PDA

View Full Version : Resilient Malware



Antylus
2010-10-06, 18:17
Hi all,

Yesterday, I noticed that my computer had slowed down and that Windows Media Player, in particular, had ground to a halt. I attempted to update Spybot and realised that something was blocking my access. Downloading various anti-malware utilities, I discovered that the infection was also preventing these programs from opening – a problem sometimes remedied by altering their file names. Finally, in the Windows Security Centre, AVG’s virus protection was described as ‘off’ and this could not be corrected.

So far, I have run Spybot, SuperAntiSpyware and Malwarebyte’s Anti-Malware. I have attached the removal logs along with those requested. The computer is now performing better (programs can update and AVG has recommenced virus and malware protection) but certain files are still being prevented from opening.

Thanks in advance for your assistance,

Antylus

DDS log:

DDS (Ver_10-10-05.01) - NTFSx86
Run by Adam at 15:44:33.72 on 06/10/2010
Internet Explorer: 9.0.7930.16406 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.877 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\sttray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Adam\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uWindow Title = Internet Explorer provided by Dell
mDefault_Page_URL = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=3070906
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=3070906
uInternet Connection Wizard,ShellNext = \0\0
uInternet Connection Wizard,ShellNext = about:NoAdd-ons
uInternet Connection Wizard,ShellNext = about:SecurityRisk
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 0a000000
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 01000000
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 1a000000
uInternet Connection Wizard,ShellNext = 1a000000
uInternet Connection Wizard,ShellNext = yes
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PodcastBHO Class: {65134fdf-f8a5-4b3d-91d9-cdf273cfd578} - c:\program files\common files\doubletwist\IEPodcastPlugin.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\adam\appdata\roaming\microsoft\windows\start menu\programs\startup\HotSync Manager.lnk.disabled
StartupFolder: c:\users\adam\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote 2007 Screen Clipper and Launcher.lnk.disabled
StartupFolder: c:\users\adam\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\Adobe Gamma Loader.lnk.disabled
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\Dataviz Messenger.lnk.disabled
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\Digital Line Detect.lnk.disabled
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\HP Digital Imaging Monitor.lnk.disabled
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\Privoxy.lnk.disabled
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\QuickSet.lnk.disabled
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\VPN Client.lnk.disabled
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll c:\progra~1\google\google~1\GOEC62~1.DLL
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
STS: Deskscapes Class: {ec654325-1273-c2a9-2b7c-45d29bce68fb} - c:\program files\stardock\object desktop\deskscapes\deskscapes.dll
STS: Stardock Vista ControlPanel Extension: {ec654325-1273-c2a9-2b7c-45d29bce68fd} - c:\program files\stardock\object desktop\deskscapes\DesktopControlPanel.dll
STS: StardockDreamController: {ec654325-1273-c2a9-2b7c-45d29bce68ff} - c:\program files\stardock\object desktop\deskscapes\DreamControl.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\adam\appdata\roaming\mozilla\firefox\profiles\nuhnsxic.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\adam\appdata\roaming\mozilla\firefox\profiles\nuhnsxic.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npaudio.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npavi32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npbeatnk.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npchime.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPDocBox.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPOFF12.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\nppdf32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nppl3260.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprfxins.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprjplug.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npswf32.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\users\adam\appdata\roaming\mozilla\firefox\profiles\nuhnsxic.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\adam\appdata\roaming\mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

