View Full Version : Suspected virus - symptoms gradually worsening
Hi there,
I suspect a virus infection but the symptoms until recently have been subtle - a rogue pop-up tab window opening once in a while using Firefox, and a svchost.exe process running occasionally and taking up most of the processor power. AVG scans and Spybot scans do not show anything suspicious, although if I leave the PC for a while sometimes the AVG resident shield will fire up a warning about a Trojan. 2 days ago the PC suddenly rebooted and would not complete a boot-up sequence, rebooting once again before the desktop was complete. I was able to restart by pressing F8 and choosing 'Select Last Known Working Configuration' However the problem seems to be getting worse today and it has been difficult to restart successfully. As requested in your FAQs please find attached the DDS and attach logs. I see from your FAQ that you ask us to post the logs but the program says zip and attach the attach.txt ??
Regards,
Keith
DDS (Ver_10-03-17.01) - NTFSx86
Run by keith at 13:32:49.95 on 26/07/2010
Internet Explorer: 6.0.2900.2149
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.56 [GMT 1:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe 4
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe 4
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\Netdrive\ndsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\keith\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mSearch Page =
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common
files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [{95C5721D-2FA0-4EA2-8C50-ADF841EF840B}] "c:\documents and settings\keith\application data\loar\guled.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
mPolicies-explorer: UseDesktopIniCache = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program
files\java\jre1.6.0_04\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
IFEO: RapportMgmtService.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: RapportService.exe - ZASRAKOMONDOHUI31338.EXE
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\keith\applic~1\mozilla\firefox\profiles\8f26ffzs.default\
FF - prefs.js: browser.startup.homepage -
hxxp://www.google.co.uk/|http://uk.mc867.mail.yahoo.com/mc/welcome?.partner=bt-1&.gx=1&.tm=1264517933&.rand=4iu43c05tk8lv#_pg
=welcome&&.rand=121126838&clean&.jsrand=1109760|http://www.metoffice.gov.uk/weather/uk/radar/|http://www.sat24.com/gb|http://
www.westwind.ch/?link=ukmb,http://www2.wetter3.de/Fax/,.gif,bracknell+00,bracknell+24,bracknell+36,bracknell+48,bracknell+60,
bracknell+72,bracknell+84,bracknell+96,bracknell+120
FF - plugin: c:\documents and settings\keith\application
data\mozilla\firefox\profiles\8f26ffzs.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js -
pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-27 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-6 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-6 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-6 108552]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-3-7 394952]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-6 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-6 297752]
R2 ndsvc;NetDrive Service;c:\program files\netdrive\ndsvc.exe [2008-11-7 2566144]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service -->
c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 iadusb;BT Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [2008-3-5 30371]
S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-8-4 127768]
S2 assert update;assert update;c:\windows\system32\wildday.exe --> c:\windows\system32\wildday.exe [?]
S2 RDSessMgrSCardSvr;Remote Desktop Help Session Manager RDSessMgrSCardSvr;c:\windows\system32\acluic.exe srv -->
c:\windows\system32\acluic.exe srv [?]
S2 RpcSsMSDTC;Remote Procedure Call (RPC) RpcSsMSDTC;c:\windows\system32\advapi32z.exe srv -->
c:\windows\system32\advapi32z.exe srv [?]
S2 WmiApSrvwscsvc;WMI Performance Adapter WmiApSrvwscsvc;c:\windows\system32\accesso.exe srv -->
c:\windows\system32\accesso.exe srv [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1263728]
S3 ndfs;ndfs;c:\program files\netdrive\ndfs.sys [2008-7-3 70400]
=============== Created Last 30 ================
2010-07-24 19:19:09 308782 ----a-w- C:\attachments_2010_07_24.zip
==================== Find3M ====================
============= FINISH: 13:34:19.46 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 26/02/2008 08:29:35
System Uptime: 26/07/2010 13:06:14 (0 hours ago)
Motherboard: ASUSTek Computer INC. | | P4R800-VM
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | CPU 1 | 2793/100mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 149 GiB total, 87.361 GiB free.
