vunerability but maybe something has gone wrong in the updates!
Will follow instructions when I have access to the machine later today will post when complete but the KOS took approximately 5 hours the first time and 7 hours the second time but should be less if K does not need to be scanned as this held the majority of the files.
Thanks
OriginalMcBlood
2009-05-04, 20:52
Hello I have done the virus total scan results are attached.
I have also updated Java and Adobe as requested, although adobe reader appeared to be the same version 9.1.
I have also used ATF so ignore question regarding this in previous post.
All I need now is clarification with regards to the cfs script for use with combofix and I will run this, dds and KOS and post.
as always thank you.
Hi
You can leave those K: drive related items off the cfscript.
OriginalMcBlood
2009-05-04, 22:44
Hi please find logs below and attached will post kos when completed.
ComboFix 09-05-02.4 - The Family 04/05/2009 20:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.1991 [GMT 1:00]
Running from: d:\documents and settings\The Family\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\The Family\Desktop\CFScript.txt
AV: ntl Netguard Anti-virus *On-access scanning disabled* (Updated)
FW: ntl Netguard Firewall *disabled*
FILE ::
c:\windows\csauie1.ocx
c:\windows\system32\drivers\icyvjrws.sys
c:\windows\TEMP\System.exe
d:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B0D69EF.wmf
d:\documents and settings\The Family\Application Data\nvsvc1024.dll
d:\documents and settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\25\650d0659-68161e1c
d:\documents and settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-75a95481
d:\documents and settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-6f01188c
d:\documents and settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-3450a110.zip
d:\documents and settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-52495110.zip
d:\documents and settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-4fb0852d.zip
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\csauie1.ocx
d:\documents and settings\The Family\Application Data\nvsvc1024.dll
d:\documents and settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\25\650d0659-68161e1c
d:\documents and settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-75a95481
d:\documents and settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-6f01188c
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CEL90XBE
-------\Service_cel90xbe
-------\Service_icyvjrws
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.
2009-05-04 17:12 . 2009-05-04 17:12 -------- d-----w c:\program files\Common Files\Adobe
2009-05-03 18:43 . 2009-05-03 18:43 -------- d-----w d:\documents and settings\All Users\Application Data\HP Product Assistant
2009-04-27 20:27 . 2009-04-27 20:27 -------- d-----w c:\program files\Trend Micro
2009-04-27 20:23 . 2009-04-27 20:23 -------- d-----w c:\program files\ERUNT
2009-04-27 19:37 . 2009-04-27 19:37 -------- d-----w c:\windows\system32\append.dll
2009-04-27 19:37 . 2009-04-27 19:37 -------- d-----w c:\windows\system32\xlib254.dll
2009-04-27 17:32 . 2009-04-27 17:39 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-27 17:32 . 2009-04-27 17:39 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 18:23 . 2009-04-21 18:23 -------- d-----w d:\documents and settings\The Family\Application Data\DriverCure
2009-04-21 18:23 . 2009-04-21 18:23 -------- d-----w d:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-21 18:23 . 2009-04-22 16:53 -------- d-----w d:\documents and settings\All Users\Application Data\DriverCure
2009-04-21 18:17 . 2009-04-21 18:17 -------- d-sh--w d:\documents and settings\The Family\IECompatCache
2009-04-21 18:07 . 2009-04-21 18:07 -------- d-sh--w d:\documents and settings\The Family\PrivacIE
2009-04-21 18:06 . 2009-04-21 18:06 -------- d-sh--w d:\documents and settings\NetworkService\IETldCache
2009-04-21 18:05 . 2009-04-21 18:05 -------- d-sh--w d:\documents and settings\LocalService\IETldCache
2009-04-21 18:04 . 2009-04-21 18:04 -------- d-sh--w d:\documents and settings\The Family\IETldCache
2009-04-21 18:01 . 2008-04-14 00:11 81920 ----a-w c:\windows\system32\ieencode.dll
2009-04-21 18:01 . 2009-04-21 18:01 -------- d-----w c:\windows\system32\MpEngineStore
2009-04-20 19:58 . 2009-04-20 19:58 -------- d-----w d:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-18 21:32 . 2006-08-23 08:45 57344 ----a-w c:\windows\system32\digest32.dll
2009-04-16 20:38 . 2009-04-16 20:38 -------- d-----w d:\documents and settings\oblivion\Data
2009-04-16 20:38 . 2009-04-16 20:38 -------- d-----w d:\documents and settings\oblivion\lex
2009-04-16 20:38 . 2007-04-04 18:12 7491584 ----a-w d:\documents and settings\oblivion\TESConstructionSet.exe
2009-04-16 20:38 . 2005-02-18 10:23 212992 ----a-w d:\documents and settings\oblivion\ssce5432.dll
2009-04-16 20:38 . 2009-04-16 20:45 -------- d-----w d:\documents and settings\oblivion
2009-04-15 20:52 . 2009-04-15 20:52 -------- d-----w d:\documents and settings\The Family\Application Data\2K Sports
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 19:09 . 2006-10-10 20:56 230 ----a-w c:\windows\freedom.backup.dat
2009-05-04 19:07 . 2004-08-10 16:04 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-04 18:30 . 2009-03-07 20:41 248 ----a-w c:\windows\Tasks\Setup my PC.job
2009-05-04 18:27 . 2009-03-07 13:38 946 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2687666314-1017323166-2936280733-1006.job
2009-05-04 17:36 . 2006-10-10 07:11 -------- d-----w c:\program files\Java
2009-05-04 17:31 . 2008-12-22 13:41 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-03 19:01 . 2009-04-21 18:23 378 ----a-w c:\windows\Tasks\DriverCure.job
2009-05-03 19:01 . 2009-04-21 18:23 426 ----a-w c:\windows\Tasks\ParetoLogic Update Version2.job
2009-05-02 12:44 . 2006-10-10 20:47 -------- d-----w c:\program files\Common Files\PestPatrol
2009-05-02 12:43 . 2006-10-10 20:47 -------- d-----w c:\program files\Common Files\Command Software
2009-04-25 21:57 . 2009-02-20 01:05 3152 ----a-w d:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-21 18:23 . 2009-04-21 18:23 404 ----a-w c:\windows\Tasks\ParetoLogic Registration.job
2009-04-20 19:45 . 2007-09-07 16:37 -------- d-----w c:\program files\EA GAMES
2009-04-16 20:38 . 2006-10-10 07:11 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-06 16:16 . 2008-10-08 17:52 34 ----a-w d:\documents and settings\The Family\jagex_runescape_preferences.dat
2009-03-25 11:05 . 2009-03-25 11:05 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-21 12:29 . 2006-10-10 07:11 -------- d-----w c:\program files\Realtek
2009-03-20 21:45 . 2009-03-20 21:45 -------- d-----w c:\program files\Thrustmaster
2009-03-20 21:16 . 2009-01-17 18:05 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-20 21:15 . 2009-01-17 18:05 -------- d-----w c:\program files\AGEIA Technologies
2009-03-20 20:53 . 2009-03-20 20:53 -------- d-----w c:\program files\DIFX
2009-03-19 16:03 . 2009-03-19 16:03 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-07 20:41 . 2009-03-07 20:37 95344 ----a-w d:\documents and settings\The Family.049907920267.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-07 20:40 . 2009-03-07 20:40 150 ----a-w d:\documents and settings\The Family.049907920267.000\Local Settings\Application Data\fusioncache.dat
2009-02-20 12:31 . 2006-10-09 23:32 95344 ----a-w d:\documents and settings\The Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-11 23:17 . 2009-02-11 23:17 4304 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-02-09 11:13 . 2004-08-10 15:38 1846784 ----a-w c:\windows\system32\win32k.sys
2006-10-15 15:57 . 2006-10-15 20:00 774144 ----a-w c:\program files\RngInterstitial.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-03_19.03.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-05-03 19:02 . 2009-05-03 19:02 32768 c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-04 19:08 . 2009-05-04 19:08 32768 c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-04 18:14 . 2009-05-04 18:14 16384 c:\windows\Temp\Perflib_Perfdata_524.dat
+ 2009-05-04 19:07 . 2009-05-04 19:07 16384 c:\windows\Temp\Perflib_Perfdata_2e4.dat
+ 2009-05-04 19:07 . 2009-05-04 19:07 16384 c:\windows\Temp\Perflib_Perfdata_2cc.dat
+ 2009-05-04 19:08 . 2009-05-04 19:08 16384 c:\windows\Temp\History\History.IE5\index.dat
- 2009-05-03 19:02 . 2009-05-03 19:02 16384 c:\windows\Temp\History\History.IE5\index.dat
+ 2009-05-04 19:08 . 2009-05-04 19:08 16384 c:\windows\Temp\Cookies\index.dat
- 2009-05-03 19:02 . 2009-05-03 19:02 16384 c:\windows\Temp\Cookies\index.dat
- 2006-10-09 23:24 . 2009-05-03 19:01 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-10-09 23:24 . 2009-05-04 19:07 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-10-09 23:24 . 2009-05-03 19:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-10-09 23:24 . 2009-05-04 19:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-09 23:24 . 2009-05-03 19:01 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-10-09 23:24 . 2009-05-04 19:07 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-18 21:56 . 2006-09-05 14:27 581632 c:\windows\system32\snapapi32.dll
+ 2009-02-18 21:56 . 2006-08-31 15:42 581632 c:\windows\system32\snapapi32.dll
+ 2009-05-04 17:31 . 2009-05-04 17:31 148888 c:\windows\system32\javaws.exe
- 2008-12-22 13:41 . 2008-12-22 13:41 148888 c:\windows\system32\javaws.exe
- 2008-12-22 13:41 . 2008-12-22 13:41 144792 c:\windows\system32\javaw.exe
+ 2009-05-04 17:31 . 2009-05-04 17:31 144792 c:\windows\system32\javaw.exe
- 2008-12-22 13:41 . 2008-12-22 13:41 144792 c:\windows\system32\java.exe
+ 2009-05-04 17:31 . 2009-05-04 17:31 144792 c:\windows\system32\java.exe
+ 2009-05-04 16:44 . 2009-05-04 16:44 544768 c:\windows\ERDNT\AutoBackup\04-05-2009\Users\00000002\UsrClass.dat
