Wormwhole
2009-12-02, 21:13
Hi there,
My computer was recently infected with malware. I managed to remove most of the infected items (I think), but I have a couple of entries from a Spybot scan that I can't remove:
Fraud.WindowsProtectionSuite (12 entries)
and
Microsoft.Windows.RedirectedHosts (3 entries)
Any help in fixing this would be much appreciated.
When running HijackThis I got a pop-up with the following message:
"For some reason your system denied access to the hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this. etc..."
Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:57:48, on 02/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\PC Doc Pro v5\PC Doc Pro Scheduler.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\ben\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ben\.COMMgr\complmgr.exe
C:\DOCUME~1\ben\LOCALS~1\Temp\tmp_1378226274.exe
C:\Documents and Settings\ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\ben\Desktop\HijackThis.exe
C:\Documents and Settings\ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp.
O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ick] ironclk.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [PC Doc Pro Scheduler] C:\Program Files\PC Doc Pro v5\PC Doc Pro Scheduler.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [COM+ Manager] "C:\Documents and Settings\ben\.COMMgr\complmgr.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\QuickCam\eReg.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208099488862
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208466319859
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} -
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\rdolib.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
--
End of file - 13899 bytes
Hi,
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Wormwhole
2009-12-07, 21:59
Thanks for the reply, Blade81.
I have attached the two requested reports.
DDS (Ver_09-12-01.01) - NTFSx86
Run by ben at 19:52:05.95 on 07/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1415 [GMT 0:00]
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: System Defender *On-access scanning enabled* (Updated) {938E01C4-77AE-463F-9766-8062A1F32B18}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: System Defender *enabled* {AC1931BA-0701-401A-83D1-EA5A9809BE5A}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\system32\ironclk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\PC Doc Pro v5\PC Doc Pro Scheduler.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\ben\.COMMgr\complmgr.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
C:\Documents and Settings\ben\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spotify\spotify.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Documents and Settings\ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ben\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ben\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.sky.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.sky.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [PC Doc Pro Scheduler] c:\program files\pc doc pro v5\PC Doc Pro Scheduler.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [COM+ Manager] "c:\documents and settings\ben\.commgr\complmgr.exe"
uRun: [Google Update] "c:\documents and settings\ben\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ick] ironclk.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [RegistryMonitor1] "c:\windows\temp\CFE.tmp"
StartupFolder: c:\docume~1\ben\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\ben\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\quickcam\eReg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asuswi~1.lnk - c:\program files\asus wifi-ap solo\RtWLan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dmx6fi~1.lnk - c:\program files\terratec\dmx 6fire\DMX6Fire.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208099488862
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208466319859
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7}
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\rdolib.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts:
============= SERVICES / DRIVERS ===============
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-21 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-5-21 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-5-21 144704]
R3 dmxfire;DMX6fire WDM Audio;c:\windows\system32\drivers\dmx6fire.sys [2003-8-29 148724]
R3 dmxsens;dmxsens;c:\windows\system32\drivers\dmxsens.sys [2003-7-22 403968]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-5-21 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-5-21 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-5-21 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-5-21 40552]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-4-13 176128]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-4-13 13532]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-5-21 34248]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2009-6-8 23288]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
=============== Created Last 30 ================
2009-11-27 00:27:23 0 d-----w- C:\_OTM
2009-11-27 00:20:20 0 d-----w- c:\program files\ESET
2009-11-26 23:55:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-26 17:57:48 0 d-----w- c:\program files\trend micro
2009-11-20 18:06:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-20 17:23:31 0 d-sh--w- c:\documents and settings\ben\.COMMgr
2009-11-20 14:48:55 0 ----a-w- c:\windows\Qkufujehok.bin
2009-11-20 14:48:54 120 ----a-w- c:\windows\Wdoyececisuwaq.dat
2009-11-20 14:45:58 387 ----a-w- c:\windows\system32\uses32.dat
2009-11-20 14:45:58 30 ----a-w- c:\windows\system32\worker.info
2009-11-20 14:45:58 30 ----a-w- c:\windows\system32\thread.xml
2009-11-20 14:45:58 30 ----a-w- c:\windows\system32\config.data
2009-11-20 14:45:58 100 ----a-w- c:\windows\system32\flags.ini
2009-11-20 14:45:55 1 ----a-w- c:\documents and settings\ben\8D.tmp
2009-11-20 14:45:47 88 ----a-w- c:\documents and settings\ben\8B.tmp
2009-11-20 14:45:29 868 ----a-w- c:\windows\system32\984646.exe
2009-11-20 14:45:19 52 ----a-w- C:\NO MORE SPAM.url
2009-11-20 14:44:57 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-11-20 14:26:07 0 d-sh--w- c:\docume~1\ben\applic~1\System Defender
2009-11-20 14:25:46 0 d-sh--w- c:\docume~1\alluse~1\applic~1\575570d
2009-11-20 14:17:52 828908 ----a-w- c:\windows\system32\xa.tmp
2009-11-19 22:07:32 0 d-----w- c:\program files\CCleaner
2009-11-18 17:18:22 300544 ----a-w- c:\windows\system32\ironclk.exe
2009-11-17 22:23:10 253754 ----a-w- C:\Mikey_Dread_-_Roots_and_Culture.wav.asd
2009-11-17 22:22:53 31804428 ----a-w- C:\Mikey_Dread_-_Roots_and_Culture.wav
2009-11-17 22:20:15 308002 ----a-w- C:\Mikey_Dread_-_Warrior_Stylee.wav.asd
2009-11-17 22:19:17 23546892 ----a-w- C:\Mikey_Dread_-_Warrior_Stylee.wav
2009-11-08 23:22:11 2352 ----a-w- c:\docume~1\ben\applic~1\mpauth.dat
2009-11-08 01:13:41 3248 ----a-w- c:\windows\system32\wbem\Outlook_01ca6010b55ff16c.mof
==================== Find3M ====================
2009-11-28 02:08:10 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-11-27 22:31:13 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-26 23:55:24 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-20 21:13:01 1974272 ----a-r- c:\windows\system32\xRaidSetup.exe
2009-11-20 16:15:30 89088 ----a-w- c:\windows\system32\notepad.exe
2009-11-20 16:12:46 166400 ----a-w- c:\windows\regedit.exe
2009-11-20 16:12:12 44544 ----a-w- c:\windows\system32\userinit.exe
2009-11-20 15:29:32 3387392 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-20 15:27:39 53248 -c--a-r- c:\windows\inf\UpdateUSB.exe
2009-11-20 15:16:37 8704 ----a-w- c:\windows\system32\wdfmgr.exe
2009-11-20 15:16:37 8704 ----a-w- c:\windows\system32\uwdf.exe
2009-11-20 15:15:04 90112 ----a-w- c:\windows\system32\odbcconf.exe
2009-11-20 14:51:57 17408 ----a-w- c:\windows\system32\wpdshextautoplay.exe
2009-11-20 14:51:52 16896 ----a-w- c:\windows\system32\tswpfwrp.exe
2009-11-20 14:51:32 36864 ----a-w- c:\windows\system32\lgfwunis.exe
2009-11-20 14:50:49 35328 ----a-w- c:\windows\system32\taskman.exe
2009-11-20 14:50:15 40960 ----a-w- c:\windows\system32\cliconfg.exe
2009-11-20 14:50:11 29184 ----a-w- c:\windows\system32\WS2Fix.exe
2009-11-20 14:50:01 89088 ----a-w- c:\windows\system32\notepad.exe.tmp
2009-11-20 14:49:48 212992 ----a-w- c:\windows\system32\fsquirt.exe
2009-11-20 14:49:32 249856 ----a-w- c:\windows\system32\drmupgds.exe
2009-11-20 14:49:29 303104 ----a-w- c:\windows\system32\plink.exe
2009-11-20 14:49:25 209920 ----a-w- c:\windows\system32\WISPTIS.EXE
2009-11-20 14:49:22 48640 ----a-w- c:\windows\system32\verclsid.exe
2009-11-20 14:48:34 544768 ----a-w- c:\windows\system32\DivXsm.exe
2009-11-20 14:47:47 148992 ----a-w- c:\windows\UNWISE.EXE
2009-11-20 14:47:34 156160 ----a-w- c:\windows\system32\swreg.exe
2009-11-20 14:47:29 105472 ----a-w- c:\windows\system32\IEDFix.C.exe
2009-11-20 14:47:28 105472 ----a-w- c:\windows\system32\IEDFix.exe
2009-11-20 14:47:25 98304 ----a-w- c:\windows\system32\usrmlnka.exe
2009-11-20 14:47:25 90112 ----a-w- c:\windows\system32\usrshuta.exe
2009-11-20 14:47:25 81920 ----a-w- c:\windows\system32\usrprbda.exe
2009-11-20 14:47:25 110080 ----a-w- c:\windows\system32\VACFix.exe
2009-11-20 14:47:23 105472 ----a-w- c:\windows\system32\o4Patch.exe
2009-11-20 14:47:22 104448 ----a-w- c:\windows\system32\pintool.exe
2009-11-20 14:47:19 102304 ----a-w- c:\windows\system32\ATIODE.exe
2009-11-20 14:47:00 73728 ----a-w- c:\windows\amcap.exe
2009-11-20 14:46:59 71168 ----a-w- c:\windows\system32\dumphive.exe
2009-11-20 14:46:59 69632 ----a-w- c:\windows\system32\DSndUp.exe
2009-11-20 14:46:52 81920 ----a-w- c:\windows\system32\HdAShCut.exe
2009-11-20 14:46:50 71680 ----a-w- c:\windows\system32\migpwd.exe
2009-11-20 14:46:47 65536 ----a-w- c:\windows\system32\CleanUp.exe
2009-11-20 14:46:46 65536 ----a-w- c:\windows\system32\Synsopos.exe
2009-11-20 14:46:45 100864 ----a-w- c:\windows\system32\swxcacls.exe
2009-11-20 14:46:43 47584 ----a-w- c:\windows\system32\ATIODCLI.exe
2009-11-20 14:46:02 741376 ----a-w- c:\windows\iun6002.exe
2009-11-20 14:45:40 614400 ----a-w- c:\windows\system32\ati2sgag.exe
2009-11-20 14:45:39 105984 ----a-w- c:\windows\system32\netsh.exe.tmp
2009-11-20 14:44:58 46080 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-11-20 14:44:58 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-11-20 14:44:58 146432 ----a-w- c:\windows\system32\WudfHost.exe
2009-11-20 14:44:53 104960 ----a-w- c:\windows\system32\404Fix.exe
2009-11-20 14:44:47 185344 ----a-w- C:\UNWISE.EXE
2009-11-20 14:44:41 106496 ----a-w- c:\windows\unvise32.exe
2009-11-05 13:56:26 38400 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
============= FINISH: 19:53:45.75 ===============
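As an added example (not part of this thread, and not code from the DDS or Spybot tools), here is a small Python triage script that parses the "Hosts:", "IFEO:" and "AppInit_DLLs:" lines of a DDS pseudo-HJT report like the one above and returns the entries a helper would review first: several names redirected to one routable address (the pattern Spybot reports as Microsoft.Windows.RedirectedHosts), Image File Execution Options debugger entries, and any AppInit_DLLs value. The sample lines are copied from the posted log; the debugger allowlist is an illustrative assumption.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example for this thread; it is not part of DDS, HijackThis or Spybot.
It extracts the report lines behind the two Spybot findings discussed above
(hosts-file redirection and Image File Execution Options hijacks) plus any
AppInit_DLLs entry, and returns them as structured findings for review.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the posted DDS log.
SAMPLE_LINES = [
    "uStart Page = hxxp://www.sky.com/",
    r"AppInit_DLLs: c:\windows\system32\rdolib.dll",
    "IFEO: image file execution options - svchost.exe",
    "IFEO: brastk.exe - svchost.exe",
    "Hosts: 74.125.45.100 4-open-davinci.com",
    "Hosts: 74.125.45.100 securitysoftwarepayments.com",
    "Hosts: 74.125.45.100 privatesecuredpayments.com",
    "Hosts: 74.125.45.100 secure.privatesecuredpayments.com",
    "Hosts:",
    "Hosts: 127.0.0.1 localhost",
]

HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
IFEO_RE = re.compile(r"^IFEO:\s+(?P<image>.+?)\s+-\s+(?P<debugger>.+?)\s*$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s+(?P<dlls>.+?)\s*$")

# Addresses a hosts file may legitimately map names to (loopback / blackhole).
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Illustrative allowlist (assumption): debuggers that are normal to find as an
# IFEO "Debugger" value. Extend it for your own environment.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "ntsd.exe", "windbg.exe", "drwtsn32.exe"}


def parse_hosts(lines):
    """Return {ip: [hostnames]} for every 'Hosts:' line carrying an entry.
    DDS prints a bare 'Hosts:' for an empty hosts-file line; those are skipped."""
    by_ip = defaultdict(list)
    for line in lines:
        m = HOSTS_RE.match(line)
        if m:
            by_ip[m["ip"]].append(m["host"].lower())
    return dict(by_ip)


def redirected_hosts(by_ip):
    """Entries that send a hostname to a routable address.
    A clean XP hosts file only maps localhost to 127.0.0.1, so any mapping to a
    non-local IP is a redirection to review; several names sharing one IP is
    the shape of the RedirectedHosts finding in this thread."""
    return [
        {"ip": ip, "hosts": sorted(hosts)}
        for ip, hosts in by_ip.items()
        if ip not in LOCAL_IPS
    ]


def ifeo_hijacks(lines):
    """IFEO entries whose Debugger value is not a known debugger.
    Windows launches the Debugger instead of the named image, so an entry that
    points a program at something like svchost.exe silently blocks it."""
    findings = []
    for line in lines:
        m = IFEO_RE.match(line)
        if not m:
            continue
        debugger = m["debugger"].strip().lower()
        # Compare on the executable name only (strip path and any arguments).
        exe = debugger.split()[0].rsplit("\\", 1)[-1]
        if exe not in KNOWN_DEBUGGERS:
            findings.append({"image": m["image"].strip(), "debugger": m["debugger"].strip()})
    return findings


def appinit_dlls(lines):
    """AppInit_DLLs values; the XP default is empty, so any value is reviewed."""
    return [m["dlls"] for m in (APPINIT_RE.match(l) for l in lines) if m]


def triage(lines):
    """Run all three checks over the report lines and return the findings."""
    return {
        "redirected_hosts": redirected_hosts(parse_hosts(lines)),
        "ifeo_hijacks": ifeo_hijacks(lines),
        "appinit_dlls": appinit_dlls(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(key, value)
```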
Hi,
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Wormwhole
2009-12-08, 22:18
Hi Blade81, thanks again.
Here is the requested log;
(I have also attached the 2nd DDS log)
ComboFix 09-12-08.03 - ben 08/12/2009 19:45:47.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1545 [GMT 0:00]
Running from: c:\documents and settings\ben\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\ben\Application Data\System Defender
c:\documents and settings\ben\Application Data\System Defender\cookies.sqlite
c:\documents and settings\ben\Application Data\System Defender\Instructions.ini
c:\documents and settings\ben\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\system32\404Fix.exe
c:\windows\system32\984646.exe
c:\windows\system32\config.data
c:\windows\system32\dumphive.exe
c:\windows\system32\flags.ini
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Install.txt
c:\windows\system32\o4Patch.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\thread.xml
c:\windows\system32\tmp.reg
c:\windows\system32\uses32.dat
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\worker.info
c:\windows\system32\WS2Fix.exe
c:\windows\system32\xa.tmp
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
E:\install.exe
c:\windows\regedit.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\atmadm.exe . . . is infected!!
c:\windows\system32\attrib.exe . . . is infected!!
c:\windows\system32\auditusr.exe . . . is infected!!
c:\windows\system32\chkdsk.exe . . . is infected!!
c:\windows\system32\chkntfs.exe . . . is infected!!
c:\windows\system32\cidaemon.exe . . . is infected!!
c:\windows\system32\ckcnv.exe . . . is infected!!
c:\windows\system32\clipsrv.exe . . . is infected!!
c:\windows\system32\cmmon32.exe . . . is infected!!
c:\windows\system32\control.exe . . . is infected!!
c:\windows\system32\convert.exe . . . is infected!!
c:\windows\system32\doskey.exe . . . is infected!!
c:\windows\system32\dumprep.exe . . . is infected!!
c:\windows\system32\esentutl.exe . . . is infected!!
c:\windows\system32\eventvwr.exe . . . is infected!!
c:\windows\system32\fc.exe . . . is infected!!
c:\windows\system32\find.exe . . . is infected!!
c:\windows\system32\finger.exe . . . is infected!!
c:\windows\system32\forcedos.exe . . . is infected!!
c:\windows\system32\fsquirt.exe . . . is infected!!
c:\windows\system32\ftp.exe . . . is infected!!
c:\windows\system32\grpconv.exe . . . is infected!!
c:\windows\system32\help.exe . . . is infected!!
c:\windows\system32\hostname.exe . . . is infected!!
c:\windows\system32\ipsec6.exe . . . is infected!!
c:\windows\system32\label.exe . . . is infected!!
c:\windows\system32\lpq.exe . . . is infected!!
c:\windows\system32\lpr.exe . . . is infected!!
c:\windows\system32\mountvol.exe . . . is infected!!
c:\windows\system32\mrinfo.exe . . . is infected!!
c:\windows\system32\msdtc.exe . . . is infected!!
c:\windows\system32\msswchx.exe . . . is infected!!
c:\windows\system32\mstinit.exe . . . is infected!!
c:\windows\system32\net.exe . . . is infected!!
c:\windows\system32\netstat.exe . . . is infected!!
Infected copy of c:\windows\system32\notepad.exe was found and disinfected
Restored copy from - c:\windows\notepad.exe
c:\windows\system32\odbcconf.exe . . . is infected!!
c:\windows\system32\osuninst.exe . . . is infected!!
c:\windows\system32\ping6.exe . . . is infected!!
c:\windows\system32\print.exe . . . is infected!!
c:\windows\system32\proxycfg.exe . . . is infected!!
c:\windows\system32\rasautou.exe . . . is infected!!
c:\windows\system32\rasdial.exe . . . is infected!!
c:\windows\system32\rcimlby.exe . . . is infected!!
c:\windows\system32\rdsaddin.exe . . . is infected!!
c:\windows\system32\recover.exe . . . is infected!!
c:\windows\system32\regini.exe . . . is infected!!
c:\windows\system32\regsvr32.exe . . . is infected!!
c:\windows\system32\replace.exe . . . is infected!!
c:\windows\system32\reset.exe . . . is infected!!
c:\windows\system32\rexec.exe . . . is infected!!
c:\windows\system32\rsh.exe . . . is infected!!
c:\windows\system32\rundll32.exe . . . is infected!!
c:\windows\system32\runonce.exe . . . is infected!!
c:\windows\system32\savedump.exe . . . is infected!!
c:\windows\system32\sc.exe . . . is infected!!
c:\windows\system32\sfc.exe . . . is infected!!
c:\windows\system32\shadow.exe . . . is infected!!
c:\windows\system32\shmgrate.exe . . . is infected!!
c:\windows\system32\smbinst.exe . . . is infected!!
c:\windows\system32\spiisupd.exe . . . is infected!!
c:\windows\system32\spnpinst.exe . . . is infected!!
c:\windows\system32\stimon.exe . . . is infected!!
c:\windows\system32\subst.exe . . . is infected!!
c:\windows\system32\syskey.exe . . . is infected!!
c:\windows\system32\tcmsetup.exe . . . is infected!!
c:\windows\system32\tracert.exe . . . is infected!!
c:\windows\system32\tscon.exe . . . is infected!!
c:\windows\system32\tscupgrd.exe . . . is infected!!
c:\windows\system32\tsdiscon.exe . . . is infected!!
c:\windows\system32\typeperf.exe . . . is infected!!
c:\windows\system32\usrmlnka.exe . . . is infected!!
c:\windows\system32\usrprbda.exe . . . is infected!!
c:\windows\system32\usrshuta.exe . . . is infected!!
c:\windows\system32\vssadmin.exe . . . is infected!!
Infected copy of c:\windows\system32\winhlp32.exe was found and disinfected
Restored copy from - c:\windows\winhlp32.exe
c:\windows\system32\winmsd.exe . . . is infected!!
c:\windows\system32\wscntfy.exe . . . is infected!!
Infected copy of c:\windows\regedit.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{F0D53265-AC51-4BA1-AB79-32F269A4058C}\RP425\A0185634.exe
.
((((((((((((((((((((((((( Files Created from 2009-11-08 to 2009-12-08 )))))))))))))))))))))))))))))))
.
2009-12-02 18:54 . 2009-12-02 18:54 -------- d-----w- c:\program files\ERUNT
2009-11-27 00:27 . 2009-11-27 00:27 -------- d-----w- C:\_OTM
2009-11-27 00:20 . 2009-11-27 00:20 -------- d-----w- c:\program files\ESET
2009-11-26 18:42 . 2009-11-26 18:42 -------- d-----w- c:\program files\Opera
2009-11-26 18:28 . 2009-11-26 18:28 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-26 18:27 . 2009-11-26 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-26 17:57 . 2009-11-26 18:42 -------- d-----w- c:\program files\trend micro
2009-11-26 17:57 . 2009-11-26 18:00 -------- d-----w- C:\rsit
2009-11-26 17:37 . 2009-11-26 17:37 -------- d-----w- c:\documents and settings\ben\Local Settings\Application Data\Opera
2009-11-20 21:14 . 2009-11-20 21:14 -------- d-----w- c:\program files\Common Files\Apple
2009-11-20 18:06 . 2009-11-23 14:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-20 17:23 . 2009-12-02 18:34 -------- d-sh--w- c:\documents and settings\ben\.COMMgr
2009-11-20 14:48 . 2009-11-20 14:48 0 ----a-w- c:\windows\Qkufujehok.bin
2009-11-20 14:48 . 2009-11-20 14:48 120 ----a-w- c:\windows\Wdoyececisuwaq.dat
2009-11-20 14:48 . 2009-11-20 14:48 -------- d-----w- c:\documents and settings\ben\Local Settings\Application Data\{C575523F-7166-49EE-B795-3779BCC6A736}
2009-11-20 14:36 . 2009-11-20 14:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-11-20 14:25 . 2009-11-20 16:19 -------- d-sh--w- c:\documents and settings\All Users\Application Data\575570d
2009-11-19 22:07 . 2009-11-19 22:07 -------- d-----w- c:\program files\CCleaner
2009-11-18 17:18 . 2009-11-19 12:27 300544 ----a-w- c:\windows\system32\ironclk.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-08 20:03 . 2008-05-08 21:42 -------- d-----w- c:\program files\lg_fwupdate
2009-12-07 18:51 . 2009-07-09 22:31 -------- d-----w- c:\documents and settings\ben\Application Data\Spotify
2009-12-05 19:27 . 2008-05-15 21:05 -------- d-----w- c:\program files\Steam
2009-11-30 18:57 . 2008-04-19 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-28 16:57 . 2008-12-28 13:22 -------- d-----w- c:\program files\LiveOnlineFooty.com
2009-11-28 03:54 . 2009-06-19 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-11-28 03:54 . 2009-06-19 18:04 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-11-28 02:08 . 2009-06-19 18:11 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-11-27 22:47 . 2009-05-16 21:04 -------- d-----w- c:\documents and settings\ben\Application Data\Yahoo!
2009-11-27 22:31 . 2009-06-19 18:12 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-26 23:55 . 2009-05-20 18:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-26 23:50 . 2008-04-20 06:58 -------- d-----w- c:\program files\Java
2009-11-26 18:42 . 2008-04-21 19:00 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-26 18:27 . 2009-11-26 18:27 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-26 17:18 . 2009-05-21 17:58 -------- d-----w- c:\program files\McAfee
2009-11-20 21:23 . 2009-11-08 23:22 2352 ----a-w- c:\documents and settings\ben\Application Data\mpauth.dat
2009-11-20 21:13 . 2008-04-13 14:11 1974272 ----a-r- c:\windows\system32\xRaidSetup.exe
2009-11-20 16:12 . 2004-08-03 23:56 44544 ----a-w- c:\windows\system32\userinit.exe
2009-11-20 15:35 . 2004-08-03 23:56 166400 ----a-w- c:\windows\regedit.exe
2009-11-20 15:29 . 2009-05-01 18:30 3387392 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-20 15:27 . 2008-04-13 13:58 53248 -c--a-r- c:\windows\inf\UpdateUSB.exe
2009-11-20 15:16 . 2005-01-28 12:44 8704 ----a-w- c:\windows\system32\wdfmgr.exe
2009-11-20 15:16 . 2005-01-28 12:44 8704 ----a-w- c:\windows\system32\uwdf.exe
2009-11-20 15:15 . 2004-08-03 23:56 90112 ----a-w- c:\windows\system32\odbcconf.exe
2009-11-20 14:51 . 2006-10-18 19:00 17408 ----a-w- c:\windows\system32\wpdshextautoplay.exe
2009-11-20 14:51 . 2007-10-09 11:58 16896 ----a-w- c:\windows\system32\tswpfwrp.exe
2009-11-20 14:51 . 2008-05-08 21:42 36864 ----a-w- c:\windows\system32\lgfwunis.exe
2009-11-20 14:50 . 2001-08-23 12:00 35328 ----a-w- c:\windows\system32\taskman.exe
2009-11-20 14:50 . 2004-08-03 23:56 40960 ----a-w- c:\windows\system32\cliconfg.exe
2009-11-20 14:50 . 2004-08-03 23:56 89088 ----a-w- c:\windows\system32\notepad.exe.tmp
2009-11-20 14:49 . 2004-08-03 23:56 212992 ----a-w- c:\windows\system32\fsquirt.exe
2009-11-20 14:49 . 2006-10-18 19:00 249856 ----a-w- c:\windows\system32\drmupgds.exe
2009-11-20 14:49 . 2009-02-11 20:38 303104 ----a-w- c:\windows\system32\plink.exe
2009-11-20 14:49 . 2002-08-21 04:13 209920 ----a-w- c:\windows\system32\WISPTIS.EXE
2009-11-20 14:49 . 2006-03-17 00:38 48640 ----a-w- c:\windows\system32\verclsid.exe
2009-11-20 14:48 . 2008-03-21 20:30 544768 ----a-w- c:\windows\system32\DivXsm.exe
2009-11-20 14:47 . 2008-05-19 20:09 148992 ----a-w- c:\windows\UNWISE.EXE
2009-11-20 14:47 . 2001-08-17 22:37 98304 ----a-w- c:\windows\system32\usrmlnka.exe
2009-11-20 14:47 . 2001-08-17 22:37 90112 ----a-w- c:\windows\system32\usrshuta.exe
2009-11-20 14:47 . 2001-08-17 22:37 81920 ----a-w- c:\windows\system32\usrprbda.exe
2009-11-20 14:47 . 2005-10-28 22:49 104448 ----a-w- c:\windows\system32\pintool.exe
2009-11-20 14:47 . 2007-07-20 02:19 102304 ----a-w- c:\windows\system32\ATIODE.exe
2009-11-20 14:47 . 2008-05-12 19:39 73728 ----a-w- c:\windows\amcap.exe
2009-11-20 14:46 . 2008-04-13 14:07 69632 ----a-w- c:\windows\system32\DSndUp.exe
2009-11-20 14:46 . 2004-10-27 14:21 81920 ----a-w- c:\windows\system32\HdAShCut.exe
2009-11-20 14:46 . 2001-08-23 12:00 71680 ----a-w- c:\windows\system32\migpwd.exe
2009-11-20 14:46 . 2008-04-13 14:07 65536 ----a-w- c:\windows\system32\CleanUp.exe
2009-11-20 14:46 . 2009-06-08 19:47 65536 ----a-w- c:\windows\system32\Synsopos.exe
2009-11-20 14:46 . 2007-07-20 02:19 47584 ----a-w- c:\windows\system32\ATIODCLI.exe
2009-11-20 14:46 . 2008-04-21 20:49 741376 ----a-w- c:\windows\iun6002.exe
2009-11-20 14:45 . 2009-11-20 14:45 1 ----a-w- c:\documents and settings\ben\8D.tmp
2009-11-20 14:45 . 2009-11-20 14:45 88 ----a-w- c:\documents and settings\ben\8B.tmp
2009-11-20 14:45 . 2008-04-13 15:14 614400 ----a-w- c:\windows\system32\ati2sgag.exe
2009-11-20 14:45 . 2004-08-03 23:56 105984 ----a-w- c:\windows\system32\netsh.exe.tmp
2009-11-20 14:44 . 2007-11-02 04:01 46080 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-11-20 14:44 . 2006-09-28 17:56 146432 ----a-w- c:\windows\system32\WudfHost.exe
2009-11-20 14:44 . 2004-08-03 22:14 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-11-20 14:44 . 2009-11-20 14:44 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-11-20 14:44 . 2008-04-21 20:18 185344 ----a-w- C:\UNWISE.EXE
2009-11-20 14:44 . 2008-05-14 18:43 106496 ----a-w- c:\windows\unvise32.exe
2009-11-07 13:06 . 2009-11-20 14:26 443384 ----a-w- c:\documents and settings\All Users\Application Data\575570d\sqlite3.dll
2009-11-07 13:06 . 2009-11-20 14:26 710136 ----a-w- c:\documents and settings\All Users\Application Data\575570d\mozcrt19.dll
2009-11-05 13:58 . 2009-11-05 13:58 -------- d-----w- c:\documents and settings\ben\Application Data\Malwarebytes
2009-11-05 13:58 . 2009-11-05 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 13:58 . 2009-11-05 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-05 13:56 . 2009-11-05 13:56 38400 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-05 13:56 . 2009-11-05 13:56 -------- d-----w- c:\documents and settings\ben\Application Data\Apple Computer
2009-11-03 19:22 . 2008-05-09 21:05 -------- d-----w- c:\program files\Yahoo!
2009-11-03 14:46 . 2008-05-09 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-10 07:07 . 2009-11-26 18:28 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-22 23:00 . 2009-07-07 00:52 10686001 ----a-w- c:\documents and settings\ben\Application Data\Azureus\plugins\azump\mplayer.exe
2009-09-17 22:18 . 2008-04-13 15:23 46096 -c--a-w- c:\documents and settings\ben\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 09:22 . 2009-05-21 17:59 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 09:22 . 2009-05-21 17:59 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 09:22 . 2009-05-21 17:59 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 09:22 . 2009-03-25 10:06 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 09:22 . 2009-05-21 17:55 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:33 . 2004-08-03 23:56 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 14:54 . 2009-11-05 13:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 . 2009-11-05 13:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.
------- Sigcheck -------
[-] 2009-11-20 . 073941D59AE065910064B728DEE981EE . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2009-11-20 . 073941D59AE065910064B728DEE981EE . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2009-11-20 . 7D08EF9A768F937F696F0D5C6CD7711A . 44544 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe
[-] 2009-11-20 . D2470230C5B396E7D2919E33884DDA0B . 46080 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2009-11-20 . 044BEEF03328EB40B85B794EA413BE07 . 33792 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe
[-] 2009-11-20 . 3F0AAFB7B06ECE3348DF9F4867D8169E . 33792 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wscntfy.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"PC Doc Pro Scheduler"="c:\program files\PC Doc Pro v5\PC Doc Pro Scheduler.exe" [2009-06-16 183784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"COM+ Manager"="c:\documents and settings\ben\.COMMgr\complmgr.exe" [2009-12-08 371712]
"Google Update"="c:\documents and settings\ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-27 135664]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2009-11-20 40792]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2009-11-20 1974272]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-20 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-19 185896]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-05-08 249856]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-20 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ick"="ironclk.exe" [2009-11-19 300544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-26 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\ben\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-4-13 987136]
DMX 6fire 2496 ControlPanel.lnk - c:\program files\TerraTec\DMX 6fire\DMX6Fire.exe [2008-4-17 335872]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2008-02-26 01:23 443968 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2009-11-20 15:37 749568 -c--a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2009-11-20 15:37 888832 -c--a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-11-20 14:50 2280448 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-10-24 03:05 1217808 ----a-w- c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-11-26 23:55 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Ableton\\Live 6.0.1\\Program\\Live 6.0.1.exe"=
"c:\\Program Files\\Steam\\SteamApps\\bencottle\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\company of heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\company of heroes\\help.htm"=
"c:\\Program Files\\Steam\\SteamApps\\common\\company of heroes\\RelicCOH.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fifa manager 10\\Manager10.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [21/05/2009 18:02 203280]
R3 dmxfire;DMX6fire WDM Audio;c:\windows\system32\drivers\dmx6fire.sys [29/08/2003 08:30 148724]
R3 dmxsens;dmxsens;c:\windows\system32\drivers\dmxsens.sys [22/07/2003 13:07 403968]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [13/04/2008 14:13 176128]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [13/04/2008 14:13 13532]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [08/06/2009 19:47 23288]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - SJYPKT
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
.
- - - - ORPHANS REMOVED - - - -
Toolbar-tron - (no file)
Toolbar-tron - (no file)
Toolbar-tron - (no file)
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-PcSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
AddRemove-FabFilter Volcano_is1 - c:\documents and settings\ben\Desktop\New Folder\%VSTPLUGINS%\FabFilter\Volcano\Uninstall\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-08 20:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
COM+ Manager = "c:\documents and settings\ben\.COMMgr\complmgr.exe"?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1004336348-1454471165-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:eb,d8,e7,44,34,b5,9a,ad,c8,3e,87,7c,01,d1,0b,f0,83,05,21,d9,d3,9d,fd,
5e,c7,7b,20,38,7d,9d,84,47,22,7e,3e,b3,71,bd,ed,9d,3c,a6,06,af,4a,bb,fd,fb,\
"??"=hex:53,79,b5,64,e2,b9,6f,0a,b6,2c,8e,8a,e2,e6,e4,3b
[HKEY_USERS\S-1-5-21-1004336348-1454471165-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:bd,2e,72,13,b0,98,d3,ef,fe,db,ba,a2,82,a7,d4,15,9e,8d,da,b6,f1,
7a,9f,ba,f8,c5,9e,f0,61,ed,b0,68,62,9b,3c,e8,fa,34,47,64,70,8f,1e,05,ce,7c,\
"rkeysecu"=hex:93,98,96,68,c2,b3,93,c9,d6,18,c7,48,4b,1f,b8,a0
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1628)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\documents and settings\ben\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2009-12-08 20:10:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-08 20:10
Pre-Run: 16,177,094,656 bytes free
Post-Run: 16,209,223,680 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - DD543459AF75C4565CF800AF4F4F2015
Hi,
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back the report.
Wormwhole
2009-12-10, 00:06
Hi Blade81
Here is the requested report;
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 9, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 09, 2009 11:12:15
Records in database: 3346997
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - Critical areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\ben\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics:
Objects scanned: 84953
Threats found: 4
Infected objects found: 28
Suspicious objects found: 0
Scan duration: 01:17:48
File name / Threat / Threats count
svchost.exe\mswsock32.dll/svchost.exe\mswsock32.dll Infected: Trojan.Win32.Agent.dbjp 3
C:\WINDOWS\system32\mswsock32.dll/C:\WINDOWS\system32\mswsock32.dll Infected: Trojan.Win32.Agent.dbjp 16
spoolsv.exe\mswsock32.dll/spoolsv.exe\mswsock32.dll Infected: Trojan.Win32.Agent.dbjp 1
msksrver.exe\mswsock32.dll/msksrver.exe\mswsock32.dll Infected: Trojan.Win32.Agent.dbjp 1
MpfSrv.exe\mswsock32.dll/MpfSrv.exe\mswsock32.dll Infected: Trojan.Win32.Agent.dbjp 1
C:\Documents and Settings\ben\.COMMgr\complmgr.exe/C:\Documents and Settings\ben\.COMMgr\complmgr.exe Infected: Trojan.Win32.Scar.awqd 1
iexplore.exe\mswsock32.dll/iexplore.exe\mswsock32.dll Infected: Trojan.Win32.Agent.dbjp 1
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\installShell64.exe Infected: Virus.Win32.Virut.ce 1
C:\Program Files\Mozilla Firefox\chrome\error.jar Infected: Trojan.Win32.Agent.aykf 1
C:\WINDOWS\OPTIONS\CABS\PnpX64.exe Infected: Virus.Win32.Virut.ce 1
C:\WINDOWS\system32\mswsock32.dll Infected: Trojan.Win32.Agent.dbjp 1
Selected area has been scanned.
Your system is infected with a nasty variant of Virut (http://www.f-secure.com/v-descs/virus_w32_virut.shtml), a polymorphic file infector (http://www.virusbtn.com/resources/glossary/file_infector_virus.xml) with IRCBot (http://en.wikipedia.org/wiki/IRC_bot) functionality which infects .exe and .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. Virux (http://blog.trendmicro.com/virux-cases-escalate/) is an even more complex file infector which also infects script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.
The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.
McAfee Risk Assessment and Overview of W32/Virut (http://vil.nai.com/vil/content/v_143034.htm)
miekiemoes' Blog on Virut (http://miekiemoes.blogspot.com/2008/06/virut-is-back-again-sigh.html).
Virut and other File infectors - Throwing in the Towel? (http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html)
This kind of infection is contracted and spread by visiting remote, crack (http://en.wikipedia.org/wiki/Cracker_(computing)) and keygen (http://wiki.answers.com/Q/What_is_a_keygen) sites. These types of sites are infested with a smörgåsbord of malware and are an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting (http://wiki.answers.com/Q/What_does_it_mean_to_reformat_a_computer) and reinstalling the OS.
...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...
Keygen and Crack Sites Distribute VIRUX and FakeAV (http://blog.trendmicro.com/crack-sites-distribute-virux-and-fakeav/)
If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
What Should I Do If I've Become A Victim Of Identity Theft? (http://www.usdoj.gov/criminal/fraud/websites/idtheft.html#whatifvictim)
Identity Theft Victims Guide - What to do (http://www.privacyrights.org/fs/fs17a.htm)
There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Help: I Got Hacked. Now What Do I Do? (http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx)
Where to draw the line? When to recommend a format and reinstall? (http://miekiemoes.blogspot.com/2008/06/malware-removal-where-to-draw-line.html)
If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even the vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.
I DO NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against my advice.
These are links to Anti-virus vendors that offer free LiveCD or Rescue CD files which you boot from to repair unbootable and damaged systems, rescue data, and scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image (http://en.wikipedia.org/wiki/ISO_image) file format. Avira uses an EXE that has built-in CD burning capability.
Avira AntiVir Rescue System (http://www.raymond.cc/blog/archives/2008/06/28/free-avira-antivir-rescue-system-cd-to-clean-unremovable-virus/) - Avira's download page (http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html).
If you encounter problems running the Rescue Disk, you can get further assistance at the Avira Tools Support Forum (http://forum.avira.com/wbb/index.php?page=Board&boardID=210).
Dr Web LiveCD (http://www.freedrweb.com/livecd/). Be sure to print out and follow the instructions provided in the User Manual (ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf).
F-Secure Rescue CD (http://www.techmixer.com/free-f-secure-rescue-bootable-cd-to-clean-virus-and-malware/) - Rescue CD 3.01 released (http://www.f-secure.com/linux-weblog/2008/06/).
Video: How to Remove Malware with F-Secure Rescue CD (http://blog.misec.net/2008/09/19/removing-malware-with-f-secure-rescue-cd/)
If you encounter problems running the Rescue CD, you can get further assistance at the F-Secure Support Forum (http://forum.f-secure.com/default.asp?sectionid=0).
BitDefender LiveCD (http://www.techmixer.com/bitdefender-rescue-cd-with-auto-update-virus-definition-features/) - Index of /rescue_cd (http://download.bitdefender.com/rescue_cd/)
If you encounter problems running the Rescue CD, you can get further assistance at the BitDefender Support Forum (http://forum.bitdefender.com/index.php?showforum=185).
Kaspersky RescueDisk (http://www.techmixer.com/kaspersky-rescue-disk-load-kaspersky-antivirus-2009-using-dos/) - Index of /devbuilds/RescueDisk/ (http://ftp.kaspersky.com/devbuilds/RescueDisk/)
If you encounter problems running the RescueDisk, you can get further assistance at the Kaspersky Support Forum (http://forum.kaspersky.com/index.php?showforum=4).
If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO (http://www.bleepingcomputer.com/tutorials/tutorial114.html). If you need a FREE utility to burn the ISO image, download and use ImgBurn (http://www.imgburn.com/).
Wormwhole
2009-12-14, 13:26
OK, thanks for your help blade.
I'll give that a go.
I have an external hard drive that auto runs when it's switched on. I think it might have a few .exe files on it too.
I'm guessing that might be affected as well right?
How would you suggest I get the other files off that harddrive and onto a new one?
Hi,
You have to disable autorun before plugging the external drive in:
1. Download Flash_Disinfector (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) and save it to your Desktop.
2. After downloading, double-click on Flash_Disinfector to run it.
3. Just follow the prompts and continue until it begins scanning.
4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
5. It will scan removable drives, wait for the scan to finish. Done.
After that run Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) to check your external drive and delete bad items. The safest way would be to reformat whole external drive though.
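Before an external drive like this is plugged into a clean machine, it helps to know what its autorun.inf would ask Windows to launch. This is an added Python example for this thread, not Flash_Disinfector's or any vendor's code; it assumes the classic [autorun] keys that Windows AutoRun honours (open, shellexecute, shell\verb\command), and the sample autorun.inf and temporary drive directory are constructed.

```python
"""Report what an autorun.inf on a removable drive would launch (added example
for this thread, not Flash_Disinfector's code). Assumes the classic [autorun]
keys Windows AutoRun honours; the sample file is constructed."""
import configparser
import os
import tempfile

SAMPLE_AUTORUN_INF = """; constructed sample, not from the poster's drive
[autorun]
open=setup.exe /s
icon=setup.exe,0
shell\\explore\\command=setup.exe /e
label=Backup Drive
"""


def autorun_targets(drive_root):
    """Return (key, command) pairs the drive's autorun.inf asks Windows to run,
    [] if there is none, or [('unparseable', path)] if it cannot be parsed."""
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    # strict=False tolerates repeated keys, which hostile files often contain
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str.lower  # autorun.inf keys are case-insensitive
    try:
        with open(path, encoding="latin-1", errors="replace") as f:
            cp.read_file(f)
    except configparser.Error:
        return [("unparseable", path)]
    if not cp.has_section("autorun"):
        return []
    targets = []
    for key, value in cp.items("autorun"):
        # open= and shellexecute= run directly; shell\<verb>\command= runs
        # when that verb is chosen (or is the default verb) from the menu
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, (value or "").strip()))
    return targets


def make_sample_drive():
    """Temporary directory standing in for the external drive (constructed)."""
    root = tempfile.mkdtemp(prefix="extdrive_")
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write(SAMPLE_AUTORUN_INF)
    return root
```

Any non-empty result is a reason to keep AutoRun disabled and treat the named executables as suspect until the drive has been scanned.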
Wormwhole
2009-12-14, 22:26
Hi blade,
But should I do this after I have reformatted the PC's hard drive, or can I do it now?
And when I reformat the external HD, should I have already moved the files onto a new one?
Thanks
But should I do this after I have reformatted the PC's hard drive, or can I do it now?
It can be done after Flash disinfector has been run.
And when I reformat the external HD, should I have already moved the files onto a new one?
Reformat will empty the external drive, so you have to move important files before that. Keep in mind that backing up those file types listed in my post earlier (see the Virut related one) should be avoided.
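Moving the important files off the drive while leaving behind the types Virut and Virux infect (.exe and .scr, plus .php, .asp and .html, as listed earlier in the thread) is easy to get wrong by hand. This is an added Python example, not the helper's or any vendor's code; it assumes .htm should be treated like .html, also refuses to carry over autorun.inf, and the sample drive contents are constructed.

```python
"""Copy user data off a possibly infected external drive while leaving behind
the file types this thread says Virut/Virux infect (added example, not the
helper's or any vendor's code). Assumption: .htm is treated like .html."""
import os
import shutil
import tempfile

# Virut infects .exe and .scr; Virux additionally .php, .asp and .html (per
# the thread). autorun.inf is skipped so the copy cannot re-trigger AutoRun.
INFECTABLE = {".exe", ".scr", ".php", ".asp", ".html", ".htm"}


def filtered_backup(src_root, dst_root):
    """Copy everything under src_root into dst_root except infectable types.
    Returns (copied, skipped): sorted lists of relative paths using '/'."""
    copied, skipped = [], []
    for dirpath, _dirs, filenames in os.walk(src_root):
        rel_dir = os.path.relpath(dirpath, src_root)
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in INFECTABLE or name.lower() == "autorun.inf":
                skipped.append(rel)
                continue
            dst = os.path.join(dst_root, *rel.split("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.join(dirpath, name), dst)
            copied.append(rel)
    return sorted(copied), sorted(skipped)


def make_sample_drive():
    """Constructed stand-in for the external drive: documents plus files that must stay behind."""
    root = tempfile.mkdtemp(prefix="extdrive_")
    files = {"autorun.inf": "[autorun]\nopen=setup.exe\n", "setup.exe": "MZ stub",
             "docs/report.doc": "report", "docs/notes.txt": "notes",
             "photos/holiday.jpg": "jpeg (constructed)", "site/index.html": "<html>"}
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    return root


def run_demo():
    """Back up the sample drive into a fresh directory; returns (copied, skipped)."""
    return filtered_backup(make_sample_drive(), tempfile.mkdtemp(prefix="backup_"))
```

The skipped list is worth keeping: it tells you which files still need to be obtained again from a clean source after the reformat.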