Help required: computer is infected
Hi, here is my HijackThis logfile. I hope I did it right.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:31:20, on 06/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\msa.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\bgsvcgen.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\HPZipm12.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ter8m] RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\scott williamson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodate/bin/1,0,0,7/McUpdatePortal.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,21/mcgdmgr.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\SYSTEM32\bgsvcgen.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Google Update Service (gupdate1c9b1e3241c1022) (gupdate1c9b1e3241c1022) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 10056 bytes
Hello
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log, please.
Malwarebytes' Anti-Malware 1.41
Database version: 2925
Windows 5.1.2600 Service Pack 3
08/10/2009 21:09:12
mbam-log-2009-10-08 (21-09-12).txt
Scan type: Quick Scan
Objects scanned: 106922
Time elapsed: 9 minute(s), 28 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 17
Registry Values Infected: 12
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 24
Memory Processes Infected:
C:\WINDOWS\SYSTEM32\FastNetSrv.exe (Backdoor.Bot) -> Unloaded process successfully.
Memory Modules Infected:
c:\WINDOWS\SYSTEM32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tcpsr (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ter8m (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\scott williamson\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\SYSTEM32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\MSINET.oca (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\opeia.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01KLMNOP\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01KLMNOP\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01KLMNOP\w[3].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G8O1T6VE\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G8O1T6VE\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QRABUDEX\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QRABUDEX\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QRABUDEX\w[3].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YRRJVSYR\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YRRJVSYR\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\scott williamson\Start Menu\Programs\Protection System\Live Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\scott williamson\Start Menu\Programs\Protection System\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\scott williamson\Start Menu\Programs\Protection System\Uninstall.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\_id.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\BM0b831bb3.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
HJT Logfile
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:17:10, on 08/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\bgsvcgen.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\scott williamson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodate/bin/1,0,0,7/McUpdatePortal.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,21/mcgdmgr.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\SYSTEM32\bgsvcgen.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9b1e3241c1022) (gupdate1c9b1e3241c1022) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 9886 bytes
Hope this is OK.
Hi,
You did just fine. Just a heads up: as some of what Malwarebytes removed was a backdoor trojan, you should access a known clean computer and change all your passwords for the sites you visit and any online accounts.
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connection.
Hi, I will have to post my ComboFix and HJT logfiles separately.
ComboFix 09-10-07.05 - scott williamson 09/10/2009 8:00.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.20 [GMT 1:00]
Running from: c:\documents and settings\scott williamson\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\8913996.exe
C:\9560663.exe
c:\windows\Fonts\mlog
c:\windows\Install.txt
c:\windows\Installer\2c83f.msp
c:\windows\Installer\531a0c.msp
c:\windows\system32\Install.txt
Infected copy of c:\windows\regedit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\regedit.exe
Infected copy of c:\windows\SYSTEM32\DRIVERS\atapi.sys was found and disinfected
Kitty ate it :)
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe
Infected copy of c:\windows\hh.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\hh.exe
Infected copy of c:\windows\notepad.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\notepad.exe
Infected copy of c:\windows\slrundll.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\slrundll.exe
Infected copy of c:\windows\TASKMAN.EXE was found and disinfected
Restored copy from - c:\i386\TASKMAN.EXE
Infected copy of c:\windows\TWUNK_32.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP404\A0059593.EXE
Infected copy of c:\windows\winhlp32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winhlp32.exe
Infected copy of c:\windows\INF\unregmp2.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\unregmp2.exe
Infected copy of c:\windows\SYSTEM32\accwiz.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\accwiz.exe
Infected copy of c:\windows\SYSTEM32\actmovie.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\actmovie.exe
Infected copy of c:\windows\SYSTEM32\ahui.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ahui.exe