+ 2009-05-04 16:44 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\04-05-2009\ERDNT.EXE
+ 2009-05-04 16:44 . 2009-05-04 16:44 11935744 c:\windows\ERDNT\AutoBackup\04-05-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}]
2005-07-05 14:30 135168 ----a-w c:\program files\ntl\ntl Netguard\FBHR.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2009-05-04 17:31 320920 ----a-w c:\program files\Java\jre6\bin\ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
2009-02-17 16:11 408440 ----a-w c:\program files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2009-05-04 17:31 35840 ----a-w c:\program files\Java\jre6\bin\jp2ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
2009-05-04 17:31 73728 ----a-w c:\program files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\apps\SMP\SmpSys.exe" [2005-11-17 975360]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"kdx"="c:\program files\Kontiki\KHost.exe" [2006-11-08 1040832]
"Google Update"="d:\documents and settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-07 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2006-02-23 147456]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"Motive SmartBridge"="c:\progra~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 380928]
"ntl Netguard"="c:\program files\ntl\ntl Netguard\RPS.exe" [2005-07-05 229376]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-18 282624]
"4oD"="c:\program files\Kontiki\KHost.exe" [2006-11-08 1040832]
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-05-08 69632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-08 185896]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-04 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-03 18085888]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
d:\documents and settings\The Family\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
d:\documents and settings\All Users\Start Menu\Programs\Startup\
broadband medic.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe [2006-10-10 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-12-11 2322432]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2008-12-20 233472]
"UPnPMonitor"= {e57ce738-33e8-4c51-8354-bb4de9d215d1} - c:\windows\system32\upnpui.dll [2008-04-14 239616]
"WPDShServiceObj"= {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll, digest32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AOL 9.0\\aol.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"d:\\Documents and Settings\\The Family\\My Documents\\Downloads\\WoW-enGB-Installer-downloader.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"4719:TCP"= 4719:TCP:4719
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys [2007-10-09 38144]
S2 FWS;Radialpoint Service;c:\program files\ntl\ntl Netguard\fws.exe [2005-07-05 274432]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\Drivers\toywdm.sys [2004-06-04 70888]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v3.sys [2007-12-28 287232]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0968251a-9bb6-11dd-a0b1-001e2aaf0479}]
\Shell\AutoRun\command - J:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ccdf9fd-fca0-11db-9be0-0017316f265c}]
\Shell\AutoRun\command - l:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2687666314-1017323166-2936280733-1006.job
- d:\documents and settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-07 13:38]
2009-05-04 c:\windows\Tasks\Setup my PC.job
- c:\apps\SMP\PCSETUP.EXE [2005-11-17 09:03]
.
- - - - ORPHANS REMOVED - - - -
SharedTaskScheduler-{8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\system32\browseui.dll
ShellExecuteHooks-{AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll
SSODL-PostBootReminder-{7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
IE: {{92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\MICROS~3\OFFICE11\REFIEBAR.DLL
IE: {{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {{DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} -
Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - c:\progra~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\HP\hpcoretech\comp\hpuiprot.dll
Handler: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - c:\progra~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
Handler: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - c:\progra~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
Handler: sysimage - {76E67A63-06E9-11D2-A840-006008059382} -
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
Name-Space Handler: mk\* - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - hxxp://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 20:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2687666314-1017323166-2936280733-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-2687666314-1017323166-2936280733-1006\Software\SecuROM\License information*]
"datasecu"=hex:6a,b8,24,27,32,5c,ae,29,48,f4,7e,8a,3a,ca,02,ad,ed,48,f1,c3,ba,
d8,05,92,a0,0d,49,76,f6,72,92,04,b1,2f,00,af,95,cc,fc,da,e2,00,05,e5,09,95,\
"rkeysecu"=hex:36,4e,91,58,c0,fd,da,b0,58,97,27,be,96,e2,71,a0
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2908)
c:\progra~1\ntl\BROADB~1\SMARTB~1\SBHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\apps\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\windows\system32\searchindexer.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\apps\ABOARD\AOSD.EXE
c:\windows\system32\searchprotocolhost.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-05-04 20:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 19:13
ComboFix2.txt 2009-05-03 19:09
Pre-Run: 3,098,062,848 bytes free
Post-Run: 3,089,707,008 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
353 --- E O F --- 2009-04-18 12:54
DDS (Ver_09-03-16.01) - NTFSx86
Run by The Family at 20:21:45.34 on 04/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.1973 [GMT 1:00]
AV: ntl Netguard Anti-virus *On-access scanning disabled* (Updated)
FW: ntl Netguard Firewall *disabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ntl\ntl Netguard\fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\APPS\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Documents and Settings\The Family\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\ntl\ntl netguard\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZKBho Class: {56071e0d-c61b-11d3-b41c-00e02927a304} - c:\program files\ntl\ntl netguard\FBHR.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SmpcSys] c:\apps\smp\SmpSys.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Google Update] "d:\documents and settings\the family\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\ntl\broadb~1\smartb~1\MotiveSB.exe
mRun: [ntl Netguard] "c:\program files\ntl\ntl netguard\RPS.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\broadb~1.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - hxxp://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll, digest32.dll
============= SERVICES / DRIVERS ===============
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 FWS;Radialpoint Service;c:\program files\ntl\ntl netguard\fws.exe [2005-7-5 274432]
R3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-21 1684736]
=============== Created Last 30 ================
2009-05-03 19:56 161,792 a------- c:\windows\SWREG.exe
2009-05-03 19:56 98,816 a------- c:\windows\sed.exe
2009-05-01 18:15 <DIR> a-dshr-- C:\autorun.inf
2009-04-27 21:27 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 20:37 <DIR> --d----- c:\windows\system32\xlib254.dll
2009-04-27 20:37 <DIR> --d----- c:\windows\system32\append.dll
2009-04-27 18:32 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-27 18:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-25 14:21 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-25 14:21 1,409 a------- c:\windows\QTFont.for
2009-04-21 19:23 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DriverCure
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DriverCure
2009-04-21 19:17 <DIR> --dsh--- d:\documents and settings\the family\IECompatCache
2009-04-21 19:07 <DIR> --dsh--- d:\documents and settings\the family\PrivacIE
2009-04-21 19:04 <DIR> --dsh--- d:\documents and settings\the family\IETldCache
2009-04-21 19:01 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-21 19:01 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-04-18 22:32 57,344 a------- c:\windows\system32\digest32.dll
2009-04-15 21:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\2K Sports
==================== Find3M ====================
2009-05-04 18:31 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 17:16 34 a------- d:\documents and settings\the family\jagex_runescape_preferences.dat
2009-02-12 00:17 4,304 a------- c:\windows\system32\ealregsnapshot1.reg
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2007-12-28 16:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 15:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 18:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 18:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2007-05-10 20:52 6,420 a------- d:\docume~1\thefam~1\applic~1\wklnhst.dat
2006-12-15 12:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 12:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 12:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 12:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 12:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-10-15 16:57 774,144 a------- c:\program files\RngInterstitial.dll
============= FINISH: 20:21:56.75 ===============
OriginalMcBlood
2009-05-05, 01:13
oh well this is interesting infected objects has increased from 45 when I last ran KOS, after uninstalling and deleting files that compromised security (not posted), to 392 on this scan after it has been treated to a good cleaning.