D: is CDROM ()
E: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
==== Disabled Device Manager Items =============
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_1131&DEV_7134&SUBSYS_48421043&REV_01\4&264A3649&0&38A4
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_1131&DEV_7134&SUBSYS_48421043&REV_01\4&264A3649&0&38A4
Service:
Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Realtek AC'97 Audio
Device ID: PCI\VEN_1002&DEV_4341&SUBSYS_E00D1631&REV_00\3&267A616A&0&A5
Manufacturer: Realtek
Name: Realtek AC'97 Audio
PNP Device ID: PCI\VEN_1002&DEV_4341&SUBSYS_E00D1631&REV_00\3&267A616A&0&A5
Service: ALCXWDM
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_1002&DEV_434D&SUBSYS_30541631&REV_01\3&267A616A&0&A6
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_1002&DEV_434D&SUBSYS_30541631&REV_01\3&267A616A&0&A6
Service:
==== System Restore Points ===================
RP312: 26/04/2010 15:52:59 - System Checkpoint
RP313: 27/04/2010 19:14:58 - System Checkpoint
RP314: 29/04/2010 19:11:22 - System Checkpoint
RP315: 03/05/2010 18:48:23 - System Checkpoint
RP316: 06/05/2010 18:01:40 - System Checkpoint
RP317: 10/05/2010 07:58:58 - System Checkpoint
RP318: 11/05/2010 20:15:57 - System Checkpoint
RP319: 15/05/2010 10:40:15 - Installed ACSI Camp Site Guide Europe 2010
RP320: 15/05/2010 14:36:16 - Configured ACSI Camp Site Guide Europe 2010
RP321: 15/05/2010 14:37:41 - Configured ACSI Camp Site Guide Europe 2010
RP322: 16/05/2010 14:40:41 - System Checkpoint
RP323: 18/05/2010 11:49:15 - System Checkpoint
RP324: 20/05/2010 16:44:47 - System Checkpoint
RP325: 21/05/2010 23:15:18 - System Checkpoint
RP326: 23/05/2010 21:05:48 - System Checkpoint
RP327: 24/05/2010 21:43:27 - System Checkpoint
RP328: 26/05/2010 18:13:42 - System Checkpoint
RP329: 28/05/2010 13:51:02 - System Checkpoint
RP330: 01/06/2010 14:19:18 - System Checkpoint
RP331: 03/06/2010 22:02:15 - System Checkpoint
RP332: 10/06/2010 17:53:44 - System Checkpoint
RP333: 11/06/2010 20:48:58 - System Checkpoint
RP334: 13/06/2010 12:52:49 - System Checkpoint
RP335: 16/06/2010 14:47:12 - System Checkpoint
RP336: 20/06/2010 21:24:04 - System Checkpoint
RP337: 22/06/2010 18:41:36 - Avg8 Update
RP338: 26/06/2010 22:16:54 - System Checkpoint
RP339: 29/06/2010 13:46:16 - System Checkpoint
RP340: 01/07/2010 09:01:09 - System Checkpoint
RP341: 02/07/2010 18:16:03 - System Checkpoint
RP342: 17/07/2010 21:11:46 - Avg8 Update
RP343: 18/07/2010 12:36:42 - Avg8 Update
RP344: 21/07/2010 18:28:25 - System Checkpoint
RP345: 25/07/2010 11:02:23 - System Checkpoint
RP346: 26/07/2010 12:36:25 - Restore Operation
==== Installed Programs ======================
ACSI Camp Site Guide Europe 2010
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Amazon MP3 Downloader 1.0.9
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Free 8.5
Broadband Desktop Help
BT Voyager 205 ADSL Router
CCleaner (remove only)
Cobian Backup 10
Compatibility Pack for the 2007 Office system
Creative Jukebox Driver
ERUNT 1.1j
FLV Player 2.0, build 24
Harry Potter and the Prisoner of Azkaban(TM)
HijackThis 2.0.2
hp instant support
iTunes
Java(TM) 6 Update 4
Malwarebytes' Anti-Malware
Memory-Map OS Edition Version 5
Microsoft .NET Framework 2.0
Microsoft Bootvis
Microsoft Office Excel Viewer 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Word Viewer 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.11)
MP3 Player Recovery Tool
Mr Smooth v1.0
MrSmooth
MySQL Server 5.1
Netdrive
OpenOffice.org 2.4
QuickTime
Realtek AC'97 Audio
Skype™ 3.8
Smart Defrag 1.20
Spybot - Search & Destroy
SpywareBlaster 4.3
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VNC Free Edition 4.1.3
WebFldrs XP
WINGRIDDS
Winmail Reader 1.1.12
ZoneAlarm
==== Event Viewer Messages From Past Week ========
26/07/2010 12:59:16, error: Service Control Manager [7000] - The SSDP Discovery Service service failed to start due to the following error: The system cannot find the path specified.
26/07/2010 00:42:35, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.
26/07/2010 00:42:35, error: Service Control Manager [7000] - The TrueVector Internet Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
25/07/2010 18:38:11, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
25/07/2010 16:35:19, error: Service Control Manager [7034] - The Server service terminated unexpectedly. It has done this 1 time(s).
25/07/2010 16:35:19, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
25/07/2010 11:54:00, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
25/07/2010 11:54:00, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
25/07/2010 01:04:48, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG8 E-mail Scanner service to connect.
25/07/2010 01:04:48, error: Service Control Manager [7000] - The AVG8 E-mail Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
23/07/2010 15:52:17, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 2 time(s).
23/07/2010 15:52:17, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 2 time(s).
23/07/2010 15:52:17, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
23/07/2010 14:36:46, error: Service Control Manager [7034] - The Wireless Zero Configuration service terminated unexpectedly. It has done this 1 time(s).
23/07/2010 14:36:46, error: Service Control Manager [7034] - The Windows Time service terminated unexpectedly. It has done this 1 time(s).
23/07/2010 14:36:46, error: Service Control Manager [7034] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated unexpectedly. It has done this 1 time(s).