Infected copy of c:\windows\SYSTEM32\alg.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\alg.exe
Infected copy of c:\windows\SYSTEM32\ARP.EXE was found and disinfected
Restored copy from - c:\i386\ARP.EXE
Infected copy of c:\windows\SYSTEM32\at.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\at.exe
Infected copy of c:\windows\SYSTEM32\atmadm.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atmadm.exe
Infected copy of c:\windows\SYSTEM32\attrib.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\attrib.exe
Infected copy of c:\windows\SYSTEM32\auditusr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\auditusr.exe
Infected copy of c:\windows\SYSTEM32\blastcln.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\blastcln.exe
Infected copy of c:\windows\SYSTEM32\BOOTOK.EXE was found and disinfected
Restored copy from - c:\i386\BOOTOK.EXE
Infected copy of c:\windows\SYSTEM32\BOOTVRFY.EXE was found and disinfected
Restored copy from - c:\i386\BOOTVRFY.EXE
Infected copy of c:\windows\SYSTEM32\cacls.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cacls.exe
Infected copy of c:\windows\SYSTEM32\CALC.EXE was found and disinfected
Restored copy from - c:\i386\CALC.EXE
Infected copy of c:\windows\SYSTEM32\CHARMAP.EXE was found and disinfected
Restored copy from - c:\i386\CHARMAP.EXE
Infected copy of c:\windows\SYSTEM32\CHKDSK.EXE was found and disinfected
Restored copy from - c:\i386\CHKDSK.EXE
Infected copy of c:\windows\SYSTEM32\CHKNTFS.EXE was found and disinfected
Restored copy from - c:\i386\CHKNTFS.EXE
Infected copy of c:\windows\SYSTEM32\CIDAEMON.EXE was found and disinfected
Restored copy from - c:\i386\CIDAEMON.EXE
Infected copy of c:\windows\SYSTEM32\cisvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cisvc.exe
Infected copy of c:\windows\SYSTEM32\CKCNV.EXE was found and disinfected
Restored copy from - c:\i386\CKCNV.EXE
Infected copy of c:\windows\SYSTEM32\cleanmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cleanmgr.exe
Infected copy of c:\windows\SYSTEM32\clipbrd.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\clipbrd.exe
Infected copy of c:\windows\SYSTEM32\clipsrv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\clipsrv.exe
Infected copy of c:\windows\SYSTEM32\cmd.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cmd.exe
Infected copy of c:\windows\SYSTEM32\cmdl32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cmdl32.exe
Infected copy of c:\windows\SYSTEM32\cmmon32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cmmon32.exe
Infected copy of c:\windows\SYSTEM32\cmstp.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cmstp.exe
Infected copy of c:\windows\SYSTEM32\COMP.EXE was found and disinfected
Restored copy from - c:\i386\COMP.EXE
Infected copy of c:\windows\SYSTEM32\COMPACT.EXE was found and disinfected
Restored copy from - c:\i386\COMPACT.EXE
Infected copy of c:\windows\SYSTEM32\conime.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\conime.exe
Infected copy of c:\windows\SYSTEM32\CONTROL.EXE was found and disinfected
Restored copy from - c:\i386\CONTROL.EXE
Infected copy of c:\windows\SYSTEM32\CONVERT.EXE was found and disinfected
Restored copy from - c:\i386\CONVERT.EXE
Infected copy of c:\windows\SYSTEM32\cscript.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\cscript.exe
Infected copy of c:\windows\SYSTEM32\ctfmon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ctfmon.exe
Infected copy of c:\windows\SYSTEM32\dcomcnfg.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dcomcnfg.exe
Infected copy of c:\windows\SYSTEM32\ddeshare.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ddeshare.exe
Infected copy of c:\windows\SYSTEM32\defrag.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\defrag.exe
Infected copy of c:\windows\SYSTEM32\dfrgfat.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dfrgfat.exe
Infected copy of c:\windows\SYSTEM32\dfrgntfs.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dfrgntfs.exe
Infected copy of c:\windows\SYSTEM32\diantz.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\diantz.exe
Infected copy of c:\windows\SYSTEM32\diskpart.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\diskpart.exe
Infected copy of c:\windows\SYSTEM32\DISKPERF.EXE was found and disinfected
Restored copy from - c:\i386\DISKPERF.EXE
Infected copy of c:\windows\SYSTEM32\dllhost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dllhost.exe
Infected copy of c:\windows\SYSTEM32\DLLHST3G.EXE was found and disinfected
Restored copy from - c:\i386\DLLHST3G.EXE
Infected copy of c:\windows\SYSTEM32\dmadmin.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dmadmin.exe
Infected copy of c:\windows\SYSTEM32\dmremote.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dmremote.exe
Infected copy of c:\windows\SYSTEM32\DOSKEY.EXE was found and disinfected
Restored copy from - c:\i386\DOSKEY.EXE
Infected copy of c:\windows\SYSTEM32\dplaysvr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dplaysvr.exe
Infected copy of c:\windows\SYSTEM32\dpnsvr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dpnsvr.exe
Infected copy of c:\windows\SYSTEM32\dpvsetup.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dpvsetup.exe
Infected copy of c:\windows\SYSTEM32\DRWTSN32.EXE was found and disinfected
Restored copy from - c:\i386\DRWTSN32.EXE
Infected copy of c:\windows\SYSTEM32\dumprep.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dumprep.exe
Infected copy of c:\windows\SYSTEM32\DVDPLAY.EXE was found and disinfected
Restored copy from - c:\i386\DVDPLAY.EXE
Infected copy of c:\windows\SYSTEM32\dvdupgrd.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dvdupgrd.exe
Infected copy of c:\windows\SYSTEM32\dwwin.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dwwin.exe
