virtumonde.crack spyware

OriginalMcBlood

New member
Hi, please help. I have the above piece of malware plus some Win32-type malware.
I mistakenly ran S&D and removed a lot of stuff before reading the correct process properly, sorry. Anyway, here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:27:36, on 27/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\APPS\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\apps\ABoard\AOSD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\TEMP\System.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/welcome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: qs Class - {8A555E0E-6240-DD93-198D-45F571D4FD9B} - C:\Program Files\altcmd\altcmd32.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: {510b77fa-78dc-54eb-1954-c32aa5ec61ee} - {ee16ce5a-a23c-4591-be45-cd87af77b015} - C:\WINDOWS\system32\vrqzew.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "c:\APPS\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows System Update] C:\WINDOWS\TEMP\CSRSS.EXE
O4 - HKLM\..\Run: [Windows Updater] C:\WINDOWS\TEMP\System.exe
O4 - HKLM\..\Run: [Language_Shortcut] C:\WINDOWS\TEMP\IEXPLORE.EXE
O4 - HKLM\..\Run: [SYSTRAY_UPDATE] C:\WINDOWS\TEMP\systray.exe
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [System Restore] C:\WINDOWS\TEMP\alg.exe
O4 - HKCU\..\Run: [SmpcSys] C:\APPS\SMP\SmpSys.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: userinit.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game08.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

--
End of file - 14450 bytes
 
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
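The verdict above is read straight out of the HijackThis log: autostart entries launched from C:\WINDOWS\TEMP, a second program chained onto UserInit, a nameless BHO and an AppInit_DLLs entry. As an added example, not part of this thread and not a HijackThis feature, here is a small Python triage pass over lines in that format. The sample lines are copied from the log posted above; the list of "system32 resident" binary names, the temp-directory markers and the reason texts are my own heuristics. ntpath is used so the Windows paths parse correctly on any host.

```python
import ntpath
import re
from dataclasses import dataclass

# Binaries that normally live only in C:\WINDOWS\system32 (heuristic list, my own);
# a file carrying one of these names anywhere else deserves a closer look.
SYSTEM32_RESIDENTS = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "userinit.exe", "alg.exe",
}
SYSTEM32_DIR = "c:\\windows\\system32"
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\local settings\\temp")

# HijackThis line shapes handled here (O4 Run keys, O4 Startup folders, F2 UserInit,
# O20 AppInit_DLLs, O2 BHOs). Everything else is ignored.
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<item>.+)$")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.+)$")
PATH_RE = re.compile(r'(?i)[a-z]:\\[^"]*?\.(?:exe|dll|scr)')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]+\}$")


@dataclass
class Finding:
    line: str
    reasons: list


def first_path(command):
    """Pull the first drive-letter path out of a command line, quoted or not."""
    m = PATH_RE.search(command)
    return m.group(0) if m else None


def path_reasons(path):
    """Reasons a single executable/DLL path looks suspicious."""
    reasons = []
    low = path.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("runs from a temporary directory")
    if ntpath.basename(low) in SYSTEM32_RESIDENTS and ntpath.dirname(low) != SYSTEM32_DIR:
        reasons.append("system binary name outside system32")
    return reasons


def triage_line(line):
    line = line.strip()
    reasons = []
    if m := RUN_RE.match(line):
        path = first_path(m.group("cmd"))
        if path:
            reasons += path_reasons(path)
    elif m := STARTUP_RE.match(line):
        item = m.group("item")
        # Normal Startup-folder items are shortcuts ("x.lnk = target"); a bare
        # executable named like a system binary does not belong there.
        if "=" not in item and item.lower() in SYSTEM32_RESIDENTS:
            reasons.append("startup-folder executable named like a system binary")
    elif m := USERINIT_RE.match(line):
        # UserInit should name exactly one program; anything chained after it
        # runs at every logon.
        for entry in m.group("value").split(","):
            entry = entry.strip()
            if entry and entry.lower() != SYSTEM32_DIR + "\\userinit.exe":
                reasons.append(f"extra UserInit entry: {entry}")
    elif m := APPINIT_RE.match(line):
        for dll in re.split(r"[ ,]+", m.group("value")):
            if dll:
                reasons.append(f"AppInit_DLLs loads {dll} into every GUI process")
    elif m := BHO_RE.match(line):
        if GUID_RE.match(m.group("name").strip()):
            reasons.append("BHO registered without a descriptive name")
        if m.group("target").endswith("(file missing)"):
            reasons.append("BHO points at a missing file (orphaned registration)")
    return Finding(line, reasons) if reasons else None


def triage(log_text):
    """Return one Finding per suspicious HijackThis line, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: qs Class - {8A555E0E-6240-DD93-198D-45F571D4FD9B} - C:\Program Files\altcmd\altcmd32.dll (file missing)
O2 - BHO: {510b77fa-78dc-54eb-1954-c32aa5ec61ee} - {ee16ce5a-a23c-4591-be45-cd87af77b015} - C:\WINDOWS\system32\vrqzew.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows System Update] C:\WINDOWS\TEMP\CSRSS.EXE
O4 - HKLM\..\Run: [Windows Updater] C:\WINDOWS\TEMP\System.exe
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: userinit.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

Eight of the twelve sample lines are flagged; the Java helper, jusched, ctfmon and the Windows Search shortcut pass cleanly. A heuristic like this only narrows the reading list; each flagged file still has to be confirmed with a scanner or a hash lookup, as the thread goes on to do with Kaspersky Online Scanner.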
 
reformat

I can reformat it if I only need to reformat one HDD.

The problem is that I have 2 HDDs on this computer. The standard factory-installed drive is split into 2 normal drives, C and D, but I also have a second HDD (K) connected via USB.

If I can just wipe the C (where the OS is) and D drives and remain secure then that is fine, because I can use the other drive to store a backup of all of my files. If this is infected, though, I do not have the resources to do this.

It depends on the nature of the virus. Anything I download normally I download onto D and then transfer across to K (the entire download untouched) and install on K. All original downloaded data on D is normally deleted and then deleted from the recycle bin. If the programme is related to "standard" applications such as the OS, browser, Java etc., or is less than about 1 GB, then I commonly install it on C.

I strongly suspect this has piggybacked in with IE 8; maybe I have unknowingly downloaded from a dodgy mocked-up site. Practically immediately after install my spyware software started giving me detections, and if I tried to browse it tried to redirect me to a URL starting "gremlinko" before coming up with a cannot-connect page.

At the same time, on boot-up Windows DEP kicked in, flashing numerous DDM proxy messages, well, the same one over and over again.

The source could also have been a driver update tool app that I downloaded, installed, ran and uninstalled all within about half an hour.

If, however, it has lain dormant for a week or longer, then it could be a few different things.

Anyway, back to the point: will I need to reformat all drives connected to this PC? And also, this PC is networked and there are 2 other PCs and an Xbox that share this network; what about them, are they secure?

I can keep posting from my nice clean PC at work.

thanks blade

OriginalMcBlood
 
Hi

Both C and D drives should be reformatted.

Also, in your case there's a worm that is aware of removable drives. That means your USB drive may carry the infection.

Let me know what you want to do (try cleaning or format).
 
Hi
Let's try and clean it first, and if that does not work then I will have to go down the reformat route. Happy days; I am carrying about 400 GB of apps and documents on this PC, and God only knows where all the original media is to reinstall it all!

I am looking at a lot of time and work to get it back to where it was before infection if I have to reformat, but I suppose that is better than being bankrupt and the CID knocking on my door because someone with my identity has done something naughty.

Is the malware in the OS or is it more deeply embedded? Could we clean, and then I could uninstall and reinstall my OS, or is this a pointless exercise, just making me feel more secure without any guaranteed security benefits?

Sorry to moan; I really appreciate your help on this. I am just PO'ed with getting malware after never having any for the last, forever, and priding myself on being, I thought, very secure.

cheers
 
tag on to previous post

Just read the post above and realised it sounds a bit naive. I know that if I reinstall the OS I will be reformatting, following the normal process (although I also know that there are ways around this).

To clarify: if I back up everything on my drives, they get cleaned, and then I just dump everything that was on there back again, could I effectively reinfect my system, thus wasting my and, more importantly, your valuable time?
 
Hi

You should back up only videos, music and pictures.

As said, one of the infections there is aware of removable drives. If you're going to back up anything to a USB drive, it's better to make sure the drive isn't infected.

Disable autorun on the infected system (instructions).


1. Download Flash_Disinfector and save it to the Desktop of your clean system.
2. After downloading, double-click on Flash_Disinfector to run it.
3. Just follow the prompts and continue until it begins scanning.
4. If asked to insert your flash drive or any removable device, including USB pen drive and memory stick, please do so.
5. It will scan removable drives; wait for the scan to finish. Done.

Run Kaspersky Online Scanner to check if the external hard drive is clean. If it is, then you may back up the above-mentioned file types.
 
stumbling block

Okay I have hit a problem.
I downloaded Flash Disinfector (your link did not work, by the way) onto a pen drive from a laptop.

I went on the infected system to disable autorun. I disabled autorun and rebooted and put the pen drive into a USB port in the infected computer. It did not appear that autorun had been disabled properly. I went back and downloaded an update from Microsoft to make it work, using the same pen drive. I was so caught up in trying to clean the infected machine that I totally forgot about the dangers of cross-infection. I then installed the update and disabled autorun.

When I then went to install and run Flash Disinfector from the pen drive, the file had not downloaded properly and was unable to fully install.

It was at this point that I stopped and thought about the danger of cross-infection, maybe too late. So I used the antispyware scanner provided by my ISP to scan the pen drive I had been using.

Yes, you guessed it, it showed the pen drive as infected with about 4 viruses, all the ones that it shows if I run it on the infected system (it does not pick up all the ones that Spybot S&D does).

So my problem is now twofold:
I do not have a way of getting any files onto the infected machine because my pen drive is compromised.

The laptop I used to download the files may now well be infected as well. This laptop is in constant use and it was amazing that I could use it for the 2 minutes that I did to download these files. This computer has no antispyware software on it at all, and because of the constant-use issues I cannot get on it to put any on and scan (it is exclusively my wife's and is used very heavily for work-related stuff).

The laptop is not showing any signs of infection, but it did request the password for my wife's email account, which it does sporadically, she told me, but this was the next time she checked it after I had used the pen drive in her machine. Could I ask what you think the likelihood of infection is? Nothing has been installed or downloaded onto this machine; only the infected pen drive was used in it.

I cannot use the PC I am posting from to download any files, even if I went and got a new pen drive, or even to download to CD. The PCs within my organisation, because of the potential risk involved in any information-governance breaches, are disabled from the production of any portable media.

I would still like to try and clean this machine, but it is looking less and less possible.

In your opinion (I accept full liability for any consequences of any action I take with regard to this computer malware infection, irrespective of advice given), is it too much of a risk to connect this machine to the internet to download Flash Disinfector and run Kaspersky Online Scanner?
This is only one step added, downloading Flash Disinfector, before you advised going online anyway.

cheers
 
Hi

I think you can download KOS to this system with issues. As said earlier, I'm ready to assist with system cleaning if you want to try that.
 
Results of KOS

KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, May 1, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 01, 2009 14:52:27
Records in database: 2117868
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 243828
Threat name: 10
Infected objects: 51
Suspicious objects: 4
Duration of the scan: 04:43:38


File name / Threat name / Threats count
C:\WINDOWS\system32\vrqzew.dll/C:\WINDOWS\system32\vrqzew.dll Infected: Packed.Win32.Krap.n 29
C:\WINDOWS\TEMP\System.exe/C:\WINDOWS\TEMP\System.exe Infected: Backdoor.Win32.SdBot.jpe 1
C:\WINDOWS\csauie1.ocx Infected: not-a-virus:AdWare.Win32.Coupons.u 1
C:\WINDOWS\system32\drivers\services.exe Infected: Backdoor.Win32.SdBot.jpe 1
C:\WINDOWS\system32\isyhvxyp.dll Infected: Packed.Win32.Krap.n 1
C:\WINDOWS\system32\khfCuVmm.dll Infected: Trojan-Downloader.Win32.BHO.kml 1
C:\WINDOWS\system32\mvyerpjt.dll Infected: Packed.Win32.Krap.n 1
C:\WINDOWS\system32\vrqzew.dll Infected: Packed.Win32.Krap.n 1
C:\WINDOWS\system32\vtUlMecY.dll Infected: Trojan-Downloader.Win32.BHO.kml 1
C:\WINDOWS\system32\wowfx.dll Infected: Trojan.Win32.Agent.alos 1
C:\WINDOWS\Temp\System.exe Infected: Backdoor.Win32.SdBot.jpe 1
D:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B0D69EF.wmf Infected: Trojan-Downloader.Win32.Agent.acd 1
D:\Documents and Settings\The Family\Application Data\nvsvc1024.dll Infected: Trojan.Win32.Agent.alos 1
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\25\650d0659-68161e1c Infected: Exploit.Java.Gimsh.a 1
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-75a95481 Infected: Exploit.Java.Gimsh.a 1
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-6f01188c Infected: Exploit.Java.Gimsh.b 1
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-3450a110.zip Infected: Exploit.Java.Gimsh.a 1
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-52495110.zip Infected: Exploit.Java.Gimsh.b 1
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-4fb0852d.zip Infected: Exploit.Java.Gimsh.a 1
D:\Documents and Settings\The Family\Local Settings\Application Data\Identities\{D688B133-BB08-44AA-9610-0788232F351C}\Microsoft\Outlook Express\Dylan.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\Documents and Settings\The Family\Start Menu\Programs\Startup\userinit.exe Infected: Backdoor.Win32.SdBot.jpe 1
D:\Documents and Settings\The Family\svchost.exe Infected: Backdoor.Win32.SdBot.jpe 1
D:\RECYCLER\S-1-5-21-2687666314-1017323166-2936280733-1006\Dd129.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\RECYCLER\S-1-5-21-2687666314-1017323166-2936280733-1006\Dd156.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\RECYCLER\S-1-5-21-2687666314-1017323166-2936280733-1006\Dd181.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1
K:\My Documents 2\Downloads 2\downloaded stuff originals\Pro Evolution Soccer 2009 crack - [ pes2009.exe ].exe Infected: Trojan.Win32.VB.kki 1
K:\Programs 2\KONAMI\Pro Evolution 2009\cracked exe(s)\Pro Evolution Soccer 2009 crack - [ pes2009.exe ].exe Infected: Trojan.Win32.VB.kki 1

The selected area was scanned.
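The report above is what the rest of the thread turns on: which drives hold detections, which of those are a backdoor rather than a leftover in a Java cache or a recycle bin, and whether the USB drive K carries anything. As an added example, not part of the thread and not a Kaspersky tool, here is a Python summariser for KOS 7 report lines that folds the hits into one summary per drive letter. The sample lines are copied from the report above; the location buckets and the class/family split are my own conventions, not Kaspersky's.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# One detection line of a Kaspersky Online Scanner 7 report:
#   <path> Infected: <threat> <count>   or   <path> Suspicious: <threat> <count>
# The path may contain spaces and, for objects inside a container, a "/" separator.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

# Where a hit sits changes what it tells you (heuristic buckets, my own; first match wins).
LOCATION_KINDS = (
    ("\\quarantine\\", "quarantine"),                     # already isolated by another AV
    ("\\recycler\\", "recycle-bin"),                      # deleted content, inert until restored
    ("\\sun\\java\\deployment\\cache\\", "java-cache"),   # exploit delivery artefacts
    ("\\startup\\", "autostart"),                         # launched at every logon
    ("\\windows\\", "windows-dir"),
)


@dataclass
class DriveSummary:
    infected_objects: int = 0
    suspicious_objects: int = 0
    classes: set = field(default_factory=set)    # e.g. Backdoor, Exploit
    families: set = field(default_factory=set)   # e.g. Backdoor.Win32.SdBot
    locations: Counter = field(default_factory=Counter)


def threat_class(threat):
    """'Backdoor.Win32.SdBot.jpe' -> 'Backdoor': the vendor's top-level verdict."""
    return threat.split(".")[0]


def threat_family(threat):
    """'Backdoor.Win32.SdBot.jpe' -> 'Backdoor.Win32.SdBot' (variant suffix dropped)."""
    return ".".join(threat.split(".")[:3])


def location_kind(path):
    low = path.lower()
    for marker, kind in LOCATION_KINDS:
        if marker in low:
            return kind
    return "other"


def summarize(report_text):
    """Fold detection lines into one DriveSummary per drive letter; ignore other lines."""
    drives = {}
    for line in report_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        path, verdict, threat = m.group("path"), m.group("verdict"), m.group("threat")
        summary = drives.setdefault(path[0].upper(), DriveSummary())
        if verdict == "Infected":
            summary.infected_objects += int(m.group("count"))
        else:
            summary.suspicious_objects += int(m.group("count"))
        summary.classes.add(threat_class(threat))
        summary.families.add(threat_family(threat))
        summary.locations[location_kind(path)] += 1
    return drives


def drives_with_class(summary, cls):
    """Drive letters holding at least one detection of the given class."""
    return {d for d, s in summary.items() if cls in s.classes}


# Sample input: lines copied from the Kaspersky report posted in this thread.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\WINDOWS\system32\vrqzew.dll/C:\WINDOWS\system32\vrqzew.dll Infected: Packed.Win32.Krap.n 29
C:\WINDOWS\TEMP\System.exe/C:\WINDOWS\TEMP\System.exe Infected: Backdoor.Win32.SdBot.jpe 1
C:\WINDOWS\csauie1.ocx Infected: not-a-virus:AdWare.Win32.Coupons.u 1
C:\WINDOWS\system32\drivers\services.exe Infected: Backdoor.Win32.SdBot.jpe 1
C:\WINDOWS\system32\khfCuVmm.dll Infected: Trojan-Downloader.Win32.BHO.kml 1
C:\WINDOWS\system32\wowfx.dll Infected: Trojan.Win32.Agent.alos 1
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\25\650d0659-68161e1c Infected: Exploit.Java.Gimsh.a 1
D:\Documents and Settings\The Family\Local Settings\Application Data\Identities\{D688B133-BB08-44AA-9610-0788232F351C}\Microsoft\Outlook Express\Dylan.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\Documents and Settings\The Family\Start Menu\Programs\Startup\userinit.exe Infected: Backdoor.Win32.SdBot.jpe 1
D:\RECYCLER\S-1-5-21-2687666314-1017323166-2936280733-1006\Dd129.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1
K:\My Documents 2\Downloads 2\downloaded stuff originals\Pro Evolution Soccer 2009 crack - [ pes2009.exe ].exe Infected: Trojan.Win32.VB.kki 1
The selected area was scanned.
"""

if __name__ == "__main__":
    for drive, s in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{drive}: infected={s.infected_objects} suspicious={s.suspicious_objects}")
        print("   classes:  ", ", ".join(sorted(s.classes)))
        print("   locations:", dict(s.locations))
```

On the sample, the backdoor family appears on both C and D (including D's Startup folder), which is what drives the "both C and D" advice; K shows only the Trojan detection in the cracked executables, and D's exploit hits are confined to the Java deployment cache. The per-location counts are what make that distinction visible without reading every path by hand.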
 
Cracks and safe computing don't fit well together. You have to delete all the illegal stuff you have got there. That means all copyrighted