I hope this is it getting worse before it gets better phase!
Here is the KOS log
Cheers Original McBlood
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 4, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 04, 2009 21:19:49
Records in database: 2130243
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan statistics:
Files scanned: 111104
Threat name: 7
Infected objects: 392
Suspicious objects: 1
Duration of the scan: 02:14:43
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\csauie1.ocx.vir Infected: not-a-virus:AdWare.Win32.Coupons.u 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\services.exe.vir Infected: Backdoor.Win32.SdBot.jpe 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\isyhvxyp.dll.vir Infected: Packed.Win32.Krap.n 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\khfCuVmm.dll.vir Infected: Trojan-Downloader.Win32.BHO.kml 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mvyerpjt.dll.vir Infected: Packed.Win32.Krap.n 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vrqzew.dll.vir Infected: Packed.Win32.Krap.n 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vtUlMecY.dll.vir Infected: Trojan-Downloader.Win32.BHO.kml 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wowfx.dll.vir Infected: Trojan.Win32.Agent.alos 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_wowfx_.dll.zip Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP722\A0260522.dll Infected: Trojan.Win32.BHO.hxd 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260542.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260544.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260545.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260546.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260547.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260548.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260549.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260550.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260551.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260552.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260557.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260558.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260559.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260560.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260561.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260563.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260564.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260565.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260566.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260568.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260569.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260570.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260571.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260572.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260573.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260574.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260575.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260576.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260577.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260578.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260579.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260586.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260587.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260588.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260589.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260590.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260591.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260592.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260593.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260594.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260595.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260596.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260597.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260598.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260599.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260600.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260601.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260602.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260603.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260604.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260605.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260606.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260607.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260608.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260609.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260610.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260611.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260612.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260613.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260614.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260615.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260616.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260620.dll Infected: Packed.Win32.Krap.n 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260621.dll Infected: Trojan-Downloader.Win32.BHO.kml 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260622.dll Infected: Packed.Win32.Krap.n 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-1.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-10.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-100.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-101.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-102.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-103.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-104.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-105.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-106.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-107.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-108.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-109.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-11.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-110.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-111.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-112.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-113.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-114.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-115.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-116.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-117.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-118.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-119.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-12.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-120.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-121.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-122.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-123.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-124.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-125.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-126.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-127.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-128.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-129.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-13.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-130.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-131.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-132.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-133.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-134.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-14.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-15.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-16.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-17.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-18.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-19.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-2.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-20.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-21.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-22.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-23.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-24.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-25.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-26.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-27.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-28.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-29.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-3.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-30.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-31.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-32.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-33.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-34.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-35.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-36.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-37.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-38.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-39.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-4.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-40.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-41.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-42.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-43.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-44.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-45.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-46.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-47.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-48.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-49.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-5.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-50.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-51.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-52.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-53.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-54.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-55.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-56.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-57.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-58.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-59.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-6.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-60.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-61.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-62.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-63.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-64.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-65.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-66.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-67.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-68.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-69.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-7.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-70.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-71.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-72.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-73.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-74.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-75.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-76.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-77.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-78.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-79.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-8.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-80.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-81.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-82.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-83.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-84.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-85.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-86.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-87.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-88.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-89.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-9.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-90.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-91.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-92.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-93.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-94.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-95.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-96.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-97.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-98.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\snapshot\MFEX-99.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP724\A0261972.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP724\A0262023.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP724\snapshot\MFEX-1.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\A0263169.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\A0263178.exe Infected: Backdoor.Win32.SdBot.jpe 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\A0263205.dll Infected: Packed.Win32.Krap.n 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\A0263206.dll Infected: Trojan-Downloader.Win32.BHO.kml 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\A0263207.dll Infected: Packed.Win32.Krap.n 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\A0263208.dll Infected: Packed.Win32.Krap.n 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\A0263209.dll Infected: Trojan-Downloader.Win32.BHO.kml 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\A0263222.dll Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-1.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-10.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-100.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-101.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-102.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-103.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-104.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-105.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-106.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-107.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-108.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-109.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-11.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-110.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-111.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-112.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-113.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-114.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-115.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-116.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-117.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-118.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-119.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-12.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-120.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-121.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-122.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-123.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-124.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-125.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-126.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-127.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-128.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-129.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-13.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-130.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-131.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-132.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-133.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-134.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-135.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-136.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-137.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-138.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-139.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-14.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-140.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-141.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-142.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-143.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-144.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-145.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-146.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-147.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-148.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-149.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-15.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-150.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-151.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-152.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-153.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-154.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-155.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-156.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-157.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-158.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-159.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-16.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-160.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-161.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-162.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-163.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-164.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-165.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-166.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-167.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-168.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-169.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-17.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-170.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-171.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-18.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-19.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-2.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-20.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-21.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-22.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-23.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-24.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-25.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-26.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-27.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-28.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-29.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-3.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-30.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-31.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-32.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-33.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-34.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-35.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-36.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-37.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-38.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-39.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-4.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-40.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-41.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-42.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-43.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-44.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-45.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-46.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-47.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-48.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-49.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-5.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-50.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-51.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-52.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-53.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-54.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-55.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-56.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-57.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-58.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-59.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-6.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-60.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-61.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-62.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-63.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-64.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-65.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-66.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-67.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-68.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-69.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-7.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-70.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-71.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-72.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-73.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-74.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-75.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-76.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-77.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-78.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-79.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-8.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-80.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-81.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-82.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-83.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-84.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-85.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-86.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-87.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-88.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-89.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-9.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-90.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-91.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-92.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-93.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-94.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-95.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-96.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-97.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-98.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\snapshot\MFEX-99.DAT Infected: Trojan.Win32.Agent.alos 1
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP732\A0264034.ocx Infected: not-a-virus:AdWare.Win32.Coupons.u 1
D:\Documents and Settings\The Family\Local Settings\Application Data\Identities\{D688B133-BB08-44AA-9610-0788232F351C}\Microsoft\Outlook Express\Dylan.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
The selected area was scanned.
Hi
Most of those bad findings are in system restore and ComboFix quarantined items.