Infected copy of c:\windows\SYSTEM32\dxdiag.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dxdiag.exe
Infected copy of c:\windows\SYSTEM32\ESENTUTL.EXE was found and disinfected
Restored copy from - c:\i386\ESENTUTL.EXE
Infected copy of c:\windows\SYSTEM32\eudcedit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eudcedit.exe
Infected copy of c:\windows\SYSTEM32\EVENTVWR.EXE was found and disinfected
Restored copy from - c:\i386\EVENTVWR.EXE
Infected copy of c:\windows\SYSTEM32\EXPAND.EXE was found and disinfected
Restored copy from - c:\i386\EXPAND.EXE
Infected copy of c:\windows\SYSTEM32\extrac32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\extrac32.exe
Infected copy of c:\windows\SYSTEM32\FC.EXE was found and disinfected
Restored copy from - c:\i386\FC.EXE
Infected copy of c:\windows\SYSTEM32\FIND.EXE was found and disinfected
Restored copy from - c:\i386\FIND.EXE
Infected copy of c:\windows\SYSTEM32\findstr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\findstr.exe
Infected copy of c:\windows\SYSTEM32\FINGER.EXE was found and disinfected
Restored copy from - c:\i386\FINGER.EXE
Infected copy of c:\windows\SYSTEM32\FIXMAPI.EXE was found and disinfected
Restored copy from - c:\i386\FIXMAPI.EXE
Infected copy of c:\windows\SYSTEM32\fltmc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\fltmc.exe
Infected copy of c:\windows\SYSTEM32\fontview.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\fontview.exe
Infected copy of c:\windows\SYSTEM32\forcedos.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\forcedos.exe
Infected copy of c:\windows\SYSTEM32\FREECELL.EXE was found and disinfected
Restored copy from - c:\i386\FREECELL.EXE
Infected copy of c:\windows\SYSTEM32\fsquirt.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\fsquirt.exe
Infected copy of c:\windows\SYSTEM32\FSUTIL.EXE was found and disinfected
Restored copy from - c:\i386\FSUTIL.EXE
Infected copy of c:\windows\SYSTEM32\ftp.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ftp.exe
Infected copy of c:\windows\SYSTEM32\fxsclnt.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\fxsclnt.exe
Infected copy of c:\windows\SYSTEM32\fxscover.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\fxscover.exe
Infected copy of c:\windows\SYSTEM32\FXSSEND.EXE was found and disinfected
Restored copy from - c:\i386\FXSSEND.EXE
Infected copy of c:\windows\SYSTEM32\fxssvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\fxssvc.exe
Infected copy of c:\windows\SYSTEM32\grpconv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe
Infected copy of c:\windows\SYSTEM32\help.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\help.exe
Infected copy of c:\windows\SYSTEM32\HOSTNAME.EXE was found and disinfected
Restored copy from - c:\i386\HOSTNAME.EXE
Infected copy of c:\windows\SYSTEM32\ie4uinit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ie4uinit.exe
Infected copy of c:\windows\SYSTEM32\iexpress.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\iexpress.exe
Infected copy of c:\windows\SYSTEM32\imapi.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\imapi.exe
Infected copy of c:\windows\SYSTEM32\ipconfig.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ipconfig.exe
Infected copy of c:\windows\SYSTEM32\IPSEC6.EXE was found and disinfected
Restored copy from - c:\i386\IPSEC6.EXE
Infected copy of c:\windows\SYSTEM32\ipv6.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ipv6.exe
Infected copy of c:\windows\SYSTEM32\ipxroute.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ipxroute.exe
Infected copy of c:\windows\SYSTEM32\LABEL.EXE was found and disinfected
Restored copy from - c:\i386\LABEL.EXE
Infected copy of c:\windows\SYSTEM32\LIGHTS.EXE was found and disinfected
Restored copy from - c:\i386\LIGHTS.EXE
Infected copy of c:\windows\SYSTEM32\LNKSTUB.EXE was found and disinfected
Restored copy from - c:\i386\LNKSTUB.EXE
Infected copy of c:\windows\SYSTEM32\locator.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\locator.exe
Infected copy of c:\windows\SYSTEM32\LODCTR.EXE was found and disinfected
Restored copy from - c:\i386\LODCTR.EXE
Infected copy of c:\windows\SYSTEM32\logagent.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\logagent.exe
Infected copy of c:\windows\SYSTEM32\logman.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\logman.exe
Infected copy of c:\windows\SYSTEM32\LOGOFF.EXE was found and disinfected
Restored copy from - c:\i386\LOGOFF.EXE
Infected copy of c:\windows\SYSTEM32\logonui.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\logonui.exe
Infected copy of c:\windows\SYSTEM32\LPQ.EXE was found and disinfected
Restored copy from - c:\i386\LPQ.EXE
Infected copy of c:\windows\SYSTEM32\LPR.EXE was found and disinfected
Restored copy from - c:\i386\LPR.EXE
Infected copy of c:\windows\SYSTEM32\magnify.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\magnify.exe
Infected copy of c:\windows\SYSTEM32\makecab.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\makecab.exe
Infected copy of c:\windows\SYSTEM32\mmc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mmc.exe
Infected copy of c:\windows\SYSTEM32\mmcperf.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mmcperf.exe
Infected copy of c:\windows\SYSTEM32\mnmsrvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mnmsrvc.exe
Infected copy of c:\windows\SYSTEM32\mobsync.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mobsync.exe
Infected copy of c:\windows\SYSTEM32\MOUNTVOL.EXE was found and disinfected
Restored copy from - c:\i386\MOUNTVOL.EXE
Infected copy of c:\windows\SYSTEM32\mplay32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mplay32.exe
Infected copy of c:\windows\SYSTEM32\MPNOTIFY.EXE was found and disinfected