23/07/2010 14:36:46, error: Service Control Manager [7034] - The System Restore Service service terminated unexpectedly. It has done this 1 time(s).
23/07/2010 14:36:46, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 1 time(s).
23/07/2010 14:36:46, error: Service Control Manager [7034] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s).
23/07/2010 14:36:46, error: Service Control Manager [7034] - The Security Center service terminated unexpectedly. It has done this 1 time(s).
23/07/2010 14:36:46, error: Service Control Manager [7034] - The Secondary Logon service terminated unexpectedly. It has done this 1 time(s).
23/07/2010 14:36:46, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 1 time(s).
23/07/2010 14:36:46, error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 1 time(s).
23/07/2010 14:36:46, error: Service Control Manager [7034] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 1 time(s).
23/07/2010 14:36:46, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
23/07/2010 14:36:46, error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
23/07/2010 14:36:46, error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 6000 milliseconds: Restart the service.
23/07/2010 14:21:16, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
23/07/2010 14:21:16, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
==== End Of File ===========================
Hi,
First of all, disable word wrap in notepad to make further logs appear in more readable format, please.
Please download MBRCheck (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log in your reply.
Hi Blade81,
Thanke for getting back to me. Please find the contents of the MBRCheck logfile below. Apologies for making the last logs difficult to read - I have disable word wrap in notepad as you requested.
Regards,
Keith
MBRCheck, version 1.1.1(c) 2010, AD\\.\C: --> \\.\PhysicalDrive0 Size Device Name MBR Status -------------------------------------------- 149 GB \\.\PhysicalDrive0 Unknown MBR codeFound non-standard or infected MBR.Enter 'Y' and hit ENTER for more options, or 'N' to exit: Options: [1] Dump the MBR of a physical disk to file. [2] Restore the MBR of a physical disk with a standard boot code. [3] Exit.Enter your choice: Done! Press ENTER to exit...
Hi,
1. Download this (http://download.bleepingcomputer.com/sUBs/Beta/wCFix.exe) tool to your desktop.
2. Disable protection (some tutorials for disabling here (http://www.bleepingcomputer.com/forums/topic114351.html)) and run the tool.
3. If/when it prompts for recovery console install let it do so. Follow other prompts and don't do anything while the tool is running.
4. When the tool has finished it will create a report. Post back that report + fresh dds.txt and MBRCheck logs.
Good evening Blade81,
Took a while to run the scan - I turned off the AVG and ZoneAlarm security as directed but the scan kept losing focus - it ran for 3 hours with no result then a dialogue box from Microsoft Bootvis appeared and everything seemed to stop so I closed everything down, restarted in Safe Mode and ran the scan from there. This time it went much more smoothly and completed its procedure in about 30 mins. Please find below the 3 scans - ComboFix, DDS and MBRCheck.
Regards,
Keith
ComboFix 10-07-31.01 - keith 01/08/2010 22:55:37.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.74 [GMT 1:00]
Running from: c:\documents and settings\keith\Desktop\wCFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\keith\Application Data\Imin
c:\documents and settings\keith\Application Data\Imin\mawu.exe
c:\documents and settings\keith\Application Data\Loar
c:\documents and settings\keith\Application Data\Loar\guled.exe
c:\documents and settings\keith\GoToAssistDownloadHelper.exe
c:\documents and settings\LocalService\Local Settings\Application Data\dcxtfdcxe
c:\documents and settings\LocalService\Local Settings\Application Data\dcxtfdcxe\unygbbctssd.exe
c:\windows\system32\duis.txt
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSUPDATE
-------\Legacy_RDSESSMGRSCARDSVR
-------\Legacy_RPCSSMSDTC
-------\Legacy_WMIAPSRVWSCSVC
-------\Service_RDSessMgrSCardSvr
-------\Service_RpcSsMSDTC
-------\Service_WmiApSrvwscsvc
((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
.
2010-07-28 18:38 . 2010-07-28 18:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-26 12:29 . 2010-07-26 12:30 -------- d-----w- c:\program files\ERUNT
2010-07-26 11:39 . 2010-07-26 11:39 -------- d-----w- c:\program files\NOS
2010-07-24 19:19 . 2010-07-24 19:19 308782 ----a-w- C:\attachments_2010_07_24.zip
2010-07-23 11:22 . 2010-07-26 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-23 11:21 . 2010-03-29 07:53 32576 ----a-w- c:\documents and settings\keith\Application Data\Mozilla\Firefox\Profiles\8f26ffzs.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-07-23 11:21 . 2010-03-29 07:53 29984 ----a-w- c:\documents and settings\keith\Application Data\Mozilla\Firefox\Profiles\8f26ffzs.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-01 21:43 . 2010-05-05 18:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-01 21:34 . 2008-09-29 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-01 21:23 . 2009-10-06 00:40 -------- d-----w- c:\documents and settings\keith\Application Data\Runim
2010-07-28 20:49 . 2010-01-14 18:07 -------- d-----w- c:\documents and settings\keith\Application Data\Exubo
2010-07-28 17:34 . 2008-05-20 08:44 1 ----a-w- c:\documents and settings\keith\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-07-28 17:32 . 2008-05-20 08:42 -------- d-----w- c:\documents and settings\keith\Application Data\OpenOffice.org2
2010-07-26 11:39 . 2008-02-29 10:47 -------- d-----w- c:\program files\Yahoo!