Go thru email messages in following mail box and delete suspicious looking ones:
D:\Documents and Settings\The Family\Local Settings\Application Data\Identities\{D688B133-BB08-44AA-9610-0788232F351C}\Microsoft\Outlook Express\Dylan.dbx
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file & dds.txt file contents in your next reply. How's the system running?
OriginalMcBlood
2009-05-05, 18:07
The system runs fine. That was never an issue but with 2 gb of ram and a 3 ghz dual core surfing will practically not even register.
As it is in the process of being cleaned at the moment I have not used it with the exception of what you have requested and the cleaning process.
One thing that has resulted from the work so far is that a few days before my first post on this thread on boot up MS DEP kicked in and it would throw up about 5 - 10 DDM proxy messages program shut down ( access protected areas, blah blah). These could just be closed and everything ran fine. They do not appear at all now. I take this as an indication that potentially the most dangerous infection has been irradicated.
These DDM proxy messages were the reason I DLed Spybot and the resulting scan results prompted the post.
I have never had a problem with this machine performance wise. The registry could do with a clean out, some missing Dlls for one of the smartbridges but that is to be expected after 3-4 years of use. I could do with updating some of my drivers but I can not find a source that I trust 100% and I am not 100% which drivers are needed, got all the standard ones up to date GPU, sound, peripherals etc but some of the more less obvious I am sure need updating.
I have a realtime CPU and RAM usage indicator in my task bar at all times and I have not seen any increase in the usage of either over the last few days/ weeks.
The Pc as I said seemed to be 100% clean until the DEP kicked in. This now just makes me wonder how long stuff has been hiding in here. As I said I like to keep this pc in shape and it is scanned (defrag, software update etc..) at a minimum monthly but more often weekly if not more with my anti virus/spyware.
I will follow instructions and post results when I have access to the infected machine later today.
cheers.
OriginalMcBlood
2009-05-05, 23:01
okay here you go:
logs are too long to post so all attached, too big to attach so zipped and attached
over 1000 infected files found and most of them outwith quarantine.
Hi again,
This (http://forums.spybot.info/showthread.php?t=279) topic may give you some idea what reason might had led to the infection.
Uninstall Macromedia Flash Player 8 and get the latest one here (http://www.adobe.com/go/getflash).
Any symptoms left?
OriginalMcBlood
2009-05-06, 00:29
unfortunately yes.
started a second malware bytes scan after posting scans. It finished about 10 mins ago and 2 infected files showed up one was snapapi.dll and I can not remeber the other I did not delete I just exited out of malware bytes because I did not want to clear anything with out your okay incase it messed up the cleaning process.
Should I run malware bytes again keep the log and just delete and check with another scan?
thanks.
Hi
Yes, run scan again and let it quarantine all findings. Post back the report & a fresh dds.txt log.
OriginalMcBlood
2009-05-06, 21:01
Slightly different from your instructions ran a scan quarantined and deleted before you posted sorry.
Anyway here are the logs:
Malwarebytes' Anti-Malware 1.36
Database version: 2078
Windows 5.1.2600 Service Pack 3
05/05/2009 23:54:04
mbam-log-2009-05-05 (23-54-04).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 222831
Time elapsed: 1 hour(s), 16 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: snapapi32.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\snapapi32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
Looks better again. How's the system performing?
OriginalMcBlood
2009-05-07, 18:56
I spent approximately 10 hours yesterday running alternate spybot, MBAM scan cycles and each app would find between 1 and 6 infected items, files or other. Most commonly these were registry items. It was different infection types each time, video egg and win32 being the most common. The apps would then state that the infections were successfully quarantined and deleted only for more to show up on the next scan.
On about the 4th cycle spybot turned up clean, hooray but then on the MBAM part of the cycle infections were found, quarantined and deleted. So I carried on cycling the scans. Spybot round 5, clean, okay good so far; MBAM round 5 clean.
Hooray!:2thumb:
I'll run another cycle of both scans later today but it is looking good. I have updated everything. I will install secunia PSI and file hippo, switch to firefox as a browser and lock it down tight and double check the info from your last post for the best ways to avoid this again and software to use etc Everything should be plain sailing from here.
Thanks alot for all your help on this I know this has been a particulary long one. It really is appreciated.Feel free to have warm happy feeling inside and a sense of true philanthrophy.
So in the words of Douglas Adams "so long and thanks for all the fish"
OriginalMcBlood.
You're welcome :) Before I give you all clean with final instructions (uninstalling ComboFix etc) I want to see if anything bad still shows up. Please let me know in a few days how the things are and post a fresh dds.txt log then.
OriginalMcBlood
2009-05-10, 17:25
Hello,
unfortunately I'm back again. I have gone back to using the pc as normal. I have ran a number of scans over the last few days and the results are interesting.
They seem to have an almost random nature sometimes they turn up blank (clean) but most often they have about 2 signs of infection always reported as successfully deleted. These 2 are normally different every time most commonly Trojan agents "videoegg" and "snapapi.dll" they will have an entry in the system32 folder and a registry entry.
Yesterday I had a little consistency in that 2 successive scans turned up with the same findings; Snapapi entries.
Included is the mbam log from yesterday and DDS scans from earlier today.
Thanks.
Malwarebytes' Anti-Malware 1.36
Database version: 2101
Windows 5.1.2600 Service Pack 3
09/05/2009 22:26:53
mbam-log-2009-05-09 (22-26-53).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|K:\|)
Objects scanned: 360260
Time elapsed: 1 hour(s), 53 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: snapapi32.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\snapapi32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
DDS (Ver_09-03-16.01) - NTFSx86
Run by The Family at 15:07:29.04 on 10/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.1819 [GMT 1:00]
AV: ntl Netguard Anti-virus *On-access scanning enabled* (Updated)
FW: ntl Netguard Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ntl\ntl Netguard\fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\APPS\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
D:\Documents and Settings\The Family\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\ntl\ntl netguard\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZKBho Class: {56071e0d-c61b-11d3-b41c-00e02927a304} - c:\program files\ntl\ntl netguard\FBHR.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {ee16ce5a-a23c-4591-be45-cd87af77b015} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SmpcSys] c:\apps\smp\SmpSys.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Google Update] "d:\documents and settings\the family\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\ntl\broadb~1\smartb~1\MotiveSB.exe
mRun: [ntl Netguard] "c:\program files\ntl\ntl netguard\RPS.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\broadb~1.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
================= FIREFOX ===================
FF - ProfilePath - d:\docume~1\thefam~1\applic~1\mozilla\firefox\profiles\1i8880in.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ntlworld.com/
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: d:\documents and settings\the family\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 FWS;Radialpoint Service;c:\program files\ntl\ntl netguard\fws.exe [2005-7-5 274432]
R3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-21 1684736]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
=============== Created Last 30 ================
2009-05-10 14:55 <DIR> --d----- C:\OEMSettings
2009-05-07 21:30 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-05-07 21:30 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-05-07 21:30 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-05-07 21:23 <DIR> --d----- c:\windows\NV24243848.TMP
2009-05-07 21:13 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DAEMON Tools Lite
2009-05-07 20:50 <DIR> --d----- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-05-07 20:41 <DIR> --d----- c:\program files\Secunia
2009-05-05 23:59 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-05-05 23:59 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-05-05 23:59 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-05-05 23:59 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-05-05 23:59 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-05-05 23:59 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-05-05 23:59 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-05-05 23:59 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-05 23:59 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-05 23:59 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-05-05 22:35 <DIR> --d----- c:\windows\system32\Adobe
2009-05-05 18:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\Malwarebytes
2009-05-05 18:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-05 18:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 18:52 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-05 18:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 19:56 161,792 a------- c:\windows\SWREG.exe
2009-05-03 19:56 98,816 a------- c:\windows\sed.exe
2009-05-01 18:15 <DIR> a-dshr-- C:\autorun.inf
2009-04-27 21:27 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 18:32 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-27 18:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-25 14:21 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-25 14:21 1,409 a------- c:\windows\QTFont.for
2009-04-21 19:23 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DriverCure
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DriverCure
2009-04-21 19:17 <DIR> --dsh--- d:\documents and settings\the family\IECompatCache
2009-04-21 19:07 <DIR> --dsh--- d:\documents and settings\the family\PrivacIE
2009-04-21 19:04 <DIR> --dsh--- d:\documents and settings\the family\IETldCache
2009-04-21 19:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-21 19:01 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-04-16 17:45 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 17:45 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 17:45 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-15 21:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\2K Sports
==================== Find3M ====================
2009-05-07 21:13 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-04 18:31 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 17:16 34 a------- d:\documents and settings\the family\jagex_runescape_preferences.dat
2009-03-27 08:14 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-03-24 12:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 05:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 11:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 11:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 06:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-12 00:17 4,304 a------- c:\windows\system32\ealregsnapshot1.reg
2007-12-28 15:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 14:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 17:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 17:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2007-05-10 20:52 6,420 a------- d:\docume~1\thefam~1\applic~1\wklnhst.dat
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-10-15 16:57 774,144 a------- c:\program files\RngInterstitial.dll
============= FINISH: 15:08:08.56 ===============
Hi
Uninstall VideoEgg Publisher. DAEMON Tools Toolbar should be uninstalled as well. Have you noticed if those findings appear after using removable drive in the system?