Restored copy from - c:\i386\MPNOTIFY.EXE
Infected copy of c:\windows\SYSTEM32\MRINFO.EXE was found and disinfected
Restored copy from - c:\i386\MRINFO.EXE
Infected copy of c:\windows\SYSTEM32\msdtc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msdtc.exe
Infected copy of c:\windows\SYSTEM32\MSG.EXE was found and disinfected
Restored copy from - c:\i386\MSG.EXE
Infected copy of c:\windows\SYSTEM32\MSHEARTS.EXE was found and disinfected
Restored copy from - c:\i386\MSHEARTS.EXE
Infected copy of c:\windows\SYSTEM32\mshta.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mshta.exe
Infected copy of c:\windows\SYSTEM32\msiexec.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msiexec.exe
Infected copy of c:\windows\SYSTEM32\mspaint.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mspaint.exe
Infected copy of c:\windows\SYSTEM32\MSSWCHX.EXE was found and disinfected
Restored copy from - c:\i386\MSSWCHX.EXE
Infected copy of c:\windows\SYSTEM32\mstinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mstinit.exe
Infected copy of c:\windows\SYSTEM32\mstsc.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\mstsc.exe
Infected copy of c:\windows\SYSTEM32\napstat.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\napstat.exe
Infected copy of c:\windows\SYSTEM32\narrator.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\narrator.exe
Infected copy of c:\windows\SYSTEM32\NBTSTAT.EXE was found and disinfected
Restored copy from - c:\i386\NBTSTAT.EXE
Infected copy of c:\windows\SYSTEM32\nddeapir.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\nddeapir.exe
Infected copy of c:\windows\SYSTEM32\net.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\net.exe
Infected copy of c:\windows\SYSTEM32\net1.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\net1.exe
Infected copy of c:\windows\SYSTEM32\netdde.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netdde.exe
Infected copy of c:\windows\SYSTEM32\netsetup.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netsetup.exe
Infected copy of c:\windows\SYSTEM32\netsh.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netsh.exe
Infected copy of c:\windows\SYSTEM32\netstat.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netstat.exe
Infected copy of c:\windows\SYSTEM32\nslookup.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\nslookup.exe
Infected copy of c:\windows\SYSTEM32\NTSD.EXE was found and disinfected
Restored copy from - c:\i386\NTSD.EXE
Infected copy of c:\windows\SYSTEM32\ntvdm.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ntvdm.exe
Infected copy of c:\windows\SYSTEM32\odbcad32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\odbcad32.exe
Infected copy of c:\windows\SYSTEM32\odbcconf.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\odbcconf.exe
Infected copy of c:\windows\SYSTEM32\osk.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\osk.exe
Infected copy of c:\windows\SYSTEM32\OSUNINST.EXE was found and disinfected
Restored copy from - c:\i386\OSUNINST.EXE
Infected copy of c:\windows\SYSTEM32\packager.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\packager.exe
Infected copy of c:\windows\SYSTEM32\PATHPING.EXE was found and disinfected
Restored copy from - c:\i386\PATHPING.EXE
Infected copy of c:\windows\SYSTEM32\PENTNT.EXE was found and disinfected
Restored copy from - c:\i386\PENTNT.EXE
Infected copy of c:\windows\SYSTEM32\perfmon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\perfmon.exe
Infected copy of c:\windows\SYSTEM32\ping.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ping.exe
Infected copy of c:\windows\SYSTEM32\PING6.EXE was found and disinfected
Restored copy from - c:\i386\PING6.EXE
Infected copy of c:\windows\SYSTEM32\powercfg.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\powercfg.exe
Infected copy of c:\windows\SYSTEM32\PRINT.EXE was found and disinfected
Restored copy from - c:\i386\PRINT.EXE
Infected copy of c:\windows\SYSTEM32\progman.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\progman.exe
Infected copy of c:\windows\SYSTEM32\proquota.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
Infected copy of c:\windows\SYSTEM32\proxycfg.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\proxycfg.exe
Infected copy of c:\windows\SYSTEM32\QAPPSRV.EXE was found and disinfected
Restored copy from - c:\i386\QAPPSRV.EXE
Infected copy of c:\windows\SYSTEM32\qprocess.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\qprocess.exe
Infected copy of c:\windows\SYSTEM32\QWINSTA.EXE was found and disinfected
Restored copy from - c:\i386\QWINSTA.EXE
Infected copy of c:\windows\SYSTEM32\RASAUTOU.EXE was found and disinfected
Restored copy from - c:\i386\RASAUTOU.EXE
Infected copy of c:\windows\SYSTEM32\RASDIAL.EXE was found and disinfected
Restored copy from - c:\i386\RASDIAL.EXE
Infected copy of c:\windows\SYSTEM32\rasphone.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rasphone.exe
Infected copy of c:\windows\SYSTEM32\rcimlby.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rcimlby.exe
Infected copy of c:\windows\SYSTEM32\rcp.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rcp.exe
Infected copy of c:\windows\SYSTEM32\rdpclip.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rdpclip.exe
Infected copy of c:\windows\SYSTEM32\rdsaddin.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rdsaddin.exe
Infected copy of c:\windows\SYSTEM32\rdshost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rdshost.exe
Infected copy of c:\windows\SYSTEM32\RECOVER.EXE was found and disinfected
Restored copy from - c:\i386\RECOVER.EXE
Infected copy of c:\windows\SYSTEM32\reg.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\reg.exe