R0 hotcore3;Hotcore helper;c:\windows\system32\drivers\hotcore3.sys [2009-12-21 40496]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-18 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-18 29584]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-31 243024]
R1 PSMounter;PSMounter;c:\windows\system32\drivers\psmounter.sys [2008-7-8 31712]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-3-2 390528]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-1 59240]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-1 166632]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\common files\abbyy\finereader\9.00\licensing\pe\NetworkLicenseServer.exe [2007-12-6 660768]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-16 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2010-3-10 6656]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-7-1 840936]
R2 ReflectService;Macrium Reflect Scheduling Services;c:\program files\macrium\reflect\ReflectService.exe [2008-8-10 252896]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]
R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-11 21504]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\photoshopelementsfileagent.exe --> c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-27 135664]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\photoshopelementsdeviceconnect.exe --> c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-9-6 30192]
S3 hwmobilehsn;High Speed USB Modem and USB Serial For Normal;c:\windows\system32\drivers\hwmob01.sys [2010-4-19 106240]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-3-19 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-3-19 8320]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2007-9-6 23232]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2007-9-6 19008]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-10-06 11:43:43 -------- d-----w- c:\users\adam\appdata\roaming\SUPERAntiSpyware.com
2010-10-06 11:43:43 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-10-06 11:40:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-06 11:37:05 2400229 ----a-w- C:\MGtools.exe
2010-10-06 11:23:16 6291456 ---ha-w- c:\users\adam\appdata\local\IconCache.db
2010-10-06 11:21:58 20 ----a-w- c:\users\adam\defogger_reenable
2010-10-06 00:20:27 -------- d-----w- c:\users\adam\appdata\roaming\Malwarebytes
2010-10-06 00:17:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-06 00:17:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-06 00:17:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-06 00:17:01 -------- d-----w- c:\progra~2\Malwarebytes
2010-09-29 08:33:40 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-27 16:39:03 -------- d-----w- C:\Hotspot Shield
2010-09-27 16:38:57 -------- d-----w- c:\program files\Hotspot Shield
2010-09-27 02:25:10 -------- d-----w- c:\program files\Windows Portable Devices
2010-09-27 02:24:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-09-27 02:22:38 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-09-27 02:06:07 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-09-27 02:06:06 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-09-27 02:06:06 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-09-27 02:03:52 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-09-27 02:03:52 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-09-27 02:03:52 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-09-25 18:34:01 -------- d-----w- c:\progra~2\DivX
2010-09-25 18:00:53 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2010-09-25 18:00:53 797184 ----a-w- c:\windows\system32\FntCache.dll
2010-09-25 18:00:53 680960 ----a-w- c:\windows\system32\d2d1.dll
2010-09-25 18:00:53 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2010-09-25 18:00:53 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2010-09-25 18:00:53 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2010-09-25 18:00:53 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-09-25 18:00:53 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2010-09-25 18:00:53 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2010-09-25 18:00:53 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2010-09-25 18:00:53 1174528 ----a-w- c:\windows\system32\d3d10warp.dll
2010-09-25 18:00:53 1068032 ----a-w- c:\windows\system32\DWrite.dll
2010-09-25 17:58:46 -------- d-----w- c:\program files\Feedback Tool
2010-09-25 12:21:37 -------- d-----w- c:\windows\system32\eu-ES
2010-09-25 12:21:37 -------- d-----w- c:\windows\system32\ca-ES
2010-09-25 12:21:35 -------- d-----w- c:\windows\system32\vi-VN
2010-09-25 11:08:14 -------- d-----w- c:\windows\system32\EventProviders
2010-09-22 19:19:02 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2010-09-18 16:41:46 -------- d-----w- c:\users\adam\appdata\local\Amazon
2010-09-18 10:19:11 -------- d-----w- c:\users\adam\appdata\local\Cisco
2010-09-18 10:10:57 -------- d-----w- c:\program files\Cisco
2010-09-18 10:10:47 -------- d-----w- c:\progra~2\Cisco
2010-09-17 02:02:21 -------- d-----w- C:\52a3bb0b6e95a19f0af21e
2010-09-16 18:26:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-15 21:58:02 502272 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 21:57:57 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 21:57:54 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 21:57:47 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-08 19:52:29 -------- d-----w- c:\users\adam\appdata\roaming\InfraRecorder
2010-09-08 19:50:28 -------- d-----w- c:\program files\InfraRecorder

==================== Find3M ====================

2010-10-06 11:11:55 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-31 23:46:36 1355264 ----a-w- c:\windows\system32\jscript9.dll
2010-08-31 23:44:32 367104 ----a-w- c:\windows\system32\html.iec
2010-08-31 23:44:30 1448448 ----a-w- c:\windows\system32\inetcpl.cpl
2010-08-31 23:44:24 1122304 ----a-w- c:\windows\system32\wininet.dll
2010-08-31 23:44:06 424960 ----a-w- c:\windows\system32\vbscript.dll
2010-08-31 23:43:22 23552 ----a-w- c:\windows\system32\licmgr10.dll
2010-08-31 23:43:12 72704 ----a-w- c:\windows\system32\SetDepNx.exe
2010-08-31 23:43:12 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2010-08-31 23:43:12 114176 ----a-w- c:\windows\system32\iesysprep.dll
2010-08-31 23:43:10 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2010-08-31 23:43:10 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2010-08-31 23:42:58 51200 ----a-w- c:\windows\system32\admparse.dll
2010-08-31 23:42:54 75264 ----a-w- c:\windows\system32\iesetup.dll
2010-08-31 23:42:48 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2010-08-31 23:42:42 150016 ----a-w- c:\windows\system32\iexpress.exe
2010-08-31 23:42:42 149504 ----a-w- c:\windows\system32\wextract.exe
2010-08-31 23:42:20 33280 ----a-w- c:\windows\system32\imgutil.dll
2010-08-31 23:42:16 48640 ----a-w- c:\windows\system32\mshtmler.dll
2010-08-31 23:42:12 11264 ----a-w- c:\windows\system32\mshta.exe
2010-08-31 23:42:10 2381824 ----a-w- c:\windows\system32\mshtml.tlb
2010-08-31 23:42:04 63488 ----a-w- c:\windows\system32\tdc.ocx
2010-08-31 23:41:46 160768 ----a-w- c:\windows\system32\msls31.dll
2010-08-20 09:35:22 339968 ----a-w- c:\windows\system32\RapportBuka.dll
2010-08-12 04:07:46 133616 ------w- c:\windows\system32\PxAFS.DLL
2010-08-12 04:07:46 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-08-12 04:07:46 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-07-16 17:47:55 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2005-02-22 16:55:02 81920 --sh--r- c:\windows\system32\aac_parser.ax
2005-08-12 09:04:06 606208 --sha-w- c:\windows\system32\CoreAAC.ax
2005-01-17 23:26:36 179200 --sh--r- c:\windows\system32\DiracSplitter.ax
2005-02-12 23:00:00 186880 --sh--r- c:\windows\system32\RLOgg.ax
2005-02-12 23:00:00 51712 --sh--r- c:\windows\system32\RLSpeexDec.ax
2005-02-12 23:00:00 67584 --sh--r- c:\windows\system32\RLTheoraDec.ax
2005-02-05 23:00:00 92672 --sh--r- c:\windows\system32\RLVorbisDec.ax