OriginalMcBlood
2009-05-10, 19:25
Done although it stated daemon tools toolbar already removed I did not install it.
I also have no idea what video egg was/is and I was not aware it was installed possibly put on by someone else using pc although my kids are meant to be under strict instructions not to download anything before I give it the ok! I do not think that is happening, well earlier file findings prove it.
Having put the usb drive back on makes no difference to the scan results or performance. I have ran scans with it both attached and not, there seems to be no affect on scan or effect to results.
I will start another scan just now and post result with new dds but as I have said it may turn up clean this time only to turn up infected if I ran one immediately after.
Hi
You could reboot the system between the scans to see if something in startup brings bad items back.
OriginalMcBlood
2009-05-10, 22:21
hi,
here are the logs it has now found these infected items on 3 successive scans.
Two other things that may be worth mentioning are:
1) Processes system running on idle before clean were normally 60 or 61 now 59 and that includes MBAM, spybot and Secuna PSI. So I think I have been running with an infested system for quite some time.
2) The latency between commanding a program to run and it beginning has magnified by a factor of about 3 if not more since clean.
Anyway logs:
Malwarebytes' Anti-Malware 1.36
Database version: 2104
Windows 5.1.2600 Service Pack 3
10/05/2009 20:03:23
mbam-log-2009-05-10 (20-03-23).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|K:\|)
Objects scanned: 360783
Time elapsed: 2 hour(s), 19 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: snapapi32.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\snapapi32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
DDS (Ver_09-03-16.01) - NTFSx86
Run by The Family at 20:04:44.50 on 10/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.1292 [GMT 1:00]
AV: ntl Netguard Anti-virus *On-access scanning enabled* (Updated)
FW: ntl Netguard Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ntl\ntl Netguard\fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\APPS\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
D:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\5F.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
D:\Documents and Settings\The Family\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\ntl\ntl netguard\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZKBho Class: {56071e0d-c61b-11d3-b41c-00e02927a304} - c:\program files\ntl\ntl netguard\FBHR.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {ee16ce5a-a23c-4591-be45-cd87af77b015} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SmpcSys] c:\apps\smp\SmpSys.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Google Update] "d:\documents and settings\the family\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\ntl\broadb~1\smartb~1\MotiveSB.exe
mRun: [ntl Netguard] "c:\program files\ntl\ntl netguard\RPS.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\broadb~1.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
================= FIREFOX ===================
FF - ProfilePath - d:\docume~1\thefam~1\applic~1\mozilla\firefox\profiles\1i8880in.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ntlworld.com/
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: d:\documents and settings\the family\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 FWS;Radialpoint Service;c:\program files\ntl\ntl netguard\fws.exe [2005-7-5 274432]
R3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-5-5 38496]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-21 1684736]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
=============== Created Last 30 ================
2009-05-10 20:03 61,440 a------- c:\windows\system32\drivers\khqv.sys
2009-05-10 14:55 <DIR> --d----- C:\OEMSettings
2009-05-07 21:30 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-05-07 21:30 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-05-07 21:30 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-05-07 21:23 <DIR> --d----- c:\windows\NV24243848.TMP
2009-05-07 21:13 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DAEMON Tools Lite
2009-05-07 20:50 <DIR> --d----- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-05-07 20:41 <DIR> --d----- c:\program files\Secunia
2009-05-05 23:59 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-05-05 23:59 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-05-05 23:59 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-05-05 23:59 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-05-05 23:59 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-05-05 23:59 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-05-05 23:59 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-05-05 23:59 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-05 23:59 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-05 23:59 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-05-05 22:35 <DIR> --d----- c:\windows\system32\Adobe
2009-05-05 18:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\Malwarebytes
2009-05-05 18:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-05 18:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 18:52 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-05 18:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 19:56 161,792 a------- c:\windows\SWREG.exe
2009-05-03 19:56 98,816 a------- c:\windows\sed.exe
2009-05-01 18:15 <DIR> a-dshr-- C:\autorun.inf
2009-04-27 21:27 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 18:32 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-27 18:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-25 14:21 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-25 14:21 1,409 a------- c:\windows\QTFont.for
2009-04-21 19:23 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DriverCure
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DriverCure
2009-04-21 19:17 <DIR> --dsh--- d:\documents and settings\the family\IECompatCache
2009-04-21 19:07 <DIR> --dsh--- d:\documents and settings\the family\PrivacIE
2009-04-21 19:04 <DIR> --dsh--- d:\documents and settings\the family\IETldCache
2009-04-21 19:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-21 19:01 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-04-16 17:45 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 17:45 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 17:45 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-15 21:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\2K Sports
==================== Find3M ====================
2009-05-07 21:13 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-04 18:31 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 17:16 34 a------- d:\documents and settings\the family\jagex_runescape_preferences.dat
2009-03-27 08:14 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-03-24 12:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 05:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 11:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 11:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 06:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-12 00:17 4,304 a------- c:\windows\system32\ealregsnapshot1.reg
2007-12-28 15:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 14:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 17:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 17:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2007-05-10 20:52 6,420 a------- d:\docume~1\thefam~1\applic~1\wklnhst.dat
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-10-15 16:57 774,144 a------- c:\program files\RngInterstitial.dll
============= FINISH: 20:05:23.92 ===============
OriginalMcBlood
2009-05-11, 02:53
I have rebooted and rescaned but mbam has found these infections again i have not ran another dds as mbam results the same I would imagine dds the same again.
Most recent mbam scan result:
Malwarebytes' Anti-Malware 1.36
Database version: 2104
Windows 5.1.2600 Service Pack 3
11/05/2009 00:49:10
mbam-log-2009-05-11 (00-49-10).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|K:\|)
Objects scanned: 360885
Time elapsed: 1 hour(s), 48 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: snapapi32.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\snapapi32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
Hi
Disable TeaTimer.
Have those external drives plugged in that you've lately used with the system.
Open notepad and copy/paste the text in the quotebox below into it:
File::
D:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\5F.exe
c:\windows\system32\drivers\khqv.sys
DDS::
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: {ee16ce5a-a23c-4591-be45-cd87af77b015} - No File
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log. Re-run Kaspersky online scanner & post back its report and fresh dds.txt file contents.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
OriginalMcBlood
2009-05-12, 12:23
Sorry for the delay but KOS took over 6 hours to run with the K: drive attached.
Combofix, KOS and DDS scripts are zipped and attached.
There are 2 things to note:
1) From the combfix log "2009-05-10 13:55 . 2009-05-10 13:55 -------- d-----w C:\OEMSettings"
This was me flashing the Bios, I assume.
2) Also from the combofix log in the firewall authorised applications section
"k:\\Programs 2\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
This is not on the windows firewall exception list. I double checked. I also run a second firewall on this system supplied by my ISP it is not on this exception list either.