Infected copy of c:\windows\SYSTEM32\REGEDT32.EXE was found and disinfected
Restored copy from - c:\i386\REGEDT32.EXE
Infected copy of c:\windows\SYSTEM32\REGINI.EXE was found and disinfected
Restored copy from - c:\i386\REGINI.EXE
Infected copy of c:\windows\SYSTEM32\regsvr32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\regsvr32.exe
Infected copy of c:\windows\SYSTEM32\REGWIZ.EXE was found and disinfected
Restored copy from - c:\i386\REGWIZ.EXE
Infected copy of c:\windows\SYSTEM32\REPLACE.EXE was found and disinfected
Restored copy from - c:\i386\REPLACE.EXE
Infected copy of c:\windows\SYSTEM32\RESET.EXE was found and disinfected
Restored copy from - c:\i386\RESET.EXE
Infected copy of c:\windows\SYSTEM32\rexec.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rexec.exe
Infected copy of c:\windows\SYSTEM32\ROUTE.EXE was found and disinfected
Restored copy from - c:\i386\ROUTE.EXE
Infected copy of c:\windows\SYSTEM32\ROUTEMON.EXE was found and disinfected
Restored copy from - c:\i386\ROUTEMON.EXE
Infected copy of c:\windows\SYSTEM32\rsh.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rsh.exe
Infected copy of c:\windows\SYSTEM32\RSM.EXE was found and disinfected
Restored copy from - c:\i386\RSM.EXE
Infected copy of c:\windows\SYSTEM32\RSMSINK.EXE was found and disinfected
Restored copy from - c:\i386\RSMSINK.EXE
Infected copy of c:\windows\SYSTEM32\RSMUI.EXE was found and disinfected
Restored copy from - c:\i386\RSMUI.EXE
Infected copy of c:\windows\SYSTEM32\RSVP.EXE was found and disinfected
Restored copy from - c:\i386\RSVP.EXE
Infected copy of c:\windows\SYSTEM32\rtcshare.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rtcshare.exe
Infected copy of c:\windows\SYSTEM32\RUNAS.EXE was found and disinfected
Restored copy from - c:\i386\RUNAS.EXE
Infected copy of c:\windows\SYSTEM32\rundll32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rundll32.exe
Infected copy of c:\windows\SYSTEM32\runonce.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\runonce.exe
Infected copy of c:\windows\SYSTEM32\RWINSTA.EXE was found and disinfected
Restored copy from - c:\i386\RWINSTA.EXE
Infected copy of c:\windows\SYSTEM32\savedump.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\savedump.exe
Infected copy of c:\windows\SYSTEM32\sc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sc.exe
Infected copy of c:\windows\SYSTEM32\scardsvr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\scardsvr.exe
Infected copy of c:\windows\SYSTEM32\sdbinst.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sdbinst.exe
Infected copy of c:\windows\SYSTEM32\sessmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sessmgr.exe
Infected copy of c:\windows\SYSTEM32\sethc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sethc.exe
Infected copy of c:\windows\SYSTEM32\setup.exe was found and disinfected
Restored copy from - c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Infected copy of c:\windows\SYSTEM32\setupn.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\setupn.exe
Infected copy of c:\windows\SYSTEM32\SFC.EXE was found and disinfected
Restored copy from - c:\i386\SFC.EXE
Infected copy of c:\windows\SYSTEM32\SHADOW.EXE was found and disinfected
Restored copy from - c:\i386\SHADOW.EXE
Infected copy of c:\windows\SYSTEM32\shmgrate.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\shmgrate.exe
Infected copy of c:\windows\SYSTEM32\shrpubw.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\shrpubw.exe
Infected copy of c:\windows\SYSTEM32\shutdown.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\shutdown.exe
Infected copy of c:\windows\SYSTEM32\sigverif.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sigverif.exe
Infected copy of c:\windows\SYSTEM32\skeys.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\skeys.exe
Infected copy of c:\windows\SYSTEM32\slserv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\slserv.exe
Infected copy of c:\windows\SYSTEM32\smbinst.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\smbinst.exe
Infected copy of c:\windows\SYSTEM32\smlogsvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\smlogsvc.exe
Infected copy of c:\windows\SYSTEM32\sndrec32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sndrec32.exe
Infected copy of c:\windows\SYSTEM32\SNDVOL32.EXE was found and disinfected
Restored copy from - c:\i386\SNDVOL32.EXE
Infected copy of c:\windows\SYSTEM32\SOL.EXE was found and disinfected
Restored copy from - c:\i386\SOL.EXE
Infected copy of c:\windows\SYSTEM32\sort.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sort.exe
Infected copy of c:\windows\SYSTEM32\spider.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\spider.exe
Infected copy of c:\windows\SYSTEM32\spnpinst.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\spnpinst.exe
Infected copy of c:\windows\SYSTEM32\stimon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\stimon.exe
Infected copy of c:\windows\SYSTEM32\SUBST.EXE was found and disinfected
Restored copy from - c:\i386\SUBST.EXE
Infected copy of c:\windows\SYSTEM32\SYNCAPP.EXE was found and disinfected
Restored copy from - c:\i386\SYNCAPP.EXE
Infected copy of c:\windows\SYSTEM32\SYSKEY.EXE was found and disinfected
Restored copy from - c:\i386\SYSKEY.EXE
Infected copy of c:\windows\SYSTEM32\sysocmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sysocmgr.exe
Infected copy of c:\windows\SYSTEM32\SYSTRAY.EXE was found and disinfected
Restored copy from - c:\i386\SYSTRAY.EXE
Infected copy of c:\windows\SYSTEM32\taskmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\taskmgr.exe
Infected copy of c:\windows\SYSTEM32\TCMSETUP.EXE was found and disinfected
Restored copy from - c:\i386\TCMSETUP.EXE