============= FINISH: 15:48:13.47 ===============

ken545
2010-10-10, 15:25
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware execpt for the programs we may run.

Malwarebytes removed entries related to your computer being hijacked from the uKraine, I am sure there is more we cant see.

Run this program please , with Vista you will have to right click on the icon and select Run As Administrator

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Antylus
2010-10-10, 18:48
Thank you very much for your help.

I've saved the file to the desktop and disabled both AVG and Windows Firewall. When I double-click on the icon (or run as administrator), I am given the option to run the program. When I select 'Run', the dialogue box disappears and nothing happens.

Any advice would be much appreciated.

Antylus

ken545
2010-10-10, 19:24
Hi,

I am sure there is a rootkit type of infection still present preventing CF from running.

Drag Combofix to the trash and do it this way

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Antylus
2010-10-10, 21:52
Hi,

I ran Combofix and it generated the attached log file. Now, however, when I try to open programs, I get the following message 'Illegal operation attempted on a registry key that has been marked for deletion.'

Thanks again for your help.

Antylus
2010-10-10, 21:56
Hi,

I ran Combofix and it generated the attached log file. Now, however, when I try to open programs, I get the following message 'Illegal operation attempted on a registry key that has been marked for deletion.'

Thanks again for your help.

Sorry, forgot to attach the log.

ComboFix 10-10-09.06 - Adam 10/10/2010 18:54:37.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1165 [GMT 1:00]
Running from: c:\users\Adam\Desktop\Combo-Fix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Adam\DreamAquarium.scr
c:\users\Adam\DreamAquariumXP.exe
c:\users\Adam\Murder Theme .WAV

Infected copy of c:\windows\system32\drivers\smb.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_usnjsvc