I also have a question, on the DDS (created last 30) it states
"2009-05-11 20:08 581,632 a------- c:\windows\system32\snapapi32.dll"
Do you know what this is? Its entry is 2 minutes after combofix. Is this related to combofix?
This is the file that most recently has consistently shown up as an infected item in the scans with an associated infected registry entry.
It does not show on the KOS, but!?
Oh and I have just noticed a 3rd thing to mention. From the KOS "D:\Documents and Settings\The Family\Local Settings\Application Data\Identities\{D688B133-BB08-44AA-9610-0788232F351C}\Microsoft\Outlook Express\Dylan.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1"
I have been through this mailbox and deleted anything that looked suspicious but we have seen this entry on an earlier scan ( it subsequently disappeared but here it is again.). I also tried to get to the folder to delete direct from there however although I could locate the folder when I went in it was empty. I think I have xp set up to show me everything so ? Also when I clicked on folder properties it stated that the folder was empty.
Anyway on we go.......
Thanks.
Hi
No, that snapapi32.dll file is not related to ComboFix.
I wouldn't worry about that mail related Kaspersky finding. If you have checked messages and no suspicious one is present then the finding is possibly false positive.
Please run following test:
1. Run MBAM and let it clean it findings.
2. Immediately after successful cleaning reboot the system.
3. Run another MBAM scan and let it clean findings if found.
4. If findings were found, make sure system is disconnected from internet. Then reboot and run another MBAM scan.
Download GMER (http://www.gmer.net/gmer.zip) and save it your desktop:
Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.
* Go here (http://www.eset.eu/eos/eset-online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log & a fresh dds.txt log as a reply to this topic.
OriginalMcBlood
2009-05-13, 11:30
Hi,
This is just a partial progress report as I did not have time to complete all the steps from your last post.
I have ran 3 sequential MBAM scans.
1) Same result as previous with only Snapapi32.dll file and registry entries.
2) Same result as previous with only Snapapi32.dll file and registry entries.
3) (with no internet connection) no signs of infection found.
As mentioned I did not have the time to carry out the next 2 steps and unfortunately I may not have the time for another 48 to 72 hours. I will try to squeeze it in when I have a minute because it is only a 5 min job to download install and start the scans.
I wanted to post as it has never been more than 24 hours between my posts. We have now been working on this for 2 weeks and I will not let it beat me. It has long gone past the point were it would have been cost effective (classing time as a resource) just to reformat the drive and reinstall everything. It has even gone past the point were it would have been more cost effective to throw the drive out of a window buy a new drive and all the software that is on this current drive and start from scratch!
I have not said thanks for a while so thank you I just wonder if you regret picking this thread up or view it as a learning experience? (do not answer that).
I will post as soon as I am able until then once again thanks. OriginalMcBlood.
Thanks for the heads up.
I just wonder if you regret picking this thread up or view it as a learning experience? (do not answer that).
You can probably guess the answer anyway ;)
OriginalMcBlood
2009-05-14, 23:55
Hello,
good news and bad news.
Good news I was able to get on the infected unit earlier than expected.
Bad news I can not get Eset to run on the unit at all.
It will only go to the point where it asks if I wish to install active X I click yes and then nothing, like nothing at all, no error messages, no pages reloading loading, no change of page, no increased system resource (cpu/ ram) nothing, nada, zilch!!
I must have tried 20 times always the same.
Good news I got Gmer to run. No easy task it kept shutting down with the old favourite "whatever application is running" has encountered an unexpected error an needs to close. Blah, blah, blah.
In fact and call me slow on the uptake but this has been happening to a lot of applications with increased frequency ( I.E 7 practically every 2-3 clicks) for about 2-3 months hello dopey this is probably this infection. I just thought that the os has been used for so long and is so cluttered that is was just being a pain.
Anyway here is the GMER log and new DDS let me know what you want to scan with or if there is a solution to the ESet problem.
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-14 21:09:50
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT spre.sys ZwCreateKey [0xB9EA70E0]
SSDT spre.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spre.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT spre.sys ZwOpenKey [0xB9EA70C0]
SSDT spre.sys ZwQueryKey [0xB9EC610A]
SSDT spre.sys ZwQueryValueKey [0xB9EC5F8A]
SSDT spre.sys ZwSetValueKey [0xB9EC619C]
INT 0x62 ? 8ACD4BF8
INT 0x73 ? 8ABA2F00
INT 0x73 ? 8ABA2F00
INT 0x73 ? 8ABA2F00
INT 0x83 ? 8ACC4BF8
Code 8924DD28 ZwCreateSection
Code 892B8EE8 ZwDuplicateObject
Code 8924FEE8 ZwSetInformationFile
Code 8A845018 ZwSetSystemInformation
Code 8929ED28 ZwWriteFile
Code 8924DD27 NtCreateSection
Code 892B8EE7 NtDuplicateObject
Code 8924FEE7 NtSetInformationFile
Code 8929ED27 NtWriteFile
---- Kernel code sections - GMER 1.0.15 ----
? spre.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B95888AC 5 Bytes JMP 8ABA24E0
.text ac3xzg1z.SYS B8D60386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ac3xzg1z.SYS B8D603AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ac3xzg1z.SYS B8D603C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ac3xzg1z.SYS B8D603C9 1 Byte [30]
.text ac3xzg1z.SYS B8D603C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[1016] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] spre.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA813E] spre.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA80C0] spre.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA8800] spre.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA86D6] spre.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB7E9C] spre.sys
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8ACC21F8
Device \FileSystem\Fastfat \FatCdrom Code 89270EE8
Device \FileSystem\Fastfat \FatCdrom 8976F500
AttachedDevice \Driver\Tcpip \Device\Ip FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
Device \Driver\USBSTOR \Device\0000009d 8A48A500
Device \Driver\USBSTOR \Device\0000009e 8A48A500
Device \Driver\USBSTOR \Device\0000009f 8A48A500
Device \Driver\usbohci \Device\USBPDO-0 8AAE2500
Device \Driver\usbehci \Device\USBPDO-1 8ABA1500
Device \Driver\USBSTOR \Device\000000a0 8A48A500
AttachedDevice \Driver\Tcpip \Device\Tcp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
Device \Driver\USBSTOR \Device\000000a1 8A48A500
Device \Driver\Ftdisk \Device\HarddiskVolume1 8ACD51F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8ACD51F8
Device \Driver\Cdrom \Device\CdRom0 8AAE1500
Device \Driver\PCI_PNP8824 \Device\00000072 spre.sys
Device \Driver\Ftdisk \Device\HarddiskVolume3 8ACD51F8
Device \Driver\sptd \Device\226437574 spre.sys
Device \Driver\Ftdisk \Device\HarddiskVolume4 8ACD51F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{F98986A8-5616-4B7E-9F28-27E689093F5E} 8A48D500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A48D500
Device \Driver\nvata \Device\00000091 8ACC41F8
Device \Driver\NetBT \Device\NetbiosSmb 8A48D500
AttachedDevice \Driver\Tcpip \Device\Udp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
Device \Driver\usbohci \Device\USBFDO-0 8AAE2500
Device \Driver\USBSTOR \Device\00000099 8A48A500
Device \Driver\nvata \Device\NvAta0 8ACC41F8
Device \Driver\usbehci \Device\USBFDO-1 8ABA1500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AA53500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AA53500
Device \Driver\Ftdisk \Device\FtControl 8ACD51F8
Device \Driver\USBSTOR \Device\0000009a 8A48A500
Device \Driver\ac3xzg1z \Device\Scsi\ac3xzg1z1 8A9FB1F8
Device \FileSystem\Fastfat \Fat Code 89270EE8
Device \FileSystem\Fastfat \Fat 8976F500
Device \FileSystem\Cdfs \Cdfs 897601F8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -667533817
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -327378777
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF0 0x6E 0x48 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDE 0xE7 0x34 0x95 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF2 0x02 0x30 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0x71 0x83 0x2E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x76 0x16 0x8E 0x2C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5B 0x6A 0x7A 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xB3 0xDE 0x70 0xE0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2A 0x54 0xB3 0x86 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBD 0xA8 0xDE 0x81 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA3 0x8E 0x5A 0xD3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x14 0xBD 0x38 0xFC ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB0 0x07 0xF5 0xC4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x46 0xD2 0xA5 0x2B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9F 0xF0 0x19 0xC8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xAC 0xD5 0xC1 0xAD ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF0 0x6E 0x48 0xA4 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDE 0xE7 0x34 0x95 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF2 0x02 0x30 0xFB ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0x71 0x83 0x2E ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x76 0x16 0x8E 0x2C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5B 0x6A 0x7A 0x7F ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xB3 0xDE 0x70 0xE0 ...