2010-07-26 11:39 . 2008-03-05 00:16 -------- d-----w- c:\program files\Common Files\Scanner
2010-07-19 11:04 . 2010-02-19 23:36 -------- d-----w- c:\documents and settings\keith\Application Data\Erahuq
2010-07-03 08:42 . 2008-05-02 16:52 -------- d-----w- c:\documents and settings\keith\Application Data\Catea
2010-06-14 18:34 . 2010-06-14 18:33 -------- d-----w- c:\program files\Cobian Backup 10
2010-06-12 11:02 . 2009-10-10 12:02 -------- d-----w- c:\documents and settings\keith\Application Data\Xoat
2010-06-08 15:56 . 2008-09-23 17:08 22539719 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-06-06 23:11 . 2010-05-10 06:01 -------- d-----w- c:\documents and settings\keith\Application Data\Qygyow
2010-05-15 10:06 . 2010-05-15 11:39 52224 ----a-w- c:\windows\Internet Logs\xDB2.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-18 2048352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-06-10 14336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
zutee.exe [2010-8-1 133632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-21 23:06 11952 ------w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Desktop Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Broadband Desktop Help.lnk
backup=c:\windows\pss\Broadband Desktop Help.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^keith^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\keith\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 22:16 39792 ------w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2001-09-04 12:24 28672 ------w- c:\windows\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-02-24 21:10 335872 ------w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-06-10 16:15 14336 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 13:03 292128 ------w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2005-06-22 14:29 417792 ------w- c:\progra~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-06-10 18:25 1667584 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Netdrive]
2008-11-07 09:42 3110400 ------w- c:\program files\Netdrive\netdrive.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 413696 ------w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 15:28 577536 ------w- c:\windows\soundman.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-12-14 02:42 144784 ------w- c:\program files\Java\jre1.6.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Netdrive\\ndsvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Memory-Map\\OS-5\\mm3d.exe"=
"c:\\Program Files\\Memory-Map\\OS-5\\MMNav.exe"=
"c:\\Program Files\\Memory-Map\\OS-5\\showmmcrypt.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [27/03/2010 13:28 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [06/05/2008 11:50 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [06/05/2008 11:50 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [06/07/2008 00:39 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [06/07/2008 00:39 297752]
R2 ndsvc;NetDrive Service;c:\program files\Netdrive\ndsvc.exe [07/11/2008 10:42 2566144]
S2 assert update;assert update;c:\windows\system32\wildday.exe --> c:\windows\system32\wildday.exe [?]
S3 iadusb;BT Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [05/03/2008 01:16 30371]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1263728]
S3 ndfs;ndfs;c:\program files\Netdrive\ndfs.sys [03/07/2008 19:33 70400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-06-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 12:27]
2010-06-27 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-10-14 08:22]
2010-04-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-09-29 08:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\documents and settings\keith\Application Data\Mozilla\Firefox\Profiles\8f26ffzs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://uk.mc867.mail.yahoo.com/mc/welcome?.partner=bt-1&.gx=1&.tm=1264517933&.rand=4iu43c05tk8lv#_pg=welcome&&.rand=121126838&clean&.jsrand=1109760|http://www.metoffice.gov.uk/weather/uk/radar/|http://www.sat24.com/gb|http://www.westwind.ch/?link=ukmb,http://www2.wetter3.de/Fax/,.gif,bracknell+00,bracknell+24,bracknell+36,bracknell+48,bracknell+60,bracknell+72,bracknell+84,bracknell+96,bracknell+120
FF - plugin: c:\documents and settings\keith\Application Data\Mozilla\Firefox\Profiles\8f26ffzs.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-{95C5721D-2FA0-4EA2-8C50-ADF841EF840B} - c:\documents and settings\keith\Application Data\Loar\guled.exe
HKCU-Run-{C4CDF226-05B2-668A-B196-67E3CB2ED9F8} - c:\documents and settings\keith\Application Data\Imin\mawu.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~2\ypager.exe
MSConfigStartUp-YBrowser - c:\progra~1\Yahoo!\browser\ybrwicon.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-01 23:10
Windows 5.1.2600 Service Pack 2, v.2149 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-01 23:13:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-01 22:13
Pre-Run: 93,326,053,376 bytes free
Post-Run: 93,560,545,280 bytes free
- - End Of File - - DB67524980F7409D6B1A52E8C93C6D90
DDS (Ver_10-03-17.01) - NTFSx86
Run by keith at 23:16:13.68 on 01/08/2010
Internet Explorer: 6.0.2900.2149
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.123 [GMT 1:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\Netdrive\ndsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\keith\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