((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2010-10-10 18:05 . 2010-10-10 18:08 -------- d-----w- c:\users\Adam\AppData\Local\temp
2010-10-10 18:05 . 2010-10-10 18:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-10 18:05 . 2010-10-10 18:05 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-10-06 13:57 . 2010-09-16 09:24 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C3E7C4F9-2F6B-4469-972E-D90251B3C6A0}\mpengine.dll
2010-10-06 11:43 . 2010-10-06 11:43 -------- d-----w- c:\users\Adam\AppData\Roaming\SUPERAntiSpyware.com
2010-10-06 11:43 . 2010-10-06 11:43 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-10-06 11:40 . 2010-10-06 14:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-06 11:37 . 2010-10-06 11:37 2400229 ----a-w- C:\MGtools.exe
2010-10-06 11:12 . 2010-10-06 11:12 -------- d-----w- c:\program files\Common Files\Java
2010-10-06 00:20 . 2010-10-06 00:20 -------- d-----w- c:\users\Adam\AppData\Roaming\Malwarebytes
2010-10-06 00:17 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-06 00:17 . 2010-10-06 00:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-06 00:17 . 2010-10-06 00:17 -------- d-----w- c:\programdata\Malwarebytes
2010-10-06 00:17 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-06 00:09 . 2010-10-06 00:09 -------- d-----w- c:\program files\ERUNT
2010-09-29 08:33 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-27 16:39 . 2010-09-27 16:40 -------- d-----w- C:\Hotspot Shield
2010-09-27 16:38 . 2010-09-27 16:40 -------- d-----w- c:\program files\Hotspot Shield
2010-09-27 02:25 . 2010-09-27 02:25 -------- d-----w- c:\program files\Windows Portable Devices
2010-09-27 02:06 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-09-27 02:06 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-09-27 02:06 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-09-27 02:03 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-09-27 02:03 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-09-27 02:03 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-09-25 18:34 . 2010-09-25 18:36 -------- d-----w- c:\programdata\DivX
2010-09-25 18:00 . 2010-08-17 23:54 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2010-09-25 18:00 . 2010-08-17 23:54 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2010-09-25 18:00 . 2010-08-17 23:52 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2010-09-25 18:00 . 2010-08-17 23:51 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2010-09-25 18:00 . 2010-08-17 23:51 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-09-25 18:00 . 2010-08-17 23:51 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2010-09-25 18:00 . 2010-08-17 23:50 680960 ----a-w- c:\windows\system32\d2d1.dll
2010-09-25 18:00 . 2010-08-17 23:49 1174528 ----a-w- c:\windows\system32\d3d10warp.dll
2010-09-25 18:00 . 2010-08-17 23:49 1068032 ----a-w- c:\windows\system32\DWrite.dll
2010-09-25 18:00 . 2010-08-17 23:49 797184 ----a-w- c:\windows\system32\FntCache.dll
2010-09-25 18:00 . 2010-08-17 23:48 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2010-09-25 18:00 . 2010-08-17 23:48 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2010-09-25 17:58 . 2010-09-25 17:58 -------- d-----w- c:\program files\Feedback Tool
2010-09-25 12:21 . 2010-09-25 12:22 -------- d-----w- c:\windows\system32\ca-ES
2010-09-25 12:21 . 2010-09-25 12:22 -------- d-----w- c:\windows\system32\eu-ES
2010-09-25 12:21 . 2010-09-25 12:22 -------- d-----w- c:\windows\system32\vi-VN
2010-09-25 11:08 . 2010-09-25 11:08 -------- d-----w- c:\windows\system32\EventProviders
2010-09-22 19:19 . 2010-09-22 19:19 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2010-09-18 16:41 . 2010-09-18 16:41 -------- d-----w- c:\users\Adam\AppData\Local\Amazon
2010-09-18 10:19 . 2010-09-18 10:19 -------- d-----w- c:\users\Adam\AppData\Local\Cisco
2010-09-18 10:10 . 2010-09-18 10:10 -------- d-----w- c:\program files\Cisco
2010-09-18 10:10 . 2010-09-18 10:10 -------- d-----w- c:\programdata\Cisco
2010-09-17 02:02 . 2010-10-06 10:49 -------- d-----w- C:\52a3bb0b6e95a19f0af21e
2010-09-16 18:26 . 2010-09-21 12:30 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-15 21:58 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 21:57 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 21:57 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 21:57 . 2010-08-17 10:52 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-09-15 21:57 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 12:11 . 2008-12-16 12:26 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-27 1540096]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-28 133656]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-29 30192]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk.disabled [2008-12-22 1615]
OneNote 2007 Screen Clipper and Launcher.lnk.disabled [2009-4-7 1113]
OneNote Table Of Contents.onetoc2 [2009-4-7 3656]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2010-7-20 917]
Adobe Reader Speed Launch.lnk.disabled [2008-5-7 1883]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Dataviz Messenger.lnk.disabled [2008-12-22 1644]
Digital Line Detect.lnk.disabled [2007-9-6 1748]
HP Digital Imaging Monitor.lnk.disabled [2008-3-18 1974]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-10-11 67128]
Privoxy.lnk.disabled [2010-8-2 808]
QuickSet.lnk.disabled [2010-8-20 2485]
VPN Client.lnk.disabled [2010-8-20 2565]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup
"doubleTwist"=c:\program files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe
"ehTray.exe"=c:\windows\ehome\ehTray.exe
"kdx"=c:\program files\Kontiki\KHost.exe -all
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"dscactivate"=c:\dell\dsca.exe 3
"ECenter"=c:\dell\E-Center\EULALauncher.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
"PMX Daemon"=ICO.EXE
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Reflect Scheduler"=c:\program files\Macrium\Reflect\RefSched.exe
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"SigmatelSysTrayApp"=sttray.exe
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 135664]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [x]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-29 30192]
R3 hwmobilehsn;High Speed USB Modem and USB Serial For Normal;c:\windows\system32\DRIVERS\hwmob01.sys [2009-07-08 106240]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-03-19 136704]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-03-19 8320]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [x]
R3 pmxmouse;pmxmouse;c:\windows\system32\DRIVERS\pmxmouse.sys [2006-10-19 23232]
R3 pmxusblf;pmxusblf;c:\windows\system32\DRIVERS\pmxusblf.sys [2006-10-19 19008]
R3 pohci13F;pohci13F;c:\users\Adam\AppData\Local\Temp\pohci13F.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-28 691696]
S0 hotcore3;Hotcore helper;c:\windows\system32\DRIVERS\hotcore3.sys [2008-09-26 40496]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2008-05-20 15328]
S1 PSMounter;PSMounter; [x]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-03-02 390528]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-01 59240]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-07-01 166632]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-09-22 325168]
S2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2010-03-10 6656]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-07-01 840936]
S2 ReflectService;Macrium Reflect Scheduling Services;c:\program files\Macrium\Reflect\ReflectService.exe [2008-08-10 252896]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-10-10 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-07-14 16:33]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 23:03]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 23:03]

