Win32.autorun.tmp - trojan
Test
Trying to post a new thread for the 4th time.
Will edit if successful
Cannot edit and cannot add DDS logs.
Is there a capacity limit on the logs ?
Anyway,
I have Spybot installed on my computer, but cannot remove the above trojan.
I have tried removing it in safe mode, normal mode and also in system startup mode. The little darling keeps reappearing.
Any help would be appreciated, like, to start with, how to get my logs into this post!!
Many thanks,
John.
Hello mallinj,
If the infection prevents DDS from running, or being copy/pasted, please start a topic and make note of the situation, provide details of the computer's current symptoms and wait for a response.
Please do not add additional posts as comments, or logs from other scans. Helpers look for topics with a 0 response.
In the Malware Removal Forum, members may not edit their posts. "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Hope that clarifies. ;)
Thanks for the reply.
DDS runs fine, and I have the logs.
However, when I paste them or attach them into this post, I cannot finish the post, it just bombs out to a default Windows Explorer screen to diagnose connection problems.
Sounds like a size of log problem to me.
Is there a specific part of the log(s) you are interested in?
Cheers,
John.
Hi,
Edit out the DDS-related header lines and see if you're able to post. If not, try to get the logs posted via a non-infected system.
Logs below from CD. Posted on different laptop.
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Documents and Settings\All Users\Application Data\BarQuery\barquery153.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BarQuery\barquery.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\IMESHA~1\MediaBar\DataMngr\DataMngrUI.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Any1\LOCALS~1\Temp\551.exe
C:\DOCUME~1\Any1\LOCALS~1\Temp\083.exe
C:\DOCUME~1\Any1\LOCALS~1\Temp\208.exe
C:\Documents and Settings\Any1\Local Settings\Temporary Internet Files\Content.IE5\72T8UMFI\dds[1].scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.sky.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mWinlogon: Shell=Explorer.exe
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: Taskman=c:\recycler\s-1-5-21-7819536444-9359331333-335914085-5716\yv8g67.exe
uWinlogon: Shell=explorer.exe,c:\recycler\s-1-5-21-7819536444-9359331333-335914085-5716\yv8g67.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - No File
TB: {0974BA1E-64EC-11DE-B2A5-E43756D89593} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MSConfig] c:\documents and settings\any1\xwponeh.exe \u
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DataMngr] c:\progra~1\imesha~1\mediabar\datamngr\DataMngrUI.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\03e0fbb.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\081cs60.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\0g9iid2.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\0kkaq0r.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\0m3e1qq.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\0p60q3c.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\16mmhyy.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\1bcxd60.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\1bm3e1q.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\1ep2fgb.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\21mmsy5.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\25rmmsy.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\2nii6uu.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\2pka6ww.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\2vb3n1y.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\2ws0ooj.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\5kv38mi.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\6gbmsy5.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\6mmhyyt.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\6nyt086.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\7x2i2pu.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\8sy586w.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\9bc0ne1.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\bmrsnep2fgb.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\brhndtze.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\c1jj083g.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\ccxytku6wb.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\cntu0avwr0.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\csi3kk5l.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\ddyu1q5r1.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\dtupllrhsoe.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\dyje8qrc.exe
StartupFolder: c:\docume~1\any1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\fbmm11yo.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\flm70nje.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\g3injzpfg70.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\gbmsy5uf.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\gm5n1yo70l.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\gw0yo0e3a.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\hcc70jffg.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\hstepalgm.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\i0jzqggw.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\kvvlccs60zf.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\lhcc70jf.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\lhxxtjjf.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\lq81cnoj.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\lrhsny3kk6.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\m5ny3jfaqm.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\mrcs9o25l.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\n0jklbrs0.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\neezqqlc.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\oe6qvrhxij1.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\pu86g81sde.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\rcd70ppgbm.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\rinjzpfg.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\s1ee6glh.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\sy5zvgbb.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\u1alccs60.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\ufqvgrsnd.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\ufw1mns870.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\v706hy0zeu.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\vmhhytez.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\vwcnx1tkkal.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\w3ydzppgbm.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\wcnx1tkka.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\wrx60zfplg.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\wxxijju8.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\x66o86a8.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\xdi6kffb.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\xxijju86.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\xy0uu5v0.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\y3aqqrrnddz.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\y6pq70rx.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\y7epalgm3s.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\ytpp2vwr0.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\yy6pq70rx.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\yy70fbww6.exe
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.kp.2020.net/planner/Core/Player/2020PlayerAX_Win32.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262556294453
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\imesha~1\mediabar\datamngr\datamngr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
LSA: Authentication Packages = msv1_0 nwprovau
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R0 tkntlmob;tkntlmob;c:\windows\system32\drivers\tkntlmob.sys [2010-8-12 40128]
R2 BarQuery Service;BarQuery Service;c:\documents and settings\all users\application data\barquery\barquery153.exe [2010-7-10 57600]
=============== Created Last 30 ================
2010-08-16 15:36:49 0 d-----w- c:\windows\pss
2010-08-15 18:01:23 91 ----a-w- c:\windows\wininit.ini
2010-08-12 18:52:19 36864 ----a-w- C:\sssA1234567890.exe
2010-08-12 12:01:33 40128 ----a-w- c:\windows\system32\drivers\tkntlmob.sys
2010-08-12 11:59:56 45568 ---h--w- c:\windows\system32\secupdat.dat
2010-08-12 11:59:56 45568 ---h--w- c:\documents and settings\any1\secupdat.dat
2010-08-12 11:59:56 11776 ---ha-w- c:\documents and settings\any1\xwponeh.exe
2010-08-11 19:33:49 12736 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-03 18:04:01 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-03 17:59:57 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-08-03 17:59:02 0 d-----r- c:\program files\Skype
==================== Find3M ====================
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-01-03 20:32:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010320100104\index.dat
============= FINISH: 20:56:09.53 ===============
Attach log below. Sorry I do not have Winzip.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 03/01/2010 20:20:08
System Uptime: 17/08/2010 20:48:02 (0 hours ago)
Motherboard: TOSHIBA | | EAL20
Processor: Intel(R) Pentium(R) M processor 1.40GHz | BAN | 1398/mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 56 GiB total, 49.898 GiB free.
D: is CDROM (UDF)
==== Disabled Device Manager Items =============
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\CMP0101\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\CMP0101\2&DABA3FF&0
Service:
==== System Restore Points ===================
RP1: 17/08/2010 20:49:06 - System Checkpoint
==== Installed Programs ======================
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
BarQuery 1.0 build 153
BearShare
Bonjour
CCleaner
ERUNT 1.1j
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
iMesh
iTunes
Media Player Codec Pack 3.9.5
MediaBar
MSN
Music Oasis
PC Confidential 2008
QuickTime
Realtek AC'97 Audio
Realtek WLAN Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Skype Toolbars
Skype™ 4.2
Spotify
Spybot - Search & Destroy
TOSHIBA Software Modem
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Yahoo! Software Update
Yahoo! Toolbar
==== Event Viewer Messages From Past Week ========
17/08/2010 20:26:21, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 f767b2b7, parameter3 a9cbbb8c, parameter4 00000000.
17/08/2010 15:51:19, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 f767b2b7, parameter3 a968c89c, parameter4 00000000.
16/08/2010 10:08:52, error: Dhcp [1002] - The IP address lease 192.168.0.5 for the Network Card with network address 000E357E4542 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
16/08/2010 10:07:36, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.5 with the system having network hardware address 00:18:DE:B2:AD:F4. Network operations on this system may be disrupted as a result.
13/08/2010 20:38:33, error: Dhcp [1002] - The IP address lease 192.168.0.4 for the Network Card with network address 000E357E4542 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
==== End Of File ===========================
Latest symptom: it loops round the bootup 3 times before Windows is finally up.
I am only using the computer minimally, but with TeaTimer disabled, perhaps I am picking up more and more problems.
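As an added illustration (my own code, not anything from this thread, from DDS or from the helpers), a small Python triage script that applies the checks a helper makes by eye on the persistence lines of a DDS pseudo-HJT report: chained Winlogon Shell values, a Taskman value, autostart entries in recycler/temp/profile-root locations, random-named startup executables, and hosts-file redirects of security sites. The sample input is a dozen lines copied from the log above; the rules and name-length thresholds are my own assumptions, not DDS logic.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: a dozen lines copied from the DDS pseudo-HJT report and the
# services section posted above; a complete DDS.txt can be fed in the same way.
SAMPLE_LOG = r"""
mWinlogon: Shell=Explorer.exe
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: Taskman=c:\recycler\s-1-5-21-7819536444-9359331333-335914085-5716\yv8g67.exe
uWinlogon: Shell=explorer.exe,c:\recycler\s-1-5-21-7819536444-9359331333-335914085-5716\yv8g67.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSConfig] c:\documents and settings\any1\xwponeh.exe \u
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\03e0fbb.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\0g9iid2.exe
StartupFolder: c:\docume~1\any1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
Hosts: 127.0.0.1 www.spywareinfo.com
R2 BarQuery Service;BarQuery Service;c:\documents and settings\all users\application data\barquery\barquery153.exe [2010-7-10 57600]
"""


@dataclass(frozen=True)
class Finding:
    rule: str   # which heuristic fired
    line: str   # the offending report line, verbatim


# Heuristics (my assumptions, not DDS logic): random-looking basenames such as
# 03e0fbb.exe are 6-12 lowercase alphanumerics with at least one letter and one digit.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{6,12}\.exe$")
# Directories from which legitimate autostart entries very rarely run.
SUSPECT_DIRS = ("\\recycler\\", "\\temp\\", "\\application data\\")
# An executable dropped directly into a user's profile root (xwponeh.exe above).
PROFILE_ROOT_EXE = re.compile(r"\\documents and settings\\[^\\]+\\[^\\]+\.exe$")
RUN_LINE = re.compile(r'^[umd]run(?:once)?: \[[^\]]*\] "?(.+?\.exe)"?')
SERVICE_LINE = re.compile(r"^[rs]\d ([^;]+);([^;]*);(.+?) \[")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def suspicious_path(path):
    return any(d in path for d in SUSPECT_DIRS) or bool(PROFILE_ROOT_EXE.search(path))


def analyze(report):
    """Return a list of Finding objects for the persistence lines of a DDS report."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        low = line.lower()          # DDS mixes case freely; compare case-insensitively
        if not line:
            continue
        if low.startswith(("uwinlogon:", "mwinlogon:")):
            key, _, value = low.split(":", 1)[1].strip().partition("=")
            if key == "shell" and any(basename(p.strip()) != "explorer.exe" for p in value.split(",")):
                # Shell=explorer.exe,<other.exe> starts the extra binary at every logon.
                findings.append(Finding("winlogon-shell-chained", line))
            elif key == "taskman":
                # XP sets no Taskman value by default; any value here is a hijack point.
                findings.append(Finding("winlogon-taskman-set", line))
            elif suspicious_path(value):
                findings.append(Finding("winlogon-suspect-path", line))
        elif low.startswith("startupfolder:"):
            # For .lnk entries DDS prints "shortcut - target"; judge the shortcut name.
            target = low.split(":", 1)[1].strip().split(" - ", 1)[0]
            if RANDOM_NAME.match(basename(target)):
                findings.append(Finding("startup-random-exe", line))
        elif low.startswith("hosts:"):
            parts = low.split()
            if len(parts) >= 3 and parts[1] in ("127.0.0.1", "0.0.0.0") and parts[2] != "localhost":
                # Security sites pointed at loopback block updates and removal guides.
                findings.append(Finding("hosts-loopback-redirect", line))
        else:
            run = RUN_LINE.match(low)
            svc = SERVICE_LINE.match(low)
            if run and suspicious_path(run.group(1)):
                findings.append(Finding("run-key-suspect-path", line))
            elif svc and suspicious_path(svc.group(3)):
                findings.append(Finding("service-suspect-path", line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. to spot the flood of random startup .exe files."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.rule:26} {f.line}")
    print(summarize(analyze(SAMPLE_LOG)))
```

Matches are leads for a human to check against the rest of the log, not verdicts: legitimate software (iTunes, Skype) also keeps files under Application Data, so the path rules are deliberately loose.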
Hi,
Try to use the system as little as possible.
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.
BearShare
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
After that:
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Hi,
Have just completed running ComboFix.
Report is below. Many thanks for your help so far. Posted from another computer.
ComboFix 10-08-17.04 - Any1 18/08/2010 23:05:56.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.762 [GMT 1:00]
Running from: D:\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\BarQuery
c:\documents and settings\All Users\Application Data\BarQuery\barquery153.exe
c:\documents and settings\Any1\secupdat.dat
c:\documents and settings\Any1\xwponeh.exe
c:\program files\BarQuery
c:\program files\BarQuery\barquery.dll
c:\program files\BarQuery\barquery.exe
c:\program files\BarQuery\uninstall.exe
c:\windows\system32\Drivers\tkntlmob.sys
c:\windows\system32\secupdat.dat
c:\windows\system32\Drivers\tkntlmob.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BARQUERY_SERVICE
-------\Service_BarQuery Service
-------\Legacy_tkntlmob
-------\Service_tkntlmob
((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.
2010-08-16 19:41 . 2010-08-16 19:42 -------- d-----w- c:\program files\ERUNT
2010-08-12 18:52 . 2010-08-12 18:58 36864 ----a-w- C:\sssA1234567890.exe
2010-08-11 19:33 . 2010-08-11 19:33 12736 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-03 18:04 . 2010-08-03 18:04 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-03 18:04 . 2010-08-18 20:46 -------- d-----w- c:\documents and settings\Any1\Application Data\skypePM
2010-08-03 18:01 . 2010-08-18 20:50 -------- d-----w- c:\documents and settings\Any1\Application Data\Skype
2010-08-03 18:00 . 2008-04-13 23:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-08-03 18:00 . 2008-04-13 23:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-08-03 18:00 . 2008-04-13 23:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2010-08-03 18:00 . 2008-04-13 23:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2010-08-03 18:00 . 2008-04-13 23:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2010-08-03 18:00 . 2008-04-13 23:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2010-08-03 18:00 . 2008-04-13 23:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-08-03 18:00 . 2008-04-13 23:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2010-08-03 18:00 . 2008-04-13 23:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-08-03 18:00 . 2008-04-13 23:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2010-08-03 18:00 . 2008-04-13 23:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-08-03 18:00 . 2008-04-13 23:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2010-08-03 17:59 . 2008-04-13 23:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-08-03 17:59 . 2008-04-13 23:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2010-08-03 17:59 . 2008-04-14 04:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-08-03 17:59 . 2008-04-14 04:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2010-08-03 17:59 . 2008-04-13 23:16 121984 -c--a-w- c:\windows\system32\dllcache\usbvideo.sys
2010-08-03 17:59 . 2008-04-13 23:16 121984 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2010-08-03 17:59 . 2008-04-13 23:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-08-03 17:59 . 2008-04-13 23:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-08-03 17:59 . 2010-08-18 20:55 -------- d-----r- c:\program files\Skype
2010-08-03 17:58 . 2010-08-18 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-25 12:52 . 2010-07-25 12:52 -------- d-----w- c:\documents and settings\Any1\Application Data\U3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 21:02 . 2010-03-28 17:59 -------- d-----w- c:\program files\iMesh Applications
2010-08-18 20:52 . 2010-03-31 15:53 -------- d-----w- c:\program files\BearShare Applications
2010-08-15 16:34 . 2010-01-24 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-15 16:07 . 2010-03-28 17:47 -------- d-----w- c:\documents and settings\Any1\Application Data\Spotify
2010-08-12 12:01 . 2010-01-24 16:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-12 18:19 . 2010-07-12 18:17 -------- d-----w- c:\program files\iTunes
2010-07-12 18:18 . 2010-07-12 18:18 -------- d-----w- c:\program files\iPod
2010-07-12 18:18 . 2010-03-31 15:15 -------- d-----w- c:\program files\Common Files\Apple
2010-07-12 18:11 . 2010-07-12 18:11 -------- d-----w- c:\program files\Bonjour
2010-07-12 18:08 . 2010-07-12 18:08 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-30 12:31 . 2008-04-14 00:42 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-06-23 15:57 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-13 20:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-13 19:45 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 00:41 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2010-01-03 20:13 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-14 00:42 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-06 16:12 . 2010-06-06 16:12 655360 ----a-w- c:\documents and settings\Any1\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-06-06 16:12 . 2010-06-06 16:12 282624 ----a-w- c:\documents and settings\Any1\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-06-06 16:12 . 2010-06-06 16:12 208896 ----a-w- c:\documents and settings\Any1\Application Data\Spotify\Gracenote\gnsdk_dsp.dll
.
------- Sigcheck -------
[-] 2008-08-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-30 88363]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
c:\documents and settings\Any1\Start Menu\Programs\Startup\
03e0fbb.exe [2010-8-15 43008]
081cs60.exe [2010-8-14 43008]
0g9iid2.exe [2010-8-15 37888]
0kkaq0r.exe [2010-8-16 43008]
0m3e1qq.exe [2010-8-13 37888]
0p60q3c.exe [2010-8-13 43008]
16mmhyy.exe [2010-8-14 37888]
1bcxd60.exe [2010-8-15 43008]
1bm3e1q.exe [2010-8-13 43008]
1ep2fgb.exe [2010-8-14 43008]
21mmsy5.exe [2010-8-15 43008]
25rmmsy.exe [2010-8-15 43008]
2nii6uu.exe [2010-8-13 37888]
2pka6ww.exe [2010-8-15 43008]
2vb3n1y.exe [2010-8-16 37888]
2ws0ooj.exe [2010-8-15 37376]
5kv38mi.exe [2010-8-15 37888]
6gbmsy5.exe [2010-8-15 43008]
6mmhyyt.exe [2010-8-14 37888]
6nyt086.exe [2010-8-13 37888]
7x2i2pu.exe [2010-8-15 43008]
8sy586w.exe [2010-8-13 43008]
9bc0ne1.exe [2010-8-13 43008]
bmrsnep2fgb.exe [2010-8-14 37888]
brhndtze.exe [2010-8-14 37888]
c1jj083g.exe [2010-8-14 37376]
c1yu6aa70h.exe [2010-8-18 37376]
ccxytku6wb.exe [2010-8-15 43008]
cntu0avwr0.exe [2010-8-14 37888]
csi3kk5l.exe [2010-8-15 43008]
ddyu1q5r1.exe [2010-8-15 43008]
dtupllrhsoe.exe [2010-8-14 43008]
dyje8qrc.exe [2010-8-13 43008]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
fbmm11yo.exe [2010-8-16 37376]
flm70nje.exe [2010-8-14 43008]
g3injzpfg70.exe [2010-8-16 43008]
gbmsy5uf.exe [2010-8-15 37376]
gm5n1yo70l.exe [2010-8-16 43008]
gw0yo0e3a.exe [2010-8-14 43008]
hcc70jffg.exe [2010-8-16 43008]
hstepalgm.exe [2010-8-14 37888]
i0jzqggw.exe [2010-8-15 43008]
i1eaavrr.exe [2010-8-18 37376]
kvvlccs60zf.exe [2010-8-14 37888]
lhcc70jf.exe [2010-8-16 43008]
lhxxtjjf.exe [2010-8-14 43008]
lq81cnoj.exe [2010-8-15 43008]
lrhsny3kk6.exe [2010-8-14 37888]
m5ny3jfaqm.exe [2010-8-13 37888]
mrcs9o25l.exe [2010-8-15 43008]
n0jklbrs0.exe [2010-8-13 37888]
neezqqlc.exe [2010-8-17 43008]
oe6qvrhxij1.exe [2010-8-13 37888]
pu86g81sde.exe [2010-8-16 43008]
rcd70ppgbm.exe [2010-8-15 43008]
rinjzpfg.exe [2010-8-16 37888]
s1ee6glh.exe [2010-8-15 37376]
sy5zvgbb.exe [2010-8-16 43008]
ttpffbrrndd.exe [2010-8-18 37376]
u1alccs60.exe [2010-8-14 37376]
ufqvgrsnd.exe [2010-8-16 43008]
ufw1mns870.exe [2010-8-13 43008]
v706hy0zeu.exe [2010-8-14 43008]
vmhhytez.exe [2010-8-13 37888]
vwcnx1tkkal.exe [2010-8-15 37376]
w3ydzppgbm.exe [2010-8-15 37888]
wcnx1tkka.exe [2010-8-15 37888]
wrx60zfplg.exe [2010-8-15 43008]
wxxijju8.exe [2010-8-13 37888]
x66o86a8.exe [2010-8-15 37376]
xdi6kffb.exe [2010-8-13 43008]
xookplgbssn.exe [2010-8-18 43008]
xtoo6aa6.exe [2010-8-18 43008]
xtou70a7.exe [2010-8-18 37376]
xxijju86.exe [2010-8-13 43008]
xy0uu5v0.exe [2010-8-13 43008]
y3aqqrrnddz.exe [2010-8-15 43008]
y6pq70rx.exe [2010-8-17 37888]
y7epalgm3s.exe [2010-8-14 43008]
ytpp2vwr0.exe [2010-8-15 37888]
yy6pq70rx.exe [2010-8-17 43008]
yy70fbww6.exe [2010-8-15 37888]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
Contents of the 'Scheduled Tasks' folder
2010-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
2010-08-18 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe [2010-04-27 13:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.kp.2020.net/planner/Core/Player/2020PlayerAX_Win32.cab
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - (no file)
Toolbar-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - (no file)
SafeBoot-tkntlmob.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-18 23:16
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86064ACE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf766ff28
\Driver\ACPI -> ACPI.sys @ 0xf75c2cb8
\Driver\atapi -> atapi.sys @ 0xf7536852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel(R) PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7442bb0
PacketIndicateHandler -> NDIS.sys @ 0xf744fa21
SendHandler -> NDIS.sys @ 0xf742d87b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3872)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\WgaTray.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-08-18 23:21:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-18 22:21
Pre-Run: 53,677,449,216 bytes free
Post-Run: 53,663,948,800 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - D188253B826DF58AEBF2EB72871E1282
Hi,
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
If found, upload c:\windows\system32\Drivers\tkntlmob.sys file to http://www.virustotal.com and post back the results.
Please download Rootkit Unhooker (http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE) and save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note: you may get this warning; it is OK, just ignore it:
Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?
Hi again.
Did not find the file tkntlmob.sys.
Have run RKUnhookerLE.exe.
Report is below:
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xF6917000 C:\WINDOWS\system32\DRIVERS\w29n51.sys 2220032 bytes (Intel® Corporation, Intel® Wireless LAN Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xBF081000 C:\WINDOWS\System32\ati3duag.dll 2158592 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF6171000 C:\WINDOWS\system32\DRIVERS\AGRSM.sys 1265664 bytes (Agere Systems, SoftModem Device Driver)
0xF6B6D000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 860160 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF67E4000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 618496 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0xF745A000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF290000 C:\WINDOWS\System32\ativvaxx.dll 520192 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xAA68F000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF675E000 C:\WINDOWS\system32\drivers\ALCXSENS.SYS 401408 bytes (Sensaura, Sensaura WDM 3D Audio Driver)
0xEF232000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAA774000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xAA126000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xF68B2000 C:\WINDOWS\system32\DRIVERS\ESM7SK.sys 331776 bytes (ENE Technology Inc., ENE PCI SmartMedia / XD Card Reader Driver)
0xA9D4D000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF049000 C:\WINDOWS\System32\ati2cqag.dll 229376 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 225280 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xEF290000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF75BC000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xAA4B8000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF742D000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAA6FF000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAA74C000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xAA4E5000 C:\WINDOWS\system32\DRIVERS\nwrdr.sys 163840 bytes (Microsoft Corporation, NetWare Redirector File System Driver)
0xF7548000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xAA669000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF67C0000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6B35000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF687B000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAA72A000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7510000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF756E000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF758D000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF7413000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7530000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAA651000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF74E7000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF615A000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xAA5EB000 C:\WINDOWS\system32\DRIVERS\irda.sys 90112 bytes (Microsoft Corporation, IRDA Protocol Driver)
0xAA5D5000 C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys 90112 bytes (Microsoft Corporation, NWLINK2 IPX Protocol Driver)
0xAA453000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF689E000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF6903000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xF6B59000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAA7CD000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF74FE000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF75AB000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6149000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xEF384000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF76DB000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF769B000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF77AB000 C:\WINDOWS\system32\DRIVERS\nwlnknb.sys 65536 bytes (Microsoft Corporation, NWLINK2 IPX Netbios Protocol Driver)
0xF761B000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xEF3B4000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF6D96000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF787B000 C:\WINDOWS\system32\DRIVERS\EMS7SK.sys 61440 bytes (ENE Technology Inc., ENE PCI Memory Stick Card Reader Driver)
0xF76EB000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF773B000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF059D000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF762B000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xEFE43000 C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys 57344 bytes (Microsoft Corporation, NWLINK2 SPX Protocol Driver)
0xF766B000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF76BB000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF76FB000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF764B000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF771B000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF767B000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xEFDD3000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF76CB000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF763B000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF770B000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF760B000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF05CD000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF05ED000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF765B000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF786B000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF772B000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xEFDE3000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF6D26000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF76AB000 C:\WINDOWS\system32\DRIVERS\smcirda.sys 36864 bytes (SMC, SMC IrCC NDIS 5.0 IrDA FIR Device Driver)
0xEF3C4000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF78C3000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xEFE9D000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF79CB000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF788B000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF79F3000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF79E3000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF79EB000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF79D3000 C:\WINDOWS\system32\DRIVERS\RTL8139.SYS 24576 bytes (Realtek Semiconductor Corporation, Realtek RTL8139 NDIS 5.0 Driver)
0xF79C3000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xEFEAD000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xEFEA5000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7893000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF03F0000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF78CB000 C:\WINDOWS\system32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)
0xF03E8000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF78D3000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xEFE7D000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7A27000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF7AEB000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF0DA5000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF4C9B000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7A2B000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF7A1F000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7A23000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xF5D5D000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7AE3000 C:\WINDOWS\system32\DRIVERS\irenum.sys 12288 bytes (Microsoft Corporation, Infra-Red Bus Enumerator)
0xF73DE000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xEF22A000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7B91000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7B0F000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF016C000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7B8F000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7B0D000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7B93000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7B77000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7B95000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7B5F000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7B61000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7B0B000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x86288000 C:\WINDOWS\system32\KDCOM.DLL 7040 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7C9B000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7C42000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xEFE74000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7BD4000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7BD3000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x862A8999 ?_empty_? 1639 bytes
==============================================
>Stealth
==============================================
0xF7530000 WARNING: suspicious driver modification [atapi.sys::0x862A8999]
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
[1132]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1132]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1132]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1132]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[1132]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[1132]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[1132]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E42974E-->00000000 [unknown_code_page]
[1236]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1236]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1236]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1236]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1236]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1236]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1236]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[1236]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[1236]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[1236]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1236]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
Many thanks,
John.
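The report above can be triaged mechanically rather than read line by line. The Python below is an added example for this thread (it is neither one of the posts nor RKUnhooker's own code): it parses the `>Drivers`, `>Stealth` and `>Hooks` sections in the format shown, ranks each finding, and pairs the hidden driver with the stealth warning that cites its address. The sample input is a constructed excerpt of the report above, and the severity labels (high/medium/low/info) are the example's own assumptions.

```python
"""Triage helper for a Rootkit Unhooker (RkU LE) text report.

Added example for this thread, not RKUnhooker's own code: it parses the
'>Drivers', '>Stealth' and '>Hooks' sections in the format pasted above.
The severity labels are this example's own assumptions, not RKU output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

DRIVER_RE = re.compile(r"^0x(?P<base>[0-9A-Fa-f]+) (?P<name>\S+) (?P<size>\d+) bytes")
HIDDEN_RE = re.compile(r"^!+Hidden driver: 0x(?P<addr>[0-9A-Fa-f]+) (?P<name>\S+) (?P<size>\d+) bytes")
STEALTH_RE = re.compile(r"^0x(?P<base>[0-9A-Fa-f]+) WARNING: (?P<msg>.+?) \[(?P<detail>[^\]]+)\]$")
HOOK_RE = re.compile(r"^(?:\[(?P<pid>\d+)\])?(?P<chain>.+?), Type: (?P<type>.+?) "
                     r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$")

# Constructed excerpt in the format of the report posted above.
SAMPLE_REPORT = """\
>Drivers
==============================================
0xF7530000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
!!!!!!!!!!!Hidden driver: 0x862A8999 ?_empty_? 1639 bytes
>Stealth
0xF7530000 WARNING: suspicious driver modification [atapi.sys::0x862A8999]
>Hooks
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
[1132]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[1236]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1236]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
"""

@dataclass
class Hook:
    pid: int | None   # None for kernel-side hooks
    chain: str        # module/function chain as printed by RKU
    kind: str         # "Inline - RelativeJump", "IAT modification", ...
    owner: str        # module RKU attributes the hook body to

@dataclass
class Report:
    drivers: dict = field(default_factory=dict)  # base address -> module name
    hidden: list = field(default_factory=list)   # (addr, name, size)
    stealth: list = field(default_factory=list)  # (base, message, detail)
    hooks: list = field(default_factory=list)

def parse_report(text: str) -> Report:
    """Walk the report once, switching parser on the '>Section' headers."""
    rep, section = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if line.startswith(">"):
            section = line[1:].strip()
            continue
        if section == "Drivers":
            if m := HIDDEN_RE.match(line):
                rep.hidden.append((m["addr"].upper(), m["name"], int(m["size"])))
            elif m := DRIVER_RE.match(line):
                rep.drivers[m["base"].upper()] = m["name"]
        elif section == "Stealth":
            if m := STEALTH_RE.match(line):
                rep.stealth.append((m["base"].upper(), m["msg"], m["detail"]))
        elif section == "Hooks":
            if m := HOOK_RE.match(line):
                pid = int(m["pid"]) if m["pid"] else None
                rep.hooks.append(Hook(pid, m["chain"], m["type"], m["owner"]))
    return rep

def hook_severity(h: Hook) -> str:
    """Rank one hook; code RKU cannot map to any loaded module is the red flag."""
    if h.owner == "unknown_code_page":
        return "high"
    if h.kind.startswith("IAT") and h.owner.lower() == "shimeng.dll":
        return "info"  # application-compatibility shim engine, expected in shimmed processes
    hooked_module = h.chain.split("-->")[0].split("+")[0].lower()
    return "low" if hooked_module == h.owner.lower() else "medium"  # low: jump stays in-module

def triage(rep: Report) -> list[tuple[str, str]]:
    """Return (severity, description) pairs, most urgent first."""
    out = [("high", f"hidden driver at 0x{a} ({n}, {s} bytes)") for a, n, s in rep.hidden]
    for base, msg, detail in rep.stealth:
        out.append(("high", f"{msg} in {rep.drivers.get(base, 'unknown module')} at 0x{base}: {detail}"))
    for h in rep.hooks:
        where = f"pid {h.pid}: " if h.pid else "kernel: "
        out.append((hook_severity(h), f"{where}{h.chain} [{h.kind}] -> {h.owner}"))
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(out, key=lambda f: order[f[0]])

def linked_modifications(rep: Report) -> list[tuple[str, str]]:
    """Pair each hidden driver with the legitimate driver whose stealth warning cites its address."""
    return [(rep.drivers.get(base, detail.split("::")[0]), addr)
            for addr, _n, _s in rep.hidden
            for base, _m, detail in rep.stealth if addr in detail.upper()]

if __name__ == "__main__":
    for sev, desc in triage(parse_report(SAMPLE_REPORT)):
        print(f"[{sev:6}] {desc}")
```

On the excerpt, the hidden driver and the atapi.sys modification resolve to the same address, which is the link a responder wants to see before deciding that the disk stack itself has been patched.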
Hi,
Please run ComboFix again letting it update itself. Post back the report + fresh dds.txt log.
Hello again.
Combofix and DDS logs attached below.
Thank you. John.
ComboFix 10-08-18.04 - Any1 19/08/2010 21:33:17.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.769 [GMT 1:00]
Running from: c:\documents and settings\Any1\My Documents\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\6to4ex.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Service_6to4
((((((((((((((((((((((((( Files Created from 2010-07-19 to 2010-08-19 )))))))))))))))))))))))))))))))
.
2010-08-16 19:41 . 2010-08-16 19:42 -------- d-----w- c:\program files\ERUNT
2010-08-12 18:52 . 2010-08-12 18:58 36864 ----a-w- C:\sssA1234567890.exe
2010-08-11 19:33 . 2010-08-11 19:33 12736 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-03 18:04 . 2010-08-03 18:04 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-03 18:04 . 2010-08-18 20:46 -------- d-----w- c:\documents and settings\Any1\Application Data\skypePM
2010-08-03 18:01 . 2010-08-18 20:50 -------- d-----w- c:\documents and settings\Any1\Application Data\Skype
2010-08-03 18:00 . 2008-04-13 23:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-08-03 18:00 . 2008-04-13 23:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-08-03 18:00 . 2008-04-13 23:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2010-08-03 18:00 . 2008-04-13 23:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2010-08-03 18:00 . 2008-04-13 23:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2010-08-03 18:00 . 2008-04-13 23:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2010-08-03 18:00 . 2008-04-13 23:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-08-03 18:00 . 2008-04-13 23:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2010-08-03 18:00 . 2008-04-13 23:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-08-03 18:00 . 2008-04-13 23:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2010-08-03 18:00 . 2008-04-13 23:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-08-03 18:00 . 2008-04-13 23:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2010-08-03 17:59 . 2008-04-13 23:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-08-03 17:59 . 2008-04-13 23:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2010-08-03 17:59 . 2008-04-14 04:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-08-03 17:59 . 2008-04-14 04:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2010-08-03 17:59 . 2008-04-13 23:16 121984 -c--a-w- c:\windows\system32\dllcache\usbvideo.sys
2010-08-03 17:59 . 2008-04-13 23:16 121984 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2010-08-03 17:59 . 2008-04-13 23:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-08-03 17:59 . 2008-04-13 23:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-08-03 17:59 . 2010-08-18 20:55 -------- d-----r- c:\program files\Skype
2010-08-03 17:58 . 2010-08-18 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-25 12:52 . 2010-07-25 12:52 -------- d-----w- c:\documents and settings\Any1\Application Data\U3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 21:02 . 2010-03-28 17:59 -------- d-----w- c:\program files\iMesh Applications
2010-08-15 16:34 . 2010-01-24 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-15 16:07 . 2010-03-28 17:47 -------- d-----w- c:\documents and settings\Any1\Application Data\Spotify
2010-08-12 12:01 . 2010-01-24 16:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-12 18:19 . 2010-07-12 18:17 -------- d-----w- c:\program files\iTunes
2010-07-12 18:18 . 2010-07-12 18:18 -------- d-----w- c:\program files\iPod
2010-07-12 18:18 . 2010-03-31 15:15 -------- d-----w- c:\program files\Common Files\Apple
2010-07-12 18:11 . 2010-07-12 18:11 -------- d-----w- c:\program files\Bonjour
2010-07-12 18:08 . 2010-07-12 18:08 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-30 12:31 . 2008-04-14 00:42 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-06-23 15:57 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-13 20:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-13 19:45 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 00:41 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2010-01-03 20:13 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-14 00:42 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-06 16:12 . 2010-06-06 16:12 655360 ----a-w- c:\documents and settings\Any1\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-06-06 16:12 . 2010-06-06 16:12 282624 ----a-w- c:\documents and settings\Any1\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-06-06 16:12 . 2010-06-06 16:12 208896 ----a-w- c:\documents and settings\Any1\Application Data\Spotify\Gracenote\gnsdk_dsp.dll
.
------- Sigcheck -------
[-] 2008-08-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-08-18_22.16.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-19 11:11 . 2010-08-19 11:11 28672 c:\windows\ERDNT\AutoBackup\19-08-2010\Users\00000002\UsrClass.dat
+ 2010-08-19 11:11 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\19-08-2010\ERDNT.EXE
+ 2010-08-19 11:11 . 2010-08-19 11:11 6901760 c:\windows\ERDNT\AutoBackup\19-08-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-30 88363]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
c:\documents and settings\Any1\Start Menu\Programs\Startup\
03e0fbb.exe [2010-8-15 43008]
081cs60.exe [2010-8-14 43008]
0g9iid2.exe [2010-8-15 37888]
0kkaq0r.exe [2010-8-16 43008]
0m3e1qq.exe [2010-8-13 37888]
0p60q3c.exe [2010-8-13 43008]
16mmhyy.exe [2010-8-14 37888]
1bcxd60.exe [2010-8-15 43008]
1bm3e1q.exe [2010-8-13 43008]
1ep2fgb.exe [2010-8-14 43008]
21mmsy5.exe [2010-8-15 43008]
25rmmsy.exe [2010-8-15 43008]
2nii6uu.exe [2010-8-13 37888]
2pka6ww.exe [2010-8-15 43008]
2vb3n1y.exe [2010-8-16 37888]
2ws0ooj.exe [2010-8-15 37376]
5kv38mi.exe [2010-8-15 37888]
6gbmsy5.exe [2010-8-15 43008]
6mmhyyt.exe [2010-8-14 37888]
6nyt086.exe [2010-8-13 37888]
7x2i2pu.exe [2010-8-15 43008]
8sy586w.exe [2010-8-13 43008]
9bc0ne1.exe [2010-8-13 43008]
bmrsnep2fgb.exe [2010-8-14 37888]
brhndtze.exe [2010-8-14 37888]
c1jj083g.exe [2010-8-14 37376]
c1yu6aa70h.exe [2010-8-18 37376]
ccxytku6wb.exe [2010-8-15 43008]
cntu0avwr0.exe [2010-8-14 37888]
csi3kk5l.exe [2010-8-15 43008]
ddyu1q5r1.exe [2010-8-15 43008]
dtupllrhsoe.exe [2010-8-14 43008]
dyje8qrc.exe [2010-8-13 43008]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
fbmm11yo.exe [2010-8-16 37376]
flm70nje.exe [2010-8-14 43008]
g3injzpfg70.exe [2010-8-16 43008]
gbmsy5uf.exe [2010-8-15 37376]
gm5n1yo70l.exe [2010-8-16 43008]
gw0yo0e3a.exe [2010-8-14 43008]
hcc70jffg.exe [2010-8-16 43008]
hstepalgm.exe [2010-8-14 37888]
i0jzqggw.exe [2010-8-15 43008]
i1eaavrr.exe [2010-8-18 37376]
kvvlccs60zf.exe [2010-8-14 37888]
lhcc70jf.exe [2010-8-16 43008]
lhxxtjjf.exe [2010-8-14 43008]
lq81cnoj.exe [2010-8-15 43008]
lrhsny3kk6.exe [2010-8-14 37888]
m5ny3jfaqm.exe [2010-8-13 37888]
mrcs9o25l.exe [2010-8-15 43008]
n0jklbrs0.exe [2010-8-13 37888]
neezqqlc.exe [2010-8-17 43008]
oe6qvrhxij1.exe [2010-8-13 37888]
pu86g81sde.exe [2010-8-16 43008]
rcd70ppgbm.exe [2010-8-15 43008]
rinjzpfg.exe [2010-8-16 37888]
s1ee6glh.exe [2010-8-15 37376]
sy5zvgbb.exe [2010-8-16 43008]
ttpffbrrndd.exe [2010-8-18 37376]
u1alccs60.exe [2010-8-14 37376]
ufqvgrsnd.exe [2010-8-16 43008]
ufw1mns870.exe [2010-8-13 43008]
v706hy0zeu.exe [2010-8-14 43008]
vmhhytez.exe [2010-8-13 37888]
vwcnx1tkkal.exe [2010-8-15 37376]
w3ydzppgbm.exe [2010-8-15 37888]
wcnx1tkka.exe [2010-8-15 37888]
wrx60zfplg.exe [2010-8-15 43008]
wxxijju8.exe [2010-8-13 37888]
x66o86a8.exe [2010-8-15 37376]
xdi6kffb.exe [2010-8-13 43008]
xookplgbssn.exe [2010-8-18 43008]
xtoo6aa6.exe [2010-8-18 43008]
xtou70a7.exe [2010-8-18 37376]
xxijju86.exe [2010-8-13 43008]
xy0uu5v0.exe [2010-8-13 43008]
y3aqqrrnddz.exe [2010-8-15 43008]
y6pq70rx.exe [2010-8-17 37888]
y7epalgm3s.exe [2010-8-14 43008]
ytpp2vwr0.exe [2010-8-15 37888]
yy6pq70rx.exe [2010-8-17 43008]
yy70fbww6.exe [2010-8-15 37888]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tkntlmob.sys]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
Contents of the 'Scheduled Tasks' folder
2010-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
2010-08-19 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe [2010-04-27 13:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.kp.2020.net/planner/Core/Player/2020PlayerAX_Win32.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-19 21:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86036ACE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf766ff28
\Driver\ACPI -> ACPI.sys @ 0xf75c2cb8
\Driver\atapi -> atapi.sys @ 0xf7536852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel(R) PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7442bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7431a0d
SendHandler -> NDIS.sys @ 0xf7445b40
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(816)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2884)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
c:\windows\AGRSMMSG.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-08-19 21:47:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-19 20:47
ComboFix2.txt 2010-08-18 22:21
Pre-Run: 53,622,427,648 bytes free
Post-Run: 53,625,536,512 bytes free
- - End Of File - - 5E3C0CB08609629EFB91295C969C53FF
DDS (Ver_10-03-17.01) - NTFSx86
Run by Any1 at 21:56:08.17 on 19/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.692 [GMT 1:00]
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Any1\My Documents\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.sky.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\03e0fbb.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\081cs60.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\0g9iid2.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\0kkaq0r.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\0m3e1qq.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\0p60q3c.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\16mmhyy.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\1bcxd60.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\1bm3e1q.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\1ep2fgb.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\21mmsy5.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\25rmmsy.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\2nii6uu.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\2pka6ww.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\2vb3n1y.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\2ws0ooj.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\5kv38mi.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\6gbmsy5.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\6mmhyyt.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\6nyt086.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\7x2i2pu.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\8sy586w.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\9bc0ne1.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\bmrsnep2fgb.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\brhndtze.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\c1jj083g.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\c1yu6aa70h.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\ccxytku6wb.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\cntu0avwr0.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\csi3kk5l.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\ddyu1q5r1.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\dtupllrhsoe.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\dyje8qrc.exe
StartupFolder: c:\docume~1\any1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\fbmm11yo.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\flm70nje.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\g3injzpfg70.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\gbmsy5uf.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\gm5n1yo70l.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\gw0yo0e3a.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\hcc70jffg.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\hstepalgm.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\i0jzqggw.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\i1eaavrr.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\kvvlccs60zf.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\lhcc70jf.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\lhxxtjjf.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\lq81cnoj.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\lrhsny3kk6.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\m5ny3jfaqm.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\mrcs9o25l.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\n0jklbrs0.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\neezqqlc.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\oe6qvrhxij1.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\pu86g81sde.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\rcd70ppgbm.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\rinjzpfg.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\s1ee6glh.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\sy5zvgbb.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\ttpffbrrndd.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\u1alccs60.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\ufqvgrsnd.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\ufw1mns870.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\v706hy0zeu.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\vmhhytez.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\vwcnx1tkkal.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\w3ydzppgbm.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\wcnx1tkka.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\wrx60zfplg.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\wxxijju8.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\x66o86a8.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\xdi6kffb.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\xookplgbssn.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\xtoo6aa6.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\xtou70a7.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\xxijju86.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\xy0uu5v0.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\y3aqqrrnddz.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\y6pq70rx.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\y7epalgm3s.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\ytpp2vwr0.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\yy6pq70rx.exe
StartupFolder: c:\documents and settings\any1\start menu\programs\startup\yy70fbww6.exe
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.kp.2020.net/planner/Core/Player/2020PlayerAX_Win32.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262556294453
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
LSA: Authentication Packages = msv1_0 nwprovau
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2010-08-18 22:01:06 0 d-sha-r- C:\cmdcons
2010-08-18 21:58:08 98816 ----a-w- c:\windows\sed.exe
2010-08-18 21:58:08 77312 ----a-w- c:\windows\MBR.exe
2010-08-18 21:58:08 256512 ----a-w- c:\windows\PEV.exe
2010-08-18 21:58:08 161792 ----a-w- c:\windows\SWREG.exe
2010-08-18 20:55:35 0 d-----w- c:\windows\system32\appmgmt
2010-08-16 15:36:49 0 d-----w- c:\windows\pss
2010-08-15 18:01:23 91 ----a-w- c:\windows\wininit.ini
2010-08-12 18:52:19 36864 ----a-w- C:\sssA1234567890.exe
2010-08-11 19:33:49 12736 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-03 18:04:01 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-03 17:59:57 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-08-03 17:59:02 0 d-----r- c:\program files\Skype
==================== Find3M ====================
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-01-03 20:32:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010320100104\index.dat
============= FINISH: 21:57:10.92 ===============
Hi again,
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?t=59046
Collect::
C:\sssA1234567890.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\03e0fbb.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\081cs60.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\0g9iid2.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\0m3e1qq.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\16mmhyy.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\c1jj083g.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\c1yu6aa70h.exe
File::
c:\documents and settings\Any1\Start Menu\Programs\Startup\0kkaq0r.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\0p60q3c.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\1bcxd60.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\1bm3e1q.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\1ep2fgb.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\21mmsy5.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\25rmmsy.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\2nii6uu.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\2pka6ww.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\2vb3n1y.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\2ws0ooj.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\5kv38mi.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\6gbmsy5.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\6mmhyyt.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\6nyt086.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\7x2i2pu.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\8sy586w.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\9bc0ne1.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\bmrsnep2fgb.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\brhndtze.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\ccxytku6wb.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\cntu0avwr0.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\csi3kk5l.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\ddyu1q5r1.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\dtupllrhsoe.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\dyje8qrc.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\fbmm11yo.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\flm70nje.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\g3injzpfg70.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\gbmsy5uf.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\gm5n1yo70l.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\gw0yo0e3a.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\hcc70jffg.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\hstepalgm.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\i0jzqggw.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\i1eaavrr.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\kvvlccs60zf.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\lhcc70jf.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\lhxxtjjf.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\lq81cnoj.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\lrhsny3kk6.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\m5ny3jfaqm.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\mrcs9o25l.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\n0jklbrs0.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\neezqqlc.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\oe6qvrhxij1.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\pu86g81sde.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\rcd70ppgbm.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\rinjzpfg.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\s1ee6glh.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\sy5zvgbb.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\ttpffbrrndd.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\u1alccs60.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\ufqvgrsnd.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\ufw1mns870.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\v706hy0zeu.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\vmhhytez.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\vwcnx1tkkal.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\w3ydzppgbm.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\wcnx1tkka.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\wrx60zfplg.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\wxxijju8.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\x66o86a8.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\xdi6kffb.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\xookplgbssn.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\xtoo6aa6.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\xtou70a7.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\xxijju86.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\xy0uu5v0.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\y3aqqrrnddz.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\y6pq70rx.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\y7epalgm3s.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\ytpp2vwr0.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\yy6pq70rx.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\yy70fbww6.exe
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tkntlmob.sys]
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Get the 9.3.3 and 9.3.4 updates for Adobe Reader here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is UNchecked.
Click Scan
Wait for the scan to finish.
Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
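The Startup-folder listing in the log above is the kind of thing a helper reads by eye before writing a CFScript. As an added example (not code from this thread, from ComboFix or from DDS), here is a small Python triage helper that parses a ComboFix-style Startup listing, flags the cluster of bare random-named executables, and renders their paths as a CFScript File:: section. The sample listing, the name pattern and the cluster thresholds are my assumptions.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample, modelled on the ComboFix Startup-folder listing posted in
# this thread: a directory header ending in "\", then "<name> [<y-m-d> <size>]"
# lines. Names and sizes are copied from the log above; the mix is hypothetical.
SAMPLE_LISTING = """\
c:\\documents and settings\\Any1\\Start Menu\\Programs\\Startup\\
03e0fbb.exe [2010-8-15 43008]
081cs60.exe [2010-8-14 43008]
0g9iid2.exe [2010-8-15 37888]
2ws0ooj.exe [2010-8-15 37376]
ERUNT AutoBackup.lnk - c:\\program files\\ERUNT\\AUTOBACK.EXE [2005-10-20 38912]
xookplgbssn.exe [2010-8-18 43008]
y6pq70rx.exe [2010-8-17 37888]
"""

# "<name> [<yyyy-m-d> <size>]"; the name may contain spaces and a " - target" part
ENTRY_RE = re.compile(
    r"^(?P<name>[^\[]+?)\s+\[(?P<y>\d{4})-(?P<m>\d{1,2})-(?P<d>\d{1,2})\s+(?P<size>\d+)\]$"
)
# 7-11 lowercase letters/digits: the shape of every dropper name in the log above
# (assumed heuristic, not a rule from ComboFix or DDS)
RANDOM_STEM_RE = re.compile(r"^[a-z0-9]{7,11}$")


def parse_startup_listing(text):
    """Return one dict per file entry: full path, name, created date and byte size."""
    folder, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\") and "[" not in line:
            folder = line  # directory header; the entries below belong to it
            continue
        m = ENTRY_RE.match(line)
        if m is None or folder is None:
            continue
        entries.append({
            "path": folder + m["name"],
            "name": m["name"],
            "date": date(int(m["y"]), int(m["m"]), int(m["d"])),
            "size": int(m["size"]),
        })
    return entries


def looks_random_exe(name):
    """Bare .exe (not a .lnk shortcut) whose stem is a short lowercase alnum string."""
    stem, dot, ext = name.rpartition(".")
    return bool(dot) and ext.lower() == "exe" and RANDOM_STEM_RE.match(stem) is not None


def flag_dropper_cluster(entries, min_cluster=3, max_span_days=14):
    """Random-named .exe files count as a dropper cluster only when at least
    min_cluster of them were created within max_span_days of each other; a
    single odd name is left for manual review rather than flagged."""
    candidates = [e for e in entries if looks_random_exe(e["name"])]
    if len(candidates) < min_cluster:
        return []
    dates = [e["date"] for e in candidates]
    if (max(dates) - min(dates)).days > max_span_days:
        return []
    return candidates


def size_histogram(entries):
    """Count files per exact byte size; a few repeated sizes point to one generator."""
    return Counter(e["size"] for e in entries)


def cfscript_file_section(entries):
    """Render the paths as a CFScript 'File::' section, one full path per line."""
    return "File::\n" + "".join(e["path"] + "\n" for e in entries)


if __name__ == "__main__":
    flagged = flag_dropper_cluster(parse_startup_listing(SAMPLE_LISTING))
    print(f"{len(flagged)} suspicious entries, sizes {dict(size_histogram(flagged))}")
    print(cfscript_file_section(flagged))
```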
Hi,
Attached are reports as requested.
Many thanks,
John.
ComboFix 10-08-18.04 - Any1 20/08/2010 20:26:45.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.755 [GMT 1:00]
Running from: c:\documents and settings\Any1\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Any1\My Documents\CFScript.txt
* Created a new restore point
FILE ::
"c:\documents and settings\Any1\Start Menu\Programs\Startup\0kkaq0r.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\0p60q3c.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\1bcxd60.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\1bm3e1q.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\1ep2fgb.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\21mmsy5.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\25rmmsy.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\2nii6uu.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\2pka6ww.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\2vb3n1y.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\2ws0ooj.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\5kv38mi.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\6gbmsy5.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\6mmhyyt.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\6nyt086.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\7x2i2pu.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\8sy586w.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\9bc0ne1.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\bmrsnep2fgb.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\brhndtze.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\ccxytku6wb.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\cntu0avwr0.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\csi3kk5l.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\ddyu1q5r1.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\dtupllrhsoe.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\dyje8qrc.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\fbmm11yo.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\flm70nje.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\g3injzpfg70.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\gbmsy5uf.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\gm5n1yo70l.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\gw0yo0e3a.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\hcc70jffg.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\hstepalgm.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\i0jzqggw.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\i1eaavrr.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\kvvlccs60zf.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\lhcc70jf.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\lhxxtjjf.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\lq81cnoj.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\lrhsny3kk6.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\m5ny3jfaqm.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\mrcs9o25l.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\n0jklbrs0.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\neezqqlc.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\oe6qvrhxij1.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\pu86g81sde.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\rcd70ppgbm.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\rinjzpfg.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\s1ee6glh.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\sy5zvgbb.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\ttpffbrrndd.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\u1alccs60.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\ufqvgrsnd.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\ufw1mns870.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\v706hy0zeu.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\vmhhytez.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\vwcnx1tkkal.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\w3ydzppgbm.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\wcnx1tkka.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\wrx60zfplg.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\wxxijju8.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\x66o86a8.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\xdi6kffb.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\xookplgbssn.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\xtoo6aa6.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\xtou70a7.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\xxijju86.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\xy0uu5v0.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\y3aqqrrnddz.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\y6pq70rx.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\y7epalgm3s.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\ytpp2vwr0.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\yy6pq70rx.exe"
"c:\documents and settings\Any1\Start Menu\Programs\Startup\yy70fbww6.exe"
file zipped: c:\documents and settings\Any1\Start Menu\Programs\Startup\03e0fbb.exe
file zipped: c:\documents and settings\Any1\Start Menu\Programs\Startup\081cs60.exe
file zipped: c:\documents and settings\Any1\Start Menu\Programs\Startup\0g9iid2.exe
file zipped: c:\documents and settings\Any1\Start Menu\Programs\Startup\0m3e1qq.exe
file zipped: c:\documents and settings\Any1\Start Menu\Programs\Startup\16mmhyy.exe
file zipped: c:\documents and settings\Any1\Start Menu\Programs\Startup\c1jj083g.exe
file zipped: c:\documents and settings\Any1\Start Menu\Programs\Startup\c1yu6aa70h.exe
file zipped: C:\sssA1234567890.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Any1\Start Menu\Programs\Startup\03e0fbb.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\081cs60.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\0g9iid2.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\0kkaq0r.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\0m3e1qq.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\0p60q3c.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\16mmhyy.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\1bcxd60.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\1bm3e1q.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\1ep2fgb.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\21mmsy5.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\25rmmsy.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\2nii6uu.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\2pka6ww.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\2vb3n1y.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\2ws0ooj.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\5kv38mi.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\6gbmsy5.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\6mmhyyt.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\6nyt086.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\7x2i2pu.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\8sy586w.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\9bc0ne1.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\bmrsnep2fgb.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\brhndtze.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\c1jj083g.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\c1yu6aa70h.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\ccxytku6wb.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\cntu0avwr0.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\csi3kk5l.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\ddyu1q5r1.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\dtupllrhsoe.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\dyje8qrc.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\fbmm11yo.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\flm70nje.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\g3injzpfg70.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\gbmsy5uf.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\gm5n1yo70l.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\gw0yo0e3a.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\hcc70jffg.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\hstepalgm.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\i0jzqggw.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\i1eaavrr.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\kvvlccs60zf.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\lhcc70jf.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\lhxxtjjf.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\lq81cnoj.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\lrhsny3kk6.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\m5ny3jfaqm.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\mrcs9o25l.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\n0jklbrs0.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\neezqqlc.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\oe6qvrhxij1.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\pu86g81sde.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\rcd70ppgbm.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\rinjzpfg.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\s1ee6glh.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\sy5zvgbb.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\ttpffbrrndd.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\u1alccs60.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\ufqvgrsnd.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\ufw1mns870.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\v706hy0zeu.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\vmhhytez.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\vwcnx1tkkal.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\w3ydzppgbm.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\wcnx1tkka.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\wrx60zfplg.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\wxxijju8.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\x66o86a8.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\xdi6kffb.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\xookplgbssn.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\xtoo6aa6.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\xtou70a7.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\xxijju86.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\xy0uu5v0.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\y3aqqrrnddz.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\y6pq70rx.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\y7epalgm3s.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\ytpp2vwr0.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\yy6pq70rx.exe
c:\documents and settings\Any1\Start Menu\Programs\Startup\yy70fbww6.exe
C:\sssA1234567890.exe
.
((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
.
2010-08-16 19:41 . 2010-08-16 19:42 -------- d-----w- c:\program files\ERUNT
2010-08-11 19:33 . 2010-08-11 19:33 12736 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-03 18:04 . 2010-08-03 18:04 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-03 18:04 . 2010-08-18 20:46 -------- d-----w- c:\documents and settings\Any1\Application Data\skypePM
2010-08-03 18:01 . 2010-08-18 20:50 -------- d-----w- c:\documents and settings\Any1\Application Data\Skype
2010-08-03 18:00 . 2008-04-13 23:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-08-03 18:00 . 2008-04-13 23:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-08-03 18:00 . 2008-04-13 23:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2010-08-03 18:00 . 2008-04-13 23:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2010-08-03 18:00 . 2008-04-13 23:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2010-08-03 18:00 . 2008-04-13 23:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2010-08-03 18:00 . 2008-04-13 23:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-08-03 18:00 . 2008-04-13 23:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2010-08-03 18:00 . 2008-04-13 23:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-08-03 18:00 . 2008-04-13 23:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2010-08-03 18:00 . 2008-04-13 23:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-08-03 18:00 . 2008-04-13 23:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2010-08-03 17:59 . 2008-04-13 23:16 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-08-03 17:59 . 2008-04-13 23:16 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2010-08-03 17:59 . 2008-04-14 04:42 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-08-03 17:59 . 2008-04-14 04:42 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2010-08-03 17:59 . 2008-04-13 23:16 121984 -c--a-w- c:\windows\system32\dllcache\usbvideo.sys
2010-08-03 17:59 . 2008-04-13 23:16 121984 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2010-08-03 17:59 . 2008-04-13 23:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-08-03 17:59 . 2008-04-13 23:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-08-03 17:59 . 2010-08-18 20:55 -------- d-----r- c:\program files\Skype
2010-08-03 17:58 . 2010-08-18 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-25 12:52 . 2010-07-25 12:52 -------- d-----w- c:\documents and settings\Any1\Application Data\U3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 21:02 . 2010-03-28 17:59 -------- d-----w- c:\program files\iMesh Applications
2010-08-15 16:34 . 2010-01-24 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-15 16:07 . 2010-03-28 17:47 -------- d-----w- c:\documents and settings\Any1\Application Data\Spotify
2010-08-12 12:01 . 2010-01-24 16:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-12 18:19 . 2010-07-12 18:17 -------- d-----w- c:\program files\iTunes
2010-07-12 18:18 . 2010-07-12 18:18 -------- d-----w- c:\program files\iPod
2010-07-12 18:18 . 2010-03-31 15:15 -------- d-----w- c:\program files\Common Files\Apple
2010-07-12 18:11 . 2010-07-12 18:11 -------- d-----w- c:\program files\Bonjour
2010-07-12 18:08 . 2010-07-12 18:08 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-30 12:31 . 2008-04-14 00:42 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-06-23 15:57 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-13 20:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-13 19:45 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 00:41 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2010-01-03 20:13 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-14 00:42 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-06 16:12 . 2010-06-06 16:12 655360 ----a-w- c:\documents and settings\Any1\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-06-06 16:12 . 2010-06-06 16:12 282624 ----a-w- c:\documents and settings\Any1\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-06-06 16:12 . 2010-06-06 16:12 208896 ----a-w- c:\documents and settings\Any1\Application Data\Spotify\Gracenote\gnsdk_dsp.dll
.
------- Sigcheck -------
[-] 2008-08-29 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-08-18_22.16.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-20 19:09 . 2010-08-20 19:09 28672 c:\windows\ERDNT\AutoBackup\20-08-2010\Users\00000002\UsrClass.dat
+ 2010-08-19 11:11 . 2010-08-19 11:11 28672 c:\windows\ERDNT\AutoBackup\19-08-2010\Users\00000002\UsrClass.dat
+ 2010-08-20 19:09 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\20-08-2010\ERDNT.EXE
+ 2010-08-19 11:11 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\19-08-2010\ERDNT.EXE
+ 2010-08-20 19:09 . 2010-08-20 19:09 6901760 c:\windows\ERDNT\AutoBackup\20-08-2010\Users\00000001\NTUSER.DAT
+ 2010-08-19 11:11 . 2010-08-19 11:11 6901760 c:\windows\ERDNT\AutoBackup\19-08-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-30 88363]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
c:\documents and settings\Any1\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
Contents of the 'Scheduled Tasks' folder
2010-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
2010-08-19 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe [2010-04-27 13:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.kp.2020.net/planner/Core/Player/2020PlayerAX_Win32.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-20 20:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x862A5ACE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf766ff28
\Driver\ACPI -> ACPI.sys @ 0xf75c2cb8
\Driver\atapi -> atapi.sys @ 0xf7536852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel(R) PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7442bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7431a0d
SendHandler -> NDIS.sys @ 0xf7445b40
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\WININET.dll
.
Completion time: 2010-08-20 20:38:56
ComboFix-quarantined-files.txt 2010-08-20 19:38
ComboFix2.txt 2010-08-19 20:47
ComboFix3.txt 2010-08-18 22:21
Pre-Run: 53,563,887,616 bytes free
Post-Run: 53,552,730,112 bytes free
- - End Of File - - 52EE18694C0AC91CBD28F1BC5BED32D1
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Bredolabfb5.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RegistryHelper1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RegistryHelper2.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RegistryHelper3.zip Win32/Bagle.gen.zip worm
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\xwponeh.exe.vir Win32/Tofsee.AA trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\0kkaq0r.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\0p60q3c.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\1bcxd60.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\1bm3e1q.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\1ep2fgb.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\21mmsy5.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\25rmmsy.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\2nii6uu.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\2pka6ww.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\2vb3n1y.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\2ws0ooj.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\5kv38mi.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\6gbmsy5.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\6mmhyyt.exe.vir Win32/Lethic.AA trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\6nyt086.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\7x2i2pu.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\8sy586w.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\9bc0ne1.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\bmrsnep2fgb.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\brhndtze.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\ccxytku6wb.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\cntu0avwr0.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\csi3kk5l.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\ddyu1q5r1.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\dtupllrhsoe.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\dyje8qrc.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\fbmm11yo.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\flm70nje.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\g3injzpfg70.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\gbmsy5uf.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\gm5n1yo70l.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\gw0yo0e3a.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\hcc70jffg.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\hstepalgm.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\i0jzqggw.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\i1eaavrr.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\kvvlccs60zf.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\lhcc70jf.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\lhxxtjjf.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\lq81cnoj.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\lrhsny3kk6.exe.vir Win32/Lethic.AA trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\m5ny3jfaqm.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\mrcs9o25l.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\n0jklbrs0.exe.vir Win32/Lethic.AA trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\neezqqlc.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\oe6qvrhxij1.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\pu86g81sde.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\rcd70ppgbm.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\rinjzpfg.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\s1ee6glh.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\sy5zvgbb.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\ttpffbrrndd.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\u1alccs60.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\ufqvgrsnd.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\ufw1mns870.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\v706hy0zeu.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\vmhhytez.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\vwcnx1tkkal.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\w3ydzppgbm.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\wcnx1tkka.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\wrx60zfplg.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\wxxijju8.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\x66o86a8.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\xdi6kffb.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\xookplgbssn.exe.vir a variant of Win32/Injector.CQB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\xtoo6aa6.exe.vir a variant of Win32/Injector.CQB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\xtou70a7.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\xxijju86.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\xy0uu5v0.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\y3aqqrrnddz.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\y6pq70rx.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\y7epalgm3s.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\ytpp2vwr0.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\yy6pq70rx.exe.vir a variant of Win32/Injector.CQE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Any1\Start Menu\Programs\Startup\yy70fbww6.exe.vir a variant of Win32/Injector.CQD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4ex.dll.vir a variant of Win32/Routmo.N trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP3\A0000288.exe a variant of Win32/Injector.CRC trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP3\A0000290.exe Win32/Tofsee.AA trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP3\A0000570.dll a variant of Win32/Routmo.N trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000836.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000838.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000840.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000841.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000842.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000843.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000844.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000845.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000846.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000847.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000848.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000849.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000850.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000851.exe Win32/Lethic.AA trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000852.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000853.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000854.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000855.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000856.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000857.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000860.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000861.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000862.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000863.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000864.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000865.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000866.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000867.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000868.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000869.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000870.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000871.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000872.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000873.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000874.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000875.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000876.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000877.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000878.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000879.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000880.exe Win32/Lethic.AA trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000881.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000882.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000883.exe Win32/Lethic.AA trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000884.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000885.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000886.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000887.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000888.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000889.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000890.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000891.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000892.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000893.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000894.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000895.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000896.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000897.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000898.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000899.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000900.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000901.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000902.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000903.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000904.exe a variant of Win32/Injector.CQB trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000905.exe a variant of Win32/Injector.CQB trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000906.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000907.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000908.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000909.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000910.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000911.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000912.exe a variant of Win32/Injector.CQD trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000913.exe a variant of Win32/Injector.CQE trojan
C:\System Volume Information\_restore{66971694-BB6C-4B8A-A97E-01949B4BFD14}\RP4\A0000914.exe a variant of Win32/Injector.CQD trojan
DDS (Ver_10-03-17.01) - NTFSx86
Run by Any1 at 21:29:43.12 on 20/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.642 [GMT 1:00]
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Any1\My Documents\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.sky.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\any1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA} - c:\program files\winferno\pc confidential\PCConfidential.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.kp.2020.net/planner/Core/Player/2020PlayerAX_Win32.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262556294453
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
LSA: Authentication Packages = msv1_0 nwprovau
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2010-08-20 20:09:20 0 d-----w- c:\program files\ESET
2010-08-20 19:26:27 1213 ----a-w- C:\CF-Submit.htm
2010-08-18 22:01:06 0 d-sha-r- C:\cmdcons
2010-08-18 21:58:08 98816 ----a-w- c:\windows\sed.exe
2010-08-18 21:58:08 77312 ----a-w- c:\windows\MBR.exe
2010-08-18 21:58:08 256512 ----a-w- c:\windows\PEV.exe
2010-08-18 21:58:08 161792 ----a-w- c:\windows\SWREG.exe
2010-08-18 20:55:35 0 d-----w- c:\windows\system32\appmgmt
2010-08-16 15:36:49 0 d-----w- c:\windows\pss
2010-08-15 18:01:23 91 ----a-w- c:\windows\wininit.ini
2010-08-11 19:33:49 12736 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-03 18:04:01 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-03 17:59:57 17024 -c--a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-08-03 17:59:02 0 d-----r- c:\program files\Skype
==================== Find3M ====================
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-01-03 20:32:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010320100104\index.dat
============= FINISH: 21:31:01.03 ===============
Note:
After running ESET, it asked me to upload something for further analysis.
This is:
C:\Qoobox\Quarantine\[4]-submit_2010-08-20_20.26.07.zip
This was uploaded as requested.
Hi John,
1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract its contents into a folder in the desired location (e.g. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select cure and click Continue (tool may prompt for a reboot).
4. Post back the contents of the log file in the c: drive root (the name should be in UtilityName.Version_Date_Time_log.txt format).
Came back as no threats found.
Log attached below.
Many thanks,
John.
2010/08/21 20:37:26.0031 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23
2010/08/21 20:37:26.0031 ================================================================================
2010/08/21 20:37:26.0031 SystemInfo:
2010/08/21 20:37:26.0031
2010/08/21 20:37:26.0031 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/21 20:37:26.0031 Product type: Workstation
2010/08/21 20:37:26.0031 ComputerName: ANY1-1630B435AA
2010/08/21 20:37:26.0031 UserName: Any1
2010/08/21 20:37:26.0031 Windows directory: C:\WINDOWS
2010/08/21 20:37:26.0031 System windows directory: C:\WINDOWS
2010/08/21 20:37:26.0031 Processor architecture: Intel x86
2010/08/21 20:37:26.0031 Number of processors: 1
2010/08/21 20:37:26.0031 Page size: 0x1000
2010/08/21 20:37:26.0031 Boot type: Normal boot
2010/08/21 20:37:26.0031 ================================================================================
2010/08/21 20:37:26.0234 Initialize success
2010/08/21 20:37:40.0234 ================================================================================
2010/08/21 20:37:40.0234 Scan started
2010/08/21 20:37:40.0234 Mode: Manual;
2010/08/21 20:37:40.0234 ================================================================================
2010/08/21 20:37:58.0937 ================================================================================
2010/08/21 20:37:58.0937 Scan finished
2010/08/21 20:37:58.0937 ================================================================================
2010/08/21 20:38:17.0125 Deinitialize success
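A small parser for the TDSSKiller log format posted above, as an added example that is not part of the original post or of Kaspersky's tool. It reads the `timestamp Name (md5) path` driver records plus the "Windows directory", "Scan started" and "Scan finished" markers, and flags drivers whose file path lies outside the Windows directory; that flag is a constructed triage heuristic, not a TDSSKiller feature, and the sample log (including the `oddsvc` line and its all-zero hash) is constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A driver record as TDSSKiller writes it in the log above, e.g.
#   2010/08/21 20:37:40.0765 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
DRIVER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)
# Any other timestamped line: SystemInfo fields, separators, scan markers.
MARKER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<text>.*?)\s*$"
)


@dataclass
class DriverEntry:
    timestamp: str
    name: str
    md5: str
    path: str


@dataclass
class ScanSummary:
    windows_dir: Optional[str] = None
    drivers: List[DriverEntry] = field(default_factory=list)
    scan_started: bool = False
    scan_finished: bool = False
    # Constructed heuristic: drivers loaded from outside %SystemRoot%.
    # A legitimate third-party driver can live elsewhere, so this is a
    # "look here first" list for triage, not a verdict.
    outside_windows_dir: List[DriverEntry] = field(default_factory=list)


def parse_tdsskiller_log(text: str) -> ScanSummary:
    """Parse a TDSSKiller log and summarise what the scan covered."""
    summary = ScanSummary()
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            summary.drivers.append(
                DriverEntry(m["ts"], m["name"], m["md5"].lower(), m["path"])
            )
            continue
        m = MARKER_RE.match(line)
        if not m:
            continue  # not a timestamped line; ignore
        msg = m["text"]
        if msg.startswith("Windows directory:"):
            summary.windows_dir = msg.split(":", 1)[1].strip()
        elif msg == "Scan started":
            summary.scan_started = True
        elif msg == "Scan finished":
            summary.scan_finished = True

    if summary.windows_dir:
        prefix = summary.windows_dir.rstrip("\\").lower() + "\\"
        summary.outside_windows_dir = [
            d for d in summary.drivers if not d.path.lower().startswith(prefix)
        ]
    return summary


# Constructed sample: the first driver lines and markers mirror the log
# above; the 'oddsvc' record with a placeholder all-zero hash is invented
# to exercise the outside-Windows-directory check.
SAMPLE_LOG = r"""2010/08/21 20:37:26.0031 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23
2010/08/21 20:37:26.0031 ================================================================================
2010/08/21 20:37:26.0031 Windows directory: C:\WINDOWS
2010/08/21 20:37:40.0234 Scan started
2010/08/21 20:37:40.0765 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/21 20:37:42.0359 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/21 20:37:50.0000 oddsvc (00000000000000000000000000000000) C:\Documents and Settings\All Users\Application Data\oddsvc.sys
2010/08/21 20:37:58.0937 Scan finished
"""

if __name__ == "__main__":
    s = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"Windows dir: {s.windows_dir}; drivers: {len(s.drivers)}; "
          f"started={s.scan_started} finished={s.scan_finished}")
    for d in s.outside_windows_dir:
        print(f"review: {d.name} {d.md5} {d.path}")
```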
Hi,
Delete these files:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Bredolabfb5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RegistryHelper1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RegistryHelper2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RegistryHelper3.zip
Any issues left?
Items removed as requested.
I have now re-run spybot search and destroy and it runs cleanly.
Many thanks for your time and effort, it is very much appreciated.
Cheers,
John. :thanks:
You're welcome :)
It's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.
Now let's uninstall ComboFix:
Click START then RUN.
Now copy-paste Combofix /uninstall into the Run box and click OK.
Next we remove all used tools.
Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings.
Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html)
Good commercial ones are from:
Kaspersky (http://www.kaspersky.com/homeuser) and
ESET (http://www.eset.com/products/index.php)
Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.