---- EOF - GMER 1.0.15 ----
DDS
DDS (Ver_09-03-16.01) - NTFSx86
Run by The Family at 21:50:55.00 on 14/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.1958 [GMT 1:00]
AV: ntl Netguard Anti-virus *On-access scanning enabled* (Updated)
FW: ntl Netguard Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ntl\ntl Netguard\fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\APPS\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\ntl\ntl Netguard\Rps.exe
D:\Documents and Settings\The Family\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\ntl\ntl netguard\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZKBho Class: {56071e0d-c61b-11d3-b41c-00e02927a304} - c:\program files\ntl\ntl netguard\FBHR.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SmpcSys] c:\apps\smp\SmpSys.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Google Update] "d:\documents and settings\the family\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\ntl\broadb~1\smartb~1\MotiveSB.exe
mRun: [ntl Netguard] "c:\program files\ntl\ntl netguard\RPS.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\broadb~1.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
================= FIREFOX ===================
FF - ProfilePath - d:\docume~1\thefam~1\applic~1\mozilla\firefox\profiles\1i8880in.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ntlworld.com/
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: d:\documents and settings\the family\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 FWS;Radialpoint Service;c:\program files\ntl\ntl netguard\fws.exe [2005-7-5 274432]
R3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-21 1684736]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
=============== Created Last 30 ================
2009-05-11 18:03 <DIR> --d----- C:\ComboFix
2009-05-10 14:55 <DIR> --d----- C:\OEMSettings
2009-05-07 21:30 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-05-07 21:30 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-05-07 21:30 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-05-07 21:23 <DIR> --d----- c:\windows\NV24243848.TMP
2009-05-07 21:13 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DAEMON Tools Lite
2009-05-07 20:50 <DIR> --d----- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-05-07 20:41 <DIR> --d----- c:\program files\Secunia
2009-05-05 23:59 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-05-05 23:59 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-05-05 23:59 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-05-05 23:59 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-05-05 23:59 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-05-05 23:59 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-05-05 23:59 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-05-05 23:59 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-05 23:59 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-05 23:59 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-05-05 22:35 <DIR> --d----- c:\windows\system32\Adobe
2009-05-05 18:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\Malwarebytes
2009-05-05 18:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-05 18:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 18:52 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-05 18:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 19:56 161,792 a------- c:\windows\SWREG.exe
2009-05-03 19:56 98,816 a------- c:\windows\sed.exe
2009-05-01 18:15 <DIR> a-dshr-- C:\autorun.inf
2009-04-27 21:27 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 18:32 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-27 18:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-25 14:21 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-25 14:21 1,409 a------- c:\windows\QTFont.for
2009-04-21 19:23 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DriverCure
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DriverCure
2009-04-21 19:17 <DIR> --dsh--- d:\documents and settings\the family\IECompatCache
2009-04-21 19:07 <DIR> --dsh--- d:\documents and settings\the family\PrivacIE
2009-04-21 19:04 <DIR> --dsh--- d:\documents and settings\the family\IETldCache
2009-04-21 19:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-21 19:01 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-04-16 17:45 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 17:45 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 17:45 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-15 21:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\2K Sports
==================== Find3M ====================
2009-05-07 21:13 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-04 18:31 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 17:16 34 a------- d:\documents and settings\the family\jagex_runescape_preferences.dat
2009-03-27 08:14 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-03-24 12:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 05:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 11:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 11:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 06:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2007-12-28 15:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 14:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 17:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 17:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2007-05-10 20:52 6,420 a------- d:\docume~1\thefam~1\applic~1\wklnhst.dat
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-10-15 16:57 774,144 a------- c:\program files\RngInterstitial.dll
============= FINISH: 21:51:29.96 ===============
Hi,
Did you still have system disconnected from internet? At least snapapi32.dll file or related registry entries are not appearing in the latest log.
Please download OTListIt2 (http://oldtimer.geekstogo.com/OTListIt2.exe)
Save it to the Desktop
Close all windows and double-click on the OTListIt2.exe file
OK any warning about running OTListIt.
Place a check in the Scan All Users checkbox
Click the Run Scan button
When the scan is complete, two text files are produced on the Desktop: OTListIt.txt , and Extras.txt
Please post the OTListIt.txt and Extras.txt in your reply.
OriginalMcBlood
2009-05-16, 16:17
After (my) last post ran a quick KOS scan -clean, then an offline MBam -clean. At this point I thought it looked hopeful or too good to be true. Ran MBam whilst connected to internet. Guess what snapapi32.dll back.
Went back to try Eset it worked.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bceggMoq.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\services.exe.vir Win32/Socks.NAH worm
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP722\A0260529.dll probably a variant of Win32/Agent trojan
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260543.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\A0263178.exe Win32/Socks.NAH worm
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\A0263204.ini Win32/Adware.Virtumonde.NEO application
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgenthc2.zip Win32/Bagle.gen.zip worm
Can I just go into thes folders and delete. I have been in and checked they were there?
There is a dds from the same time below.
Why does the snapapi32. dll not show on this scan? I assume this is why we are using so many different scanners because different scans are better at picking up different things.