2010-10-10 c:\windows\Tasks\User_Feed_Synchronization-{D0DEC358-9280-41BE-929F-5820DF4846BB}.job
- c:\windows\system32\msfeedssync.exe [2010-09-25 23:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\nuhnsxic.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\nuhnsxic.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npaudio.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npavi32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npbeatnk.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npchime.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPDocBox.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npnul32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\NPOFF12.DLL
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nppdf32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nprfxins.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nprjplug.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nprpjplug.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npswf32.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\nuhnsxic.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\users\Adam\AppData\Roaming\Mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4027073455-2314426751-95628222-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C8E212BE-61D4-EC7E-2134-D94D9605CEB3}*]
"naafebhhhdgedflfmbojojbakbde"=hex:69,61,64,6f,6e,6e,6a,6b,69,6e,6a,66,63,65,
65,6d,6b,65,00,77
"oakdcibnbcclnbcdcpkjggnnhjmidk"=hex:6b,61,6f,6f,6b,63,63,62,61,6f,6e,67,63,61,
70,6a,70,69,61,70,66,64,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(14916)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\program files\Stardock\Object Desktop\DeskScapes\deskscapes.dll
c:\program files\Stardock\Object Desktop\DeskScapes\deskscape.dll
c:\program files\Stardock\Object Desktop\DeskScapes\DesktopControlPanel.dll
c:\program files\Stardock\Object Desktop\DeskScapes\DreamControl.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 6\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\sttray.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-10-10 19:16:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-10 18:16

Pre-Run: 81,235,890,176 bytes free
Post-Run: 80,848,592,896 bytes free

- - End Of File - - B348DE0D9D1779AA5FB490178E61EB39

ken545
2010-10-10, 22:06
Hi,

Just reboot your computer and that error should go away.

Just copy and paste the logs into this thread its easier for us to analyze them.

Looking at it now, be back in a bit

ken545
2010-10-11, 00:00
Looks fine,

Lets sweep for leftovers

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Antylus
2010-10-11, 02:54
Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.7930.16406 (WIN7_IE9_Beta.100831-2345)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=db36febb30e7f8489dc085f39db47bcc
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-10 11:30:20
# local_time=2010-10-11 12:30:20 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 392 392 0 0
# compatibility_mode=5892 16776573 100 100 372828 124278989 0 0
# compatibility_mode=8192 67108863 100 0 736 736 0 0
# scanned=337175
# found=19
# cleaned=18
# scan_time=7158
C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adbbpci20019.mexw32 probably a variant of Win32/Agent.ETXTRWX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adbbpci20023.mexw32 probably a variant of Win32/Agent.IJGCGML trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adgesada1.mexw32 probably a variant of Win32/Agent.JQVAIXB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adrtddm6420.mexw32 probably a variant of Win32/Agent.YULJKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adrtddm6430.mexw32 probably a variant of Win32/Agent.FEHKRNR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\dikmdas1800hr.mexw32 probably a variant of Win32/Agent.DLKBKHU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\dinipctio10.mexw32 probably a variant of Win32/Agent.LIWBNIY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\dobbpci20041.mexw32 probably a variant of Win32/Agent.LGHPYFZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\encadapci1710.mexw32 probably a variant of Win32/Agent.MGCEANH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\encadpa1700.mexw32 probably a variant of Win32/Agent.FMZKFTW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\rs232_send.mexw32 probably a variant of Win32/Agent.BWDMVJY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\scblock.mexw32 probably a variant of Win32/Agent.CQMYIJY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\xpcregstack.mexw32 probably a variant of Win32/Agent.BBHSNJZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\smb.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Users\Adam\Downloads\video2screensaver4.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Adam\Downloads\HSS-1.22-install-anchorfree-76-conduit\HSS-1.22-install-anchorfree-76-conduit.exe a variant of Win32/HotSpotShield application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Adam\Seagate\Downloads\HSS-1.07-install-anchorfree-76-conduit\HSS-1.07-install-anchorfree-76-conduit.exe a variant of Win32/HotSpotShield application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6002.18005_none_61560a3ff5180c84\smb.sys Win32/Olmarik.ZC trojan (error while cleaning) 00000000000000000000000000000000 I

I am being given the option of deleting the quarantined files. Should I do this?

ken545
2010-10-11, 03:08
Just leave them in Quarantine , make sure everything is working ok. if so than delete them.