mPolicies-explorer: UseDesktopIniCache = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\keith\applic~1\mozilla\firefox\profiles\8f26ffzs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://uk.mc867.mail.yahoo.com/mc/welcome?.partner=bt-1&.gx=1&.tm=1264517933&.rand=4iu43c05tk8lv#_pg=welcome&&.rand=121126838&clean&.jsrand=1109760|http://www.metoffice.gov.uk/weather/uk/radar/|http://www.sat24.com/gb|http://www.westwind.ch/?link=ukmb,http://www2.wetter3.de/Fax/,.gif,bracknell+00,bracknell+24,bracknell+36,bracknell+48,bracknell+60,bracknell+72,bracknell+84,bracknell+96,bracknell+120
FF - plugin: c:\documents and settings\keith\application data\mozilla\firefox\profiles\8f26ffzs.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-27 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-6 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-6 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-6 108552]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-3-7 394952]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-6 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-6 297752]
R2 ndsvc;NetDrive Service;c:\program files\netdrive\ndsvc.exe [2008-11-7 2566144]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 iadusb;BT Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [2008-3-5 30371]
S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-8-4 127768]
S2 assert update;assert update;c:\windows\system32\wildday.exe --> c:\windows\system32\wildday.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1263728]
S3 ndfs;ndfs;c:\program files\netdrive\ndfs.sys [2008-7-3 70400]
=============== Created Last 30 ================
2010-08-01 18:26:15 0 d-sha-r- C:\cmdcons
2010-08-01 18:22:14 98816 ----a-w- c:\windows\sed.exe
2010-08-01 18:22:14 77312 ----a-w- c:\windows\MBR.exe
2010-08-01 18:22:14 256512 ----a-w- c:\windows\PEV.exe
2010-08-01 18:22:14 161792 ----a-w- c:\windows\SWREG.exe
2010-07-24 19:19:09 308782 ----a-w- C:\attachments_2010_07_24.zip
==================== Find3M ====================
============= FINISH: 23:16:32.42 ===============
DDS (Ver_10-03-17.01) - NTFSx86
Run by keith at 23:16:13.68 on 01/08/2010
Internet Explorer: 6.0.2900.2149
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.123 [GMT 1:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\Netdrive\ndsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\keith\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
mPolicies-explorer: UseDesktopIniCache = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\keith\applic~1\mozilla\firefox\profiles\8f26ffzs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://uk.mc867.mail.yahoo.com/mc/welcome?.partner=bt-1&.gx=1&.tm=1264517933&.rand=4iu43c05tk8lv#_pg=welcome&&.rand=121126838&clean&.jsrand=1109760|http://www.metoffice.gov.uk/weather/uk/radar/|http://www.sat24.com/gb|http://www.westwind.ch/?link=ukmb,http://www2.wetter3.de/Fax/,.gif,bracknell+00,bracknell+24,bracknell+36,bracknell+48,bracknell+60,bracknell+72,bracknell+84,bracknell+96,bracknell+120
FF - plugin: c:\documents and settings\keith\application data\mozilla\firefox\profiles\8f26ffzs.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-27 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-6 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-6 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-6 108552]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-3-7 394952]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-6 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-6 297752]
R2 ndsvc;NetDrive Service;c:\program files\netdrive\ndsvc.exe [2008-11-7 2566144]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 iadusb;BT Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [2008-3-5 30371]
S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-8-4 127768]
S2 assert update;assert update;c:\windows\system32\wildday.exe --> c:\windows\system32\wildday.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1263728]
S3 ndfs;ndfs;c:\program files\netdrive\ndfs.sys [2008-7-3 70400]
=============== Created Last 30 ================
2010-08-01 18:26:15 0 d-sha-r- C:\cmdcons
2010-08-01 18:22:14 98816 ----a-w- c:\windows\sed.exe
2010-08-01 18:22:14 77312 ----a-w- c:\windows\MBR.exe
2010-08-01 18:22:14 256512 ----a-w- c:\windows\PEV.exe
2010-08-01 18:22:14 161792 ----a-w- c:\windows\SWREG.exe
2010-07-24 19:19:09 308782 ----a-w- C:\attachments_2010_07_24.zip
==================== Find3M ====================
============= FINISH: 23:16:32.42 ===============
MBRCheck, version 1.1.1
(c) 2010, AD
\\.\C: --> \\.\PhysicalDrive0
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
Done! Press ENTER to exit...
Hi again,
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?t=58703
Collect::
c:\documents and settings\Default User\Start Menu\Programs\Startup\zutee.exe
c:\windows\system32\wildday.exe
DirLook::
c:\documents and settings\keith\Application Data\Runim
c:\documents and settings\keith\Application Data\Exubo
c:\documents and settings\keith\Application Data\Erahuq
c:\documents and settings\keith\Application Data\Catea
c:\documents and settings\keith\Application Data\Xoat
c:\documents and settings\keith\Application Data\Qygyow
Driver::
"assert update"
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into WcFix.exe
Then post the resultant log.
Uninstall old Adobe Reader versions and get the latest one with updates (9.3 and updates 9.3.2 & 9.3.3) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).