I have also ran OTListIt2 and I have zipped with post
DDS (Ver_09-03-16.01) - NTFSx86
Run by The Family at 23:50:26.34 on 15/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.1804 [GMT 1:00]
AV: ntl Netguard Anti-virus *On-access scanning enabled* (Updated)
FW: ntl Netguard Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ntl\ntl Netguard\fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\APPS\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\NvCplUI.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
D:\Documents and Settings\The Family\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\ntl\ntl netguard\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZKBho Class: {56071e0d-c61b-11d3-b41c-00e02927a304} - c:\program files\ntl\ntl netguard\FBHR.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SmpcSys] c:\apps\smp\SmpSys.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Google Update] "d:\documents and settings\the family\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\ntl\broadb~1\smartb~1\MotiveSB.exe
mRun: [ntl Netguard] "c:\program files\ntl\ntl netguard\RPS.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\broadb~1.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab (file://c:\windows\java\classes\xmldso.cab)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab (file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab)
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll
================= FIREFOX ===================
FF - ProfilePath - d:\docume~1\thefam~1\applic~1\mozilla\firefox\profiles\1i8880in.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ntlworld.com/
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: d:\documents and settings\the family\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json (https://www.google.com/loc/json)");
============= SERVICES / DRIVERS ===============
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 FWS;Radialpoint Service;c:\program files\ntl\ntl netguard\fws.exe [2005-7-5 274432]
R3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-21 1684736]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
=============== Created Last 30 ================
2009-05-15 22:35 <DIR> --d----- c:\program files\ESET
2009-05-15 21:11 581,632 a------- c:\windows\system32\snapapi32.dll
2009-05-11 18:03 <DIR> --d----- C:\ComboFix
2009-05-10 14:55 <DIR> --d----- C:\OEMSettings
2009-05-07 21:30 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-05-07 21:30 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-05-07 21:30 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-05-07 21:23 <DIR> --d----- c:\windows\NV24243848.TMP
2009-05-07 21:13 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DAEMON Tools Lite
2009-05-07 20:50 <DIR> --d----- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-05-07 20:41 <DIR> --d----- c:\program files\Secunia
2009-05-05 23:59 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-05-05 23:59 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-05-05 23:59 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-05-05 23:59 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-05-05 23:59 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-05-05 23:59 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-05-05 23:59 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-05-05 23:59 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-05 23:59 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-05 23:59 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-05-05 22:35 <DIR> --d----- c:\windows\system32\Adobe
2009-05-05 18:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\Malwarebytes
2009-05-05 18:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-05 18:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 18:52 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-05 18:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 19:56 161,792 a------- c:\windows\SWREG.exe
2009-05-03 19:56 98,816 a------- c:\windows\sed.exe
2009-05-01 18:15 <DIR> a-dshr-- C:\autorun.inf
2009-04-27 21:27 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 18:32 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-27 18:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-25 14:21 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-25 14:21 1,409 a------- c:\windows\QTFont.for
2009-04-21 19:23 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DriverCure
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DriverCure
2009-04-21 19:17 <DIR> --dsh--- d:\documents and settings\the family\IECompatCache
2009-04-21 19:07 <DIR> --dsh--- d:\documents and settings\the family\PrivacIE
2009-04-21 19:04 <DIR> --dsh--- d:\documents and settings\the family\IETldCache
2009-04-21 19:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-21 19:01 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-04-16 17:45 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 17:45 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 17:45 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
==================== Find3M ====================
2009-05-07 21:13 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-04 18:31 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 17:16 34 a------- d:\documents and settings\the family\jagex_runescape_preferences.dat
2009-03-27 08:14 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-03-24 12:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 05:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 11:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 11:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 06:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2007-12-28 15:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 14:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 17:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 17:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2007-05-10 20:52 6,420 a------- d:\docume~1\thefam~1\applic~1\wklnhst.dat
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-10-15 16:57 774,144 a------- c:\program files\RngInterstitial.dll
============= FINISH: 23:51:50.60 ===============
Hi
QooBox and system restore related stuff will be dealt with later. However, you may delete that other finding in Spybot recovery folder.
I shall ask for other opinions on this snapapi32.dll thing. Meanwhile, upload following file to http://www.virustotal.com (rescan those that have been already scanned) and post back the results or links to the results:
c:\windows\system32\snapapi32.dll
I want to see if detection status has changed.
OriginalMcBlood
2009-05-16, 17:55
Here are the virus scan results for snapapi32.dll
file snapapi32.dll received on 05.16.2009 16:46:19 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 -
AhnLab-V3 5.0.0.2 2009.05.16 -
AntiVir 7.9.0.168 2009.05.15 -
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.16 -
Avast 4.8.1335.0 2009.05.15 -
AVG 8.5.0.336 2009.05.15 -
BitDefender 7.2 2009.05.16 -
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 -
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.16 -
F-Secure 8.0.14470.0 2009.05.15 -
Fortinet 3.117.0.0 2009.05.16 -
GData 19 2009.05.16 -
Ikarus T3.1.1.49.0 2009.05.16 -
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 -
McAfee 5616 2009.05.15 -
McAfee+Artemis 5616 2009.05.15 -
McAfee-GW-Edition 6.7.6 2009.05.15 -
Microsoft 1.4602 2009.05.16 -
NOD32 4080 2009.05.15 -
Norman 6.01.05 2009.05.16 -
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 -
PCTools 4.4.2.0 2009.05.16 -
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 -
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 -
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 -
Additional information
File size: 581632 bytes
MD5...: 9b1f586cf49e1db21ba246d53a31ff0c
SHA1..: 66f1d3811ce0a2a5854709b0b2991bfe6ace96cc
SHA256: 75e55f8de01b4731ea90454cb8a0f60af68c79ea0f4521178550db13c1d9b020
SHA512: ac93b6236dfa1710e68a845560c9e1c0d668e055452655e9584c4534d7aab1a2<br>77b29ac31b4507de07ea77ea2d150a0cde2fdb97d890ba9e6ba2eda0c67e3bba
ssdeep: 6144:BG6Ycno/breJKvtHS1RczAJ5Jav++W6C3Q61jSqeM+N/1U4Ae4GC2Mf+jW1<br>2/b:cx/XeJKVHS1RczAvwv+36C3QPRMgb4G<br>
PEiD..: -
TrID..: File type identification<br>Win32 Executable Generic (42.3%)<br>Win32 Dynamic Link Library (generic) (37.6%)<br>Generic Win/DOS Executable (9.9%)<br>DOS Executable Generic (9.9%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x2a92<br>timedatestamp.....: 0x498c9e77 (Fri Feb 06 20:32:55 2009)<br>machinetype.......: 0x14c (I386)<br><br>( 4 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x25c6 0x3000 5.36 fb59f1ea592976013834c174b0ef1c80<br>.rdata 0x4000 0x6e8 0x1000 2.62 fb248850a415ad9059d715de67bcdbb7<br>.data 0x5000 0x879f8 0x88000 7.88 3bb7e21a71ef22e3751f288ef36dd3e9<br>.reloc 0x8d000 0x906 0x1000 1.80 f2501e3e9584067698225df2b007c80f<br><br>( 5 imports ) <br>> KERNEL32.dll: GetTickCount, GetAtomNameA, GetCurrentDirectoryA, FindAtomA, GetLocalTime, lstrlenA, GlobalFindAtomA, GetConsoleTitleA, CloseHandle, SetFileTime, GetCurrentProcess, lstrcatA, lstrcpyA, GetSystemDirectoryA, GetCurrentThread, WriteFile, GetModuleFileNameA, GlobalAddAtomA, lstrcmpA, GetVersion, ExitProcess, IsProcessorFeaturePresent, SystemTimeToFileTime, GetWindowsDirectoryA, GlobalGetAtomNameA, HeapAlloc, GetComputerNameA, GetTempPathA, GetProcessHeap, HeapFree, CreateFileA<br>> ADVAPI32.dll: RegQueryValueExA, RegOpenKeyA, RegSetValueExA, RegCreateKeyA, GetUserNameA, RegCloseKey<br>> USER32.dll: GetCursor, GetWindow, GetDesktopWindow, GetFocus, GetClassNameA, GetCapture, GetClassLongA, GetWindowDC, GetDC, FindWindowA, IsWindowEnabled, IsWindowVisible, GetSysColor, GetActiveWindow, GetWindowLongA<br>> GDI32.dll: GetDeviceCaps, GetTextColor, GetBkColor, GetBkMode<br>> MSVCRT.dll: _ltoa, strlen, strcat, memset, _ftol, atol<br><br>( 1 exports ) <br>DllMain<br>
PDFiD.: -
RDS...: NSRL Reference Data Set<br>
Hi
Are there any other systems in same network with this one we're dealing with?
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
ipconfig /all >c:\ipsettings.txt
Double-click on fixes.bat file to execute it. After that c:\ipsettings.txt file should exist. Please post back contents of that file.
Download ERUNT (http://www.softpedia.com/get/Tweak/Registry-Tweak/Erunt-g.shtml)
Save it to your desktop. Run and install this program.
In the box that opens ONLY choose
System registry.
Then click OK.
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.
Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{502b4e06-3fe0-472d-b929-e4ecfb50d066}]
"Compatibility Flags"=dword:00000400
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Doubleclick fix.reg, press Yes and ok.
OriginalMcBlood
2009-05-17, 16:37
hi,
there are other machines that share this router, 4 in total but they are not networked.
I have followed all your instructions from the last post but I am not comfortable posting this level of specific identifiable information across the net i.e. IP addresses and unit names/identifiers.
If you need info from the txt ask and I will let you know. Sorry if it seems I am being awkward especially after how long we have been working on this but this is outside of my comfort zone.
Hi
It's DNS servers IP addresses that I'm interested in. If you think those are too private to be posted in topic then you can send me details through private messaging system :)
Due to inactivity, this thread will now be closed.
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.