How are things running now ?

Antylus
2010-10-11, 03:39
Things seem to be working well.

Should I be worried about this bit of the log?:

C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6002.18005_none_61560a3ff5180c84\smb.sys Win32/Olmarik.ZC trojan (error while cleaning) 00000000000000000000000000000000 I

ken545
2010-10-11, 11:08
Hi,

Thats a backup of the infected file that Combofix cleaned. If we remove it there will be no back up so just leave it be.

You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has been checked before, have them check it again

C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6002.18005_none_61560a3ff5180c84\smb.sys <--This file

If the site is busy you can try this one

http://virusscan.jotti.org/en

Antylus
2010-10-11, 12:13
Hi,

With hidden files visible, the only smb.sys file I can locate is called 'smb.sys.vir' and is found in C:\Qoobox\Quarantine\C\Windows\system32\Drivers.

I submitted this to VirusTotal but only get the following:

File name: smb.sys.vir
Submission date: 2010-10-11 09:07:55 (UTC)
Current status: queued queued analysing finished
Result: 0/ 43 (0.0%)

Is there something that I have to do to the file before submitting it?

ken545
2010-10-11, 14:09
Hi,

The file your submitting is the infected one that was removed by Combofix. The one we are looking at for info may have been removed.


Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
smb.sys


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Post that information and I will be back soon

Antylus
2010-10-11, 14:36
Here are the results:

SystemLook 04.09.10 by jpshortstuff
Log created at 12:30 on 11/10/2010 by Adam
Administrator - Elevation successful

========== filefind ==========

Searching for "smb.sys"
C:\Windows\System32\drivers\smb.sys --a---- 66560 bytes [22:28 23/09/2009] [04:45 11/04/2009] 7B75299A4D201D6A6533603D6914AB04
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6000.16386_none_5d33cf37fb0b3064\smb.sys --a---- 66048 bytes [08:57 02/11/2006] [08:57 02/11/2006] AC0D90738ADB51A6FD12FF00874A2162
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys --a---- 66560 bytes [11:51 11/09/2008] [05:55 19/01/2008] 031E6BCD53C9B2B9ACE111EAFEC347B6

-= EOF =-

Antylus
2010-10-11, 14:45
Strangely, smb.sys has now appeared. Here is the VirusTotal output:

File name:
smb.sys
Submission date:
2010-10-11 11:41:10 (UTC)
Current status:
queued (#1) queued analysing finished
Result:
0/ 43 (0.0%)

Antivirus Version Last Update Result
AhnLab-V3 2010.10.11.00 2010.10.11 -
AntiVir 7.10.12.171 2010.10.11 -
Antiy-AVL 2.0.3.7 2010.10.11 -
Authentium 5.2.0.5 2010.10.10 -
Avast 4.8.1351.0 2010.10.11 -
Avast5 5.0.594.0 2010.10.11 -
AVG 9.0.0.851 2010.10.10 -
BitDefender 7.2 2010.10.11 -
CAT-QuickHeal 11.00 2010.10.11 -
ClamAV 0.96.2.0-git 2010.10.11 -
Comodo 6351 2010.10.11 -
DrWeb 5.0.2.03300 2010.10.11 -
Emsisoft 5.0.0.50 2010.10.11 -
eSafe 7.0.17.0 2010.10.07 -
eTrust-Vet 36.1.7904 2010.10.11 -
F-Prot 4.6.2.117 2010.10.10 -
F-Secure 9.0.15370.0 2010.10.11 -
Fortinet 4.2.249.0 2010.10.11 -
GData 21 2010.10.11 -
Ikarus T3.1.1.90.0 2010.10.11 -
Jiangmin 13.0.900 2010.10.11 -
K7AntiVirus 9.65.2713 2010.10.09 -
Kaspersky 7.0.0.125 2010.10.11 -
McAfee 5.400.0.1158 2010.10.11 -
McAfee-GW-Edition 2010.1C 2010.10.11 -
Microsoft 1.6201 2010.10.11 -
NOD32 5520 2010.10.11 -
Norman 6.06.07 2010.10.11 -
nProtect 2010-10-11.01 2010.10.11 -
Panda 10.0.2.7 2010.10.10 -
PCTools 7.0.3.5 2010.10.11 -
Prevx 3.0 2010.10.11 -
Rising 22.69.00.01 2010.10.11 -
Sophos 4.58.0 2010.10.11 -
Sunbelt 7035 2010.10.11 -
SUPERAntiSpyware 4.40.0.1006 2010.10.10 -
Symantec 20101.2.0.161 2010.10.11 -
TheHacker 6.7.0.1.054 2010.10.10 -
TrendMicro 9.120.0.1004 2010.10.11 -
TrendMicro-HouseCall 9.120.0.1004 2010.10.11 -
VBA32 3.12.14.1 2010.10.11 -
ViRobot 2010.10.4.4074 2010.10.11 -
VirusBuster 12.67.11.0 2010.10.10 -