Infected copy of c:\windows\SYSTEM32\TCPSVCS.EXE was found and disinfected
Restored copy from - c:\i386\TCPSVCS.EXE
Infected copy of c:\windows\SYSTEM32\telnet.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\telnet.exe
Infected copy of c:\windows\SYSTEM32\TFTP.EXE was found and disinfected
Restored copy from - c:\i386\TFTP.EXE
Infected copy of c:\windows\SYSTEM32\tourstart.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\tourstart.exe
Infected copy of c:\windows\SYSTEM32\tracert.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\tracert.exe
Infected copy of c:\windows\SYSTEM32\TRACERT6.EXE was found and disinfected
Restored copy from - c:\i386\TRACERT6.EXE
Infected copy of c:\windows\SYSTEM32\TSCON.EXE was found and disinfected
Restored copy from - c:\i386\TSCON.EXE
Infected copy of c:\windows\SYSTEM32\TSDISCON.EXE was found and disinfected
Restored copy from - c:\i386\TSDISCON.EXE
Infected copy of c:\windows\SYSTEM32\TSKILL.EXE was found and disinfected
Restored copy from - c:\i386\TSKILL.EXE
Infected copy of c:\windows\SYSTEM32\TSSHUTDN.EXE was found and disinfected
Restored copy from - c:\i386\TSSHUTDN.EXE
Infected copy of c:\windows\SYSTEM32\UNLODCTR.EXE was found and disinfected
Restored copy from - c:\i386\UNLODCTR.EXE
Infected copy of c:\windows\SYSTEM32\upnpcont.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\upnpcont.exe
Infected copy of c:\windows\SYSTEM32\ups.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ups.exe
Infected copy of c:\windows\SYSTEM32\USRMLNKA.EXE was found and disinfected
Restored copy from - c:\i386\USRMLNKA.EXE
Infected copy of c:\windows\SYSTEM32\USRPRBDA.EXE was found and disinfected
Restored copy from - c:\i386\USRPRBDA.EXE
Infected copy of c:\windows\SYSTEM32\USRSHUTA.EXE was found and disinfected
Restored copy from - c:\i386\USRSHUTA.EXE
Infected copy of c:\windows\SYSTEM32\utilman.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\utilman.exe
Infected copy of c:\windows\SYSTEM32\VERIFIER.EXE was found and disinfected
Restored copy from - c:\i386\VERIFIER.EXE
Infected copy of c:\windows\SYSTEM32\VSSADMIN.EXE was found and disinfected
Restored copy from - c:\i386\VSSADMIN.EXE
Infected copy of c:\windows\SYSTEM32\vssvc.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\vssvc.exe
Infected copy of c:\windows\SYSTEM32\W32TM.EXE was found and disinfected
Restored copy from - c:\i386\W32TM.EXE
Infected copy of c:\windows\SYSTEM32\wextract.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wextract.exe
Infected copy of c:\windows\SYSTEM32\wiaacmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wiaacmgr.exe
Infected copy of c:\windows\SYSTEM32\WINMINE.EXE was found and disinfected
Restored copy from - c:\i386\WINMINE.EXE
Infected copy of c:\windows\SYSTEM32\WINMSD.EXE was found and disinfected
Restored copy from - c:\i386\WINMSD.EXE
Infected copy of c:\windows\SYSTEM32\winver.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winver.exe
Infected copy of c:\windows\SYSTEM32\wpabaln.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wpabaln.exe
Infected copy of c:\windows\SYSTEM32\wpnpinst.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wpnpinst.exe
Infected copy of c:\windows\SYSTEM32\WRITE.EXE was found and disinfected
Restored copy from - c:\i386\WRITE.EXE
Infected copy of c:\windows\SYSTEM32\wscntfy.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wscntfy.exe
Infected copy of c:\windows\SYSTEM32\wscript.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wscript.exe
Infected copy of c:\windows\SYSTEM32\WUPDMGR.EXE was found and disinfected
Restored copy from - c:\i386\WUPDMGR.EXE
Infected copy of c:\windows\SYSTEM32\xcopy.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\xcopy.exe
Infected copy of c:\windows\SYSTEM32\WBEM\wmiapsrv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\wmiapsrv.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TCPSR
((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))
.
2009-10-08 17:41 . 2009-10-08 17:41 -------- d-----w- c:\documents and settings\scott williamson\Application Data\Malwarebytes
2009-10-08 17:37 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-08 17:37 . 2009-10-08 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-08 17:37 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-08 17:37 . 2009-10-08 17:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 21:54 . 2009-10-03 22:04 212224 ------w- c:\windows\system32\dllcache\ndis.sys
2009-10-03 19:36 . 2009-10-03 19:38 -------- d-----w- C:\Keygen
2009-10-03 10:20 . 2009-10-01 09:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-10 20:18 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 17:48 . 2003-11-07 10:25 315392 ----a-w- c:\windows\system32\Jasc Paint Shop Photo Album.scr
2009-10-08 16:35 . 2004-08-04 04:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-10-04 09:48 . 2005-11-24 23:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-04 07:58 . 2009-10-04 07:58 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-10-04 07:58 . 2004-08-04 04:00 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-10-04 07:31 . 2006-05-24 21:47 61440 ----a-w- c:\program files\Uninstall_CDS.exe
2009-10-04 07:31 . 2004-08-04 04:00 41472 ----a-w- c:\windows\system32\ssmarque.scr
2009-10-04 07:31 . 2004-08-04 04:00 39424 ----a-w- c:\windows\system32\ssmyst.scr
2009-10-04 07:31 . 2004-08-04 04:00 40448 ----a-w- c:\windows\system32\ssbezier.scr
2009-10-04 07:24 . 2004-09-22 18:46 67584 ----a-w- c:\windows\system32\uwdf.exe
2009-10-04 07:24 . 2004-08-04 04:00 65024 ----a-w- c:\windows\system32\TSCUPGRD.EXE
2009-10-04 07:24 . 2008-09-17 08:54 41472 ----a-w- c:\windows\system32\spupdwxp.exe