Uninstall vulnerable Flash versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 21 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
Morning Blade81,
Just to let you know I am trying to run the Kaspersky online scan - I started it last night at 11pm UK time and it is still running now 7 hours later, but very slowly and taking ages over certain files, in fact when I came to the PC this morning there was a Windows dialogue box saying that the script had stopped responding and asking me to cancel or continue. Although scan has been running overnight the elapsed time is only showing 45 minutes scan time.....I may have to stop and rerun as I must go to work. I'll follow up tonight.
Regards,
Keith
Ok. We'll see how it goes :)
Hi Blade81,
Sorry it is taking so long. I still have not been able to run the Kaspersky scan in full yet. Please find the first 2 logs - ComboFix and DDS. I'll try and run the Kaspersky scan again this evening and post then.
Regards,
Keith
ComboFix 10-07-31.01 - keith 02/08/2010 18:54:47.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.164 [GMT 1:00]
Running from: c:\documents and settings\keith\Desktop\wCFix.exe
Command switches used :: c:\documents and settings\keith\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
file zipped: c:\documents and settings\Default User\Start Menu\Programs\Startup\zutee.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\zutee.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASSERT_UPDATE
-------\Service_assert update
((((((((((((((((((((((((( Files Created from 2010-07-02 to 2010-08-02 )))))))))))))))))))))))))))))))
.
2010-07-28 18:38 . 2010-07-28 18:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-26 12:29 . 2010-07-26 12:30 -------- d-----w- c:\program files\ERUNT
2010-07-26 11:39 . 2010-07-26 11:39 -------- d-----w- c:\program files\NOS
2010-07-24 19:19 . 2010-07-24 19:19 308782 ----a-w- C:\attachments_2010_07_24.zip
2010-07-23 11:22 . 2010-07-26 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-23 11:21 . 2010-03-29 07:53 32576 ----a-w- c:\documents and settings\keith\Application Data\Mozilla\Firefox\Profiles\8f26ffzs.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-07-23 11:21 . 2010-03-29 07:53 29984 ----a-w- c:\documents and settings\keith\Application Data\Mozilla\Firefox\Profiles\8f26ffzs.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-01 21:43 . 2010-05-05 18:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-01 21:34 . 2008-09-29 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-01 21:23 . 2009-10-06 00:40 -------- d-----w- c:\documents and settings\keith\Application Data\Runim
2010-07-28 20:49 . 2010-01-14 18:07 -------- d-----w- c:\documents and settings\keith\Application Data\Exubo
2010-07-28 17:34 . 2008-05-20 08:44 1 ----a-w- c:\documents and settings\keith\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-07-28 17:32 . 2008-05-20 08:42 -------- d-----w- c:\documents and settings\keith\Application Data\OpenOffice.org2
2010-07-26 11:39 . 2008-02-29 10:47 -------- d-----w- c:\program files\Yahoo!
2010-07-26 11:39 . 2008-03-05 00:16 -------- d-----w- c:\program files\Common Files\Scanner
2010-07-19 11:04 . 2010-02-19 23:36 -------- d-----w- c:\documents and settings\keith\Application Data\Erahuq
2010-07-03 08:42 . 2008-05-02 16:52 -------- d-----w- c:\documents and settings\keith\Application Data\Catea
2010-06-14 18:34 . 2010-06-14 18:33 -------- d-----w- c:\program files\Cobian Backup 10
2010-06-12 11:02 . 2009-10-10 12:02 -------- d-----w- c:\documents and settings\keith\Application Data\Xoat
2010-06-08 15:56 . 2008-09-23 17:08 22539719 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-06-06 23:11 . 2010-05-10 06:01 -------- d-----w- c:\documents and settings\keith\Application Data\Qygyow
2010-05-15 10:06 . 2010-05-15 11:39 52224 ----a-w- c:\windows\Internet Logs\xDB2.tmp
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\keith\Application Data\Catea ----
2010-07-03 08:42 . 2010-07-18 02:18 171304 ----a-w- c:\documents and settings\keith\Application Data\Catea\ylypo.hoo
2010-07-03 08:09 . 2010-07-03 08:09 807 ----a-w- c:\documents and settings\keith\Application Data\Catea\ylypo.tmp
---- Directory of c:\documents and settings\keith\Application Data\Erahuq ----
---- Directory of c:\documents and settings\keith\Application Data\Exubo ----
2010-07-28 20:49 . 2010-07-28 20:49 1907 ----a-w- c:\documents and settings\keith\Application Data\Exubo\zyqo.oko
---- Directory of c:\documents and settings\keith\Application Data\Qygyow ----
---- Directory of c:\documents and settings\keith\Application Data\Runim ----
2010-08-01 21:23 . 2010-08-01 21:33 31895 ----a-w- c:\documents and settings\keith\Application Data\Runim\guomo.tay
---- Directory of c:\documents and settings\keith\Application Data\Xoat ----
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-18 2048352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-06-10 14336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-21 23:06 11952 ------w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Desktop Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Broadband Desktop Help.lnk