Additional information

MD5 : 031e6bcd53c9b2b9ace111eafec347b6
SHA1 : 8d5e2e086a1ee5138a257a89d37e36eaf7464af3
SHA256: b934129bd77ca6a1434c59ea82b5e93fd4089608e0e41242b6e68070a0f33fb8
ssdeep: 768:KRMZGl8pNOycBLtWKpruaDfrMXtFes9ANIiy2oZO3vW7akukgTUIS9QvB0yFym83:hZlpNO
Lxp3HyFeZKix/kaJQm8l1
File size : 66560 bytes
First seen: 2009-09-19 20:17:09
Last seen : 2010-10-11 11:41:10
TrID:
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: SMB Transport driver
original name: smb.sys
internal name: smb.sys
file version.: 6.0.6001.18000 (longhorn_rtm.080118-1840)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x104FB
timedatestamp....: 0x479190CF (Sat Jan 19 05:55:27 2008)
machinetype......: 0x14c (I386)

[[ 7 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x9E7C, 0xA000, 6.35, d382db19365b2a064001096e587b2661
.rdata, 0xB000, 0x630, 0x800, 4.27, 7e258cf84ef9890fdf4aec61c2924eb7
.data, 0xC000, 0x368, 0x200, 1.93, 3df6b17179703e291195683cc2c4f99f
PAGE, 0xD000, 0x2E08, 0x3000, 6.27, d1b289f8fd13da08bb7bde61fa6cbf07
INIT, 0x10000, 0x127E, 0x1400, 5.72, c5baad2824d37f7ce81853cee803634e
.rsrc, 0x12000, 0x3E8, 0x400, 3.32, 74c1c9e9518c6c360157789bae6e426b
.reloc, 0x13000, 0xDBE, 0xE00, 6.42, 50a35d6e330a8f8239b2b28366a78c01

[[ 5 import(s) ]]
ntoskrnl.exe: IoAllocateWorkItem, IofCompleteRequest, IoReleaseCancelSpinLock, IoAcquireCancelSpinLock, ObfReferenceObject, memmove, MmMapLockedPagesSpecifyCache, MmBuildMdlForNonPagedPool, ZwQueryValueKey, RtlInitUnicodeString, memcpy, RtlUpcaseUnicodeStringToOemString, IoAllocateIrp, IoFreeIrp, RtlUpcaseUnicodeChar, RtlGUIDFromString, KeLeaveCriticalRegion, ExReleaseResourceLite, ExAcquireResourceExclusiveLite, KeEnterCriticalRegion, RtlEqualUnicodeString, ZwClose, ZwCreateFile, _allmul, KeSetTimer, IoQueueWorkItem, KeInitializeTimer, KeCancelTimer, IoBuildPartialMdl, DbgBreakPoint, MmUnmapLockedPages, IoBuildDeviceIoControlRequest, KeGetCurrentThread, IoGetDeviceObjectPointer, KeDetachProcess, KeAttachProcess, PsGetCurrentProcess, ZwDeviceIoControlFile, IoWMIWriteEvent, MmGetSystemRoutineAddress, RtlCompareMemory, IoWMIRegistrationControl, ExQueueWorkItem, strncmp, ExDeleteResourceLite, ExInitializeResourceLite, ZwCreateKey, ZwOpenKey, IoDeleteDevice, KeTickCount, KeBugCheckEx, IoFreeWorkItem, KeResetEvent, IoGetRelatedDeviceObject, IofCallDriver, KeInitializeEvent, KeWaitForSingleObject, IoFileObjectType, ObfDereferenceObject, IoAllocateMdl, IoInitializeWorkItem, KeInitializeSemaphore, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, IoFreeMdl, KeSetEvent, IoUninitializeWorkItem, ExFreePoolWithTag, IoSizeofWorkItem, ExAllocatePoolWithTag, memset, KeInitializeDpc, ObReferenceObjectByHandle, ZwSetSecurityObject, ObOpenObjectByPointer, IoDeviceObjectType, IoCreateDevice, RtlGetDaclSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, _snwprintf, RtlLengthSecurityDescriptor, SeCaptureSecurityDescriptor, SeExports, IoIsWdmVersionAvailable, _wcsnicmp, RtlAddAccessAllowedAce, RtlLengthSid, wcschr, RtlAbsoluteToSelfRelativeSD, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ZwSetValueKey, RtlFreeUnicodeString, isspace, islower, isxdigit, isdigit
HAL.dll: KfAcquireSpinLock, KeGetCurrentIrql, KfReleaseSpinLock
NETIO.SYS: NsiAllocateAndGetTable, NsiFreeTable, NsiGetAllParameters
NDIS.SYS: NdisGetThreadObjectCompartmentId, NdisSetThreadObjectCompartmentId
TDI.SYS: TdiEnumerateAddresses, TdiCopyBufferToMdl, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiInitialize, TdiProviderReady, TdiDeregisterProvider, TdiRegisterPnPHandlers, TdiRegisterProvider, TdiDeregisterPnPHandlers