2009-10-04 07:23 . 2004-11-12 20:42 171520 ----a-w- c:\windows\system32\wjview.exe
2009-10-04 07:23 . 2008-05-18 07:34 77824 ----a-w- c:\windows\system32\GenSvcInst.exe
2009-10-04 07:23 . 2004-08-04 04:00 35840 ----a-w- c:\windows\system32\TASKMAN.EXE
2009-10-04 07:22 . 2008-09-17 08:54 53248 ----a-w- c:\windows\system32\slrundll.exe
2009-10-04 07:20 . 2008-09-17 08:54 28160 ----a-w- c:\windows\system32\spdwnwxp.exe
2009-10-04 07:20 . 2004-08-04 04:00 28672 ----a-w- c:\windows\system32\WINHLP32.EXE
2009-10-04 07:14 . 2004-08-04 04:00 72192 ----a-w- c:\windows\system32\MIGPWD.EXE
2009-10-04 07:14 . 1998-03-26 00:00 58368 ----a-w- c:\windows\system32\MAPISRVR.EXE
2009-10-04 07:13 . 2004-11-12 20:42 172032 ----a-w- c:\windows\system32\jview.exe
2009-10-04 07:13 . 2004-11-12 20:42 14848 ----a-w- c:\windows\system32\jdbgmgr.exe
2009-10-04 07:13 . 2004-11-12 20:55 37000 ----a-w- c:\windows\system32\instlsp.exe
2009-10-04 07:13 . 2007-04-18 16:23 86016 ----a-w- c:\windows\system32\HPZinw12.exe
2009-10-04 07:13 . 2008-09-17 08:53 41472 ----a-w- c:\windows\system32\faxpatch.exe
2009-10-03 22:27 . 2006-03-17 00:38 49152 ----a-w- c:\windows\system32\verclsid.exe
2009-10-03 22:24 . 1979-12-31 23:00 139264 ----a-w- c:\windows\system32\Prounstl.exe
2009-10-03 22:22 . 2004-08-04 04:00 89600 ----a-w- c:\windows\system32\notepad.exe
2009-10-03 22:01 . 2007-12-14 20:32 -------- d-----w- c:\documents and settings\scott williamson\Application Data\uTorrent
2009-10-03 21:58 . 2004-11-12 20:42 49152 ----a-w- c:\windows\system32\clspack.exe
2009-10-03 21:58 . 2004-08-04 04:00 40960 ----a-w- c:\windows\system32\cliconfg.exe
2009-10-03 21:57 . 1979-12-31 23:00 86016 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-10-03 21:56 . 2005-01-07 14:13 298496 ----a-w- c:\windows\uninst.exe
2009-10-03 21:56 . 2004-11-12 20:42 46080 ----a-w- c:\windows\setdebug.exe
2009-10-03 21:56 . 2004-07-19 15:01 63448 ----a-w- c:\windows\SETPWRCG.EXE
2009-10-03 21:56 . 2005-02-28 13:15 745472 ----a-w- c:\windows\iun6002.exe
2009-10-03 21:56 . 2009-09-06 19:30 307200 ----a-w- c:\windows\iun507.exe
2009-10-03 21:56 . 1998-10-29 15:45 327168 ----a-w- c:\windows\IsUninst.exe
2009-10-03 21:55 . 2006-04-20 12:04 184320 ----a-w- c:\windows\emSTI.exe
2009-10-03 21:55 . 2006-04-20 12:04 368640 ----a-w- c:\windows\emAmcap.exe
2009-10-03 21:55 . 2004-10-26 21:58 118784 ----a-w- c:\windows\dla.exe
2009-10-03 21:49 . 2007-04-18 16:23 94208 ----a-w- c:\windows\system32\HPZipm12.exe
2009-09-29 14:39 . 2008-05-18 07:31 -------- d-----w- c:\program files\FinePixViewer
2009-09-24 22:14 . 2007-04-18 17:23 -------- d-----w- c:\documents and settings\scott williamson\Application Data\Image Zone Express
2009-09-21 14:22 . 2007-08-16 18:06 -------- d-----w- c:\program files\MSECache
2009-09-18 14:28 . 2009-09-02 12:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-10 20:57 . 2007-04-18 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-09-08 20:44 . 2009-08-11 08:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-09-06 19:30 . 2009-09-06 19:29 -------- d-----w- c:\program files\RescuePRO
2009-08-19 16:02 . 2009-08-19 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-19 16:02 . 2006-01-27 16:58 -------- d-----w- c:\program files\iTunes
2009-08-19 16:01 . 2006-01-27 16:55 -------- d-----w- c:\program files\iPod
2009-08-19 16:01 . 2007-12-14 23:16 -------- d-----w- c:\program files\Common Files\Apple
2009-08-19 15:59 . 2009-08-19 15:59 -------- d-----w- c:\program files\Bonjour
2009-08-19 15:58 . 2009-08-19 15:57 -------- d-----w- c:\program files\QuickTime
2009-08-16 22:35 . 2004-12-05 22:41 -------- d-----w- c:\program files\McAfee
2009-08-12 13:42 . 2004-10-26 21:55 -------- d-----w- c:\program files\Java
2009-08-11 08:37 . 2009-08-11 08:37 -------- d-----w- c:\program files\SiteAdvisor
2009-08-06 18:24 . 2004-08-04 04:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 18:24 . 2004-08-04 04:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 18:24 . 2005-05-26 03:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 18:24 . 2004-11-19 15:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 18:24 . 2004-08-04 04:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 18:24 . 2004-08-04 04:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 18:23 . 2004-08-04 04:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 18:23 . 2004-08-04 04:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 04:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 04:23 . 2008-12-28 09:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 22:31 . 2009-07-21 22:31 9232 ----a-w- c:\documents and settings\scott williamson\mqdmmdfl.sys
2009-07-21 22:31 . 2009-07-21 22:31 92064 ----a-w- c:\documents and settings\scott williamson\mqdmmdm.sys
2009-07-21 22:31 . 2009-07-21 22:31 79328 ----a-w- c:\documents and settings\scott williamson\mqdmserd.sys
2009-07-21 22:31 . 2009-07-21 22:31 66656 ----a-w- c:\documents and settings\scott williamson\mqdmbus.sys
2009-07-21 22:31 . 2009-07-21 22:31 6208 ----a-w- c:\documents and settings\scott williamson\mqdmcmnt.sys
2009-07-21 22:31 . 2009-07-21 22:31 5936 ----a-w- c:\documents and settings\scott williamson\mqdmwhnt.sys
2009-07-21 22:31 . 2009-07-21 22:31 4048 ----a-w- c:\documents and settings\scott williamson\mqdmcr.sys
2009-07-21 22:31 . 2007-09-06 09:30 25600 ----a-w- c:\documents and settings\scott williamson\usbsermptxp.sys
2009-07-21 22:31 . 2007-09-06 09:30 22768 ----a-w- c:\documents and settings\scott williamson\usbsermpt.sys
2009-07-17 19:01 . 2004-08-04 04:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 11:32 . 2008-08-09 14:48 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-13 09:08 . 2004-08-04 04:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
.