backup=c:\windows\pss\Broadband Desktop Help.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^keith^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\keith\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 22:16 39792 ------w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2001-09-04 12:24 28672 ------w- c:\windows\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-02-24 21:10 335872 ------w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-06-10 16:15 14336 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 13:03 292128 ------w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2005-06-22 14:29 417792 ------w- c:\progra~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-06-10 18:25 1667584 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Netdrive]
2008-11-07 09:42 3110400 ------w- c:\program files\Netdrive\netdrive.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 413696 ------w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 15:28 577536 ------w- c:\windows\soundman.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-12-14 02:42 144784 ------w- c:\program files\Java\jre1.6.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Netdrive\\ndsvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Memory-Map\\OS-5\\mm3d.exe"=
"c:\\Program Files\\Memory-Map\\OS-5\\MMNav.exe"=
"c:\\Program Files\\Memory-Map\\OS-5\\showmmcrypt.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [27/03/2010 13:28 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [06/05/2008 11:50 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [06/05/2008 11:50 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [06/07/2008 00:39 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [06/07/2008 00:39 297752]
R2 ndsvc;NetDrive Service;c:\program files\Netdrive\ndsvc.exe [07/11/2008 10:42 2566144]
R3 iadusb;BT Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [05/03/2008 01:16 30371]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1263728]
S3 ndfs;ndfs;c:\program files\Netdrive\ndfs.sys [03/07/2008 19:33 70400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-06-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 12:27]
2010-04-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-09-29 08:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\documents and settings\keith\Application Data\Mozilla\Firefox\Profiles\8f26ffzs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://uk.mc867.mail.yahoo.com/mc/welcome?.partner=bt-1&.gx=1&.tm=1264517933&.rand=4iu43c05tk8lv#_pg=welcome&&.rand=121126838&clean&.jsrand=1109760|http://www.metoffice.gov.uk/weather/uk/radar/|http://www.sat24.com/gb|http://www.westwind.ch/?link=ukmb,http://www2.wetter3.de/Fax/,.gif,bracknell+00,bracknell+24,bracknell+36,bracknell+48,bracknell+60,bracknell+72,bracknell+84,bracknell+96,bracknell+120
FF - plugin: c:\documents and settings\keith\Application Data\Mozilla\Firefox\Profiles\8f26ffzs.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-02 19:05
Windows 5.1.2600 Service Pack 2, v.2149 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-02 19:08:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-02 18:08
ComboFix2.txt 2010-08-01 22:13
Pre-Run: 93,556,346,880 bytes free
Post-Run: 93,527,900,160 bytes free
- - End Of File - - C1CF83F5849518025B275B73F298498B
DDS (Ver_10-03-17.01) - NTFSx86
Run by keith at 9:05:18.43 on 04/08/2010
Internet Explorer: 6.0.2900.2149 BrowserJavaVersion: 1.6.0_21
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\Netdrive\ndsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\keith\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
mPolicies-explorer: UseDesktopIniCache = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\keith\applic~1\mozilla\firefox\profiles\8f26ffzs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://uk.mc867.mail.yahoo.com/mc/welcome?.partner=bt-1&.gx=1&.tm=1264517933&.rand=4iu43c05tk8lv#_pg=welcome&&.rand=121126838&clean&.jsrand=1109760|http://www.metoffice.gov.uk/weather/uk/radar/|http://www.sat24.com/gb|http://www.westwind.ch/?link=ukmb,http://www2.wetter3.de/Fax/,.gif,bracknell+00,bracknell+24,bracknell+36,bracknell+48,bracknell+60,bracknell+72,bracknell+84,bracknell+96,bracknell+120
FF - plugin: c:\documents and settings\keith\application data\mozilla\firefox\profiles\8f26ffzs.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
============= SERVICES / DRIVERS ===============
R? KLIF;KLIF
R? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
R? ndfs;ndfs
S? avg8emc;AVG8 E-mail Scanner
S? avg8wd;AVG8 WatchDog
S? AvgLdx86;AVG AVI Loader Driver x86
S? AvgMfx86;AVG On-access Scanner Minifilter Driver x86
S? AvgTdiX;AVG8 Network Redirector
S? iadusb;BT Voyager 205 ADSL Router
S? Lbd;Lbd
S? ndsvc;NetDrive Service
S? vsdatant;vsdatant
S? vsmon;TrueVector Internet Monitor
=============== Created Last 30 ================
2010-08-02 21:31:46 0 d-----w- c:\program files\Sun
2010-08-02 21:31:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-02 21:31:26 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-01 18:26:15 0 d-sha-r- C:\cmdcons
2010-08-01 18:22:14 98816 ----a-w- c:\windows\sed.exe
2010-08-01 18:22:14 77312 ----a-w- c:\windows\MBR.exe
2010-08-01 18:22:14 256512 ----a-w- c:\windows\PEV.exe
2010-08-01 18:22:14 161792 ----a-w- c:\windows\SWREG.exe
2010-07-24 19:19:09 308782 ----a-w- C:\attachments_2010_07_24.zip
==================== Find3M ====================
============= FINISH: 9:08:05.48 ===============
Hi,
Please try ESET scanner instead:
* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked.