ken545
2010-10-11, 19:16
Hi,

Lets run ESET again and see if its gone. Post the NEW log please

Antylus
2010-10-12, 02:33
Here is the new log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.7930.16406 (WIN7_IE9_Beta.100831-2345)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=db36febb30e7f8489dc085f39db47bcc
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-10 11:30:20
# local_time=2010-10-11 12:30:20 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 392 392 0 0
# compatibility_mode=5892 16776573 100 100 372828 124278989 0 0
# compatibility_mode=8192 67108863 100 0 736 736 0 0
# scanned=337175
# found=19
# cleaned=18
# scan_time=7158
C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adbbpci20019.mexw32 probably a variant of Win32/Agent.ETXTRWX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adbbpci20023.mexw32 probably a variant of Win32/Agent.IJGCGML trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adgesada1.mexw32 probably a variant of Win32/Agent.JQVAIXB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adrtddm6420.mexw32 probably a variant of Win32/Agent.YULJKC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\adrtddm6430.mexw32 probably a variant of Win32/Agent.FEHKRNR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\dikmdas1800hr.mexw32 probably a variant of Win32/Agent.DLKBKHU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\dinipctio10.mexw32 probably a variant of Win32/Agent.LIWBNIY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\dobbpci20041.mexw32 probably a variant of Win32/Agent.LGHPYFZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\encadapci1710.mexw32 probably a variant of Win32/Agent.MGCEANH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\encadpa1700.mexw32 probably a variant of Win32/Agent.FMZKFTW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\rs232_send.mexw32 probably a variant of Win32/Agent.BWDMVJY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\scblock.mexw32 probably a variant of Win32/Agent.CQMYIJY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\MATLAB\R2009a\toolbox\rtw\targets\xpc\target\build\xpcblocks\xpcregstack.mexw32 probably a variant of Win32/Agent.BBHSNJZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\smb.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Users\Adam\Downloads\video2screensaver4.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Adam\Downloads\HSS-1.22-install-anchorfree-76-conduit\HSS-1.22-install-anchorfree-76-conduit.exe a variant of Win32/HotSpotShield application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Adam\Seagate\Downloads\HSS-1.07-install-anchorfree-76-conduit\HSS-1.07-install-anchorfree-76-conduit.exe a variant of Win32/HotSpotShield application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6002.18005_none_61560a3ff5180c84\smb.sys Win32/Olmarik.ZC trojan (error while cleaning) 00000000000000000000000000000000 I
# version=7
# iexplore.exe=9.00.7930.16406 (WIN7_IE9_Beta.100831-2345)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=db36febb30e7f8489dc085f39db47bcc
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-11 08:04:52
# local_time=2010-10-11 09:04:52 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 0 124351139 0 0
# compatibility_mode=8192 67108863 100 0 72886 72886 0 0
# scanned=338188
# found=0
# cleaned=0
# scan_time=9080

ken545
2010-10-12, 03:26
Looks like its gone, how are things running now ?

Antylus
2010-10-12, 03:31
Looks like its gone, how are things running now ?

Things seem to be working well - I am able to open all of my antivirus and anti-malware software.

ken545
2010-10-12, 03:34
Great, download and run this program, its the free version and yours to keep, one of the better anti spyware programs out there.

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

Antylus
2010-10-12, 11:50
Here is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4799

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.7930.16406

12/10/2010 09:45:54
mbam-log-2010-10-12 (09-45-54).txt

Scan type: Quick scan
Objects scanned: 162719
Time elapsed: 14 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ken545
2010-10-12, 13:58
Looking good :bigthumb:

How are things running now ?

Antylus
2010-10-12, 16:19
Things seem to be back to normal. Is there anything else that I should do?

ken545
2010-10-12, 19:18
Great :bigthumb:


Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can damage your system


Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.





Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.



Make sure to follow the instructions for System Restore, to remove old restore points and creating a new one


How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.



Safe Surfn
Ken

Antylus
2010-10-12, 20:48
:thanks:

Thank you so much for all your help - you are a saint!

ken545
2010-10-12, 20:58
Your very welcome,

Take Care,

Ken :)

ken545
2010-11-01, 10:24
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.