------- Sigcheck -------
[-] 2009-10-04 . A29E1209F925A0E9B330E11DA5FC7BAB . 361600 . . [5.1.2600.5625] . . c:\windows\SYSTEM32\DRIVERS\TCPIP.SYS
[-] 2009-10-04 . A29E1209F925A0E9B330E11DA5FC7BAB . 361600 . . [5.1.2600.5625] . . c:\windows\SYSTEM32\DLLCACHE\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . CEE1276A4A71E3F8545D97C1AAD2A6B0 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]
"Google Update"="c:\documents and settings\scott williamson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-14 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BOC-425"="c:\progra~1\Comodo\CBOClean\BOC425.exe" [2007-11-26 342272]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Exif Launcher 2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-5-18 315392]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [28/07/2009 10:07 64160]
R2 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [19/03/2008 11:15 73472]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1028432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/08/2009 09:35 210216]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
S2 gupdate1c9b1e3241c1022;Google Update Service (gupdate1c9b1e3241c1022);c:\program files\Google\Update\GoogleUpdate.exe [31/03/2009 10:29 133104]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder
2009-09-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 09:11]
2009-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-10-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-18 13:16]
2009-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 09:28]
2009-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 09:28]
2009-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139415666-3503368196-1855859309-1006Core.job
- c:\documents and settings\scott williamson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-14 13:59]
2009-10-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-139415666-3503368196-1855859309-1006UA.job
- c:\documents and settings\scott williamson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-14 13:59]
2004-11-04 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]
2008-08-09 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-08-09 20:26]
2008-08-09 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-08-09 20:26]
2009-10-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mWindow Title = Tiscali 10.0
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Sonic RecordNow! - (no file)
HKCU-Run-eyeBeam SIP Client - (no file)
AddRemove-Yahoo! Anti-Spy - c:\progra~1\Yahoo!\YPSR\unwise32.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-09 08:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3800)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\progra~1\COMMON~1\Apple\MOBILE~1\bin\APPLEM~4.EXE
c:\windows\SYSTEM32\bgsvcgen.exe
c:\progra~1\Comodo\CBOClean\BOCore.exe
c:\progra~1\Bonjour\MDNSRE~1.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSK\msksrver.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\WBEM\UNSECAPP.EXE
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-10-09 8:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-09 07:50
Pre-Run: 72,235,008,000 bytes free
Post-Run: 72,109,019,136 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
817 --- E O F --- 2009-10-06 16:21
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:53:26, on 09/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\bgsvcgen.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\scott williamson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodate/bin/1,0,0,7/McUpdatePortal.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,21/mcgdmgr.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\SYSTEM32\bgsvcgen.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9b1e3241c1022) (gupdate1c9b1e3241c1022) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 9506 bytes
I hope I did this correctly, thank you for your help with this problem
Hi,
You had a lot of infected files that were replaced, not a good sign.
Download Dr.Web CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) to the desktop:
Double-click the drweb-cureit icon to start the program.
Press Start.
Allow the program to run the initial express scan.
This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop-up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours.)
During this complete scan, if Dr.Web finds an infection, a window will pop up requesting your attention. Select the Cure button.
Note: if the file cannot be cured, Dr.Web will automatically delete the file.
Once the scan is complete, on the menu bar, click File and choose Report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
Close Dr.Web CureIt.
Please post the Dr.Web.txt report in your next reply.
Hi, unfortunately my internet service provider (SKY) has disconnected me from the internet for bulk e-mail usage, I think that is what they said. I think this might be something to do with the computer being infected. Anyway, I have to wait until Monday to sort this out, so I will follow your instructions as soon as I have this done.
Once again thank you for your time and patience with this, and a donation will be made when sorted.
Hi, go to a known clean computer and download DrWebCurIt, copy it to a CD and transfer it to the infected one, run it, save the log and post it to me please
Hi, I did what you told me and downloaded DrWebCurIt and ran it. The quick scan finished and nothing was found, and when I ran the full scan it scanned for about 1 hour and then a message came up and it stopped scanning. The message said
qk9r6XP.exe
qk9r6XP.exe has encountered a problem and needs to close. We are sorry for this inconvenience.
There was also a message asking if I wanted to send this to Microsoft.
Thank you once again for helping me
Rescan with Dr.Web in Safe Mode, do a full scan.
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Hi Ken
I did what you said and started up in Safe Mode and ran DrWeb, but the same thing happened and it said it had to close down. Pulling my hair out.
Also contacted my internet service provider and they said they will connect me back up until I reformatted my hard drive.
Thanks
Scott
Scott,
With the amount of infected .exe files I am leaning to the fact that this computer is infected with Virut, and this virus is uncleanable. Even if this computer could be cleaned, it would leave it compromised, which means it can never be trusted to do any online transactions like banking or shopping. I feel that you should reformat and do a fresh reinstall of Windows. I have to warn you, a system repair won't work, you would just be copying over the bad stuff. This computer needs to be formatted right down to bare metal; even the partitions need to be deleted and a new one created. You cannot back up any of your programs and reinstall them as they're infected also.
This is what you're up against:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html
You can post here for help with the reinstall.
http://forums.whatthetech.com/Microsoft_Windows_f119.html
Ken
Hi Ken
Just wondered which, if any, of the malware cleaners that I have used I should reinstall after I have reformatted my computer, and any other recommendations?
I would do a fresh download of these two and run them at least once a week.
TFC <-- Yours to keep, run it about once a week to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community:
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
Safe Surfn
Ken