Click Scan
Wait for the scan to finish. Post back the report if anything was found.
Also, delete these folders:
c:\documents and settings\keith\Application Data\Runim
c:\documents and settings\keith\Application Data\Exubo
c:\documents and settings\keith\Application Data\Erahuq
c:\documents and settings\keith\Application Data\Catea
c:\documents and settings\keith\Application Data\Xoat
c:\documents and settings\keith\Application Data\Qygyow
Hi Blade 81,
Please find below the ESET scan results. It's a bit puzzling but I ran the scan overnight then stupidly closed the window this morning before creating the report, so I had to run again. The first window (the one I closed) said there were 2 infections found, however when I ran the scan for the second time (and there were no changes made or programs started - it was run immediately) it found 15 infections per the attached log. How can this be?
I have also deleted the folders you specified.
Regards,
Keith
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\keith\Application Data\Sun\Java\Deployment\cache\6.0\59\1fbfe33b-1b8530d4 a variant of Win32/Unruy.AA trojan
C:\keith backup\Documents and Settings\Account.183 (Retrieved after unexpected restart.)\Local Settings\Application Data\Identities\{88211156-4518-46D2-9782-BF291C0EAD00}\Microsoft\Outlook Express\Inbox.dbx HTML/TrojanSpy.Bayfraud.CO trojan
C:\Qoobox\Quarantine\C\Documents and Settings\keith\Application Data\Imin\mawu.exe.vir Win32/Spy.Zbot.ZP trojan
C:\Qoobox\Quarantine\C\Documents and Settings\keith\Application Data\Loar\guled.exe.vir a variant of Win32/Kryptik.FUF trojan
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\dcxtfdcxe\unygbbctssd.exe.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{D49656BC-AAC3-47A4-A531-4D4529A2691E}\RP331\A0157891.exe a variant of Win32/Kryptik.EZB trojan
C:\System Volume Information\_restore{D49656BC-AAC3-47A4-A531-4D4529A2691E}\RP331\A0157952.exe a variant of Win32/Kryptik.EUD trojan
C:\System Volume Information\_restore{D49656BC-AAC3-47A4-A531-4D4529A2691E}\RP343\A0165138.exe a variant of Win32/Injector.CKW trojan
C:\System Volume Information\_restore{D49656BC-AAC3-47A4-A531-4D4529A2691E}\RP346\A0178721.exe a variant of Win32/Kryptik.FUF trojan
C:\System Volume Information\_restore{D49656BC-AAC3-47A4-A531-4D4529A2691E}\RP347\A0198180.sys Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{D49656BC-AAC3-47A4-A531-4D4529A2691E}\RP347\A0198221.exe Win32/Spy.Zbot.ZP trojan
C:\System Volume Information\_restore{D49656BC-AAC3-47A4-A531-4D4529A2691E}\RP347\A0198222.exe a variant of Win32/Kryptik.FUF trojan
C:\System Volume Information\_restore{D49656BC-AAC3-47A4-A531-4D4529A2691E}\RP347\A0198224.exe Win32/Adware.SpywareProtect2009 application
Hi Keith,
One explanation could be that Kaspersky scanner had updated definitions on the second run.
Delete these files:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip
C:\Documents and Settings\keith\Application Data\Sun\Java\Deployment\cache\6.0\59\1fbfe33b-1b8530d4
Check email messages in the following .pst file and delete suspicious looking email messages if found:
C:\keith backup\Documents and Settings\Account.183 (Retrieved after unexpected restart.)\Local Settings\Application Data\Identities\{88211156-4518-46D2-9782-BF291C0EAD00}\Microsoft\Outlook Express\Inbox.dbx
How's the system running now?
Hi Blade,
Thanks for the possible explanation. That represents quite a significant update in a single day!
I have deleted the first 2 files, as well as that entire Inbox.dbx file - this relates to a previous Inbox and I don't need the messages, so to be sure I have killed the whole thing.
System is running very smoothly now - there are no problems with booting up and no suspect svchost processes running. I have also had no more random new tabs opening up and the machine 'feels' right again!
I'd be grateful if you could identify the virus I had and if there are any long term implications from having this on my system.
Best wishes,
Keith
Hi,
You had Whistler bootkit and TDL infections with some other random stuff there. Those should be gone now but changing online passwords is a recommended move.
Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Now lets uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
Dear Blade,
I have reset the restore points and gone through the rest of your steps outlined above. I use Firefox and was wondering if you have a similar set of points to enhance protection as provided for IE, or is it much more secure in itself?
My PC is back to its old self thanks to your invaluable help.
Many thanks and best wishes,
Keith
Firefox settings are good by default but I recommend getting these addons:
Adblock Plus (http://adblockplus.org/en/installation), WOT (http://www.mywot.com/en/download/ff) and NoScript (https://addons.mozilla.org/firefox/addon/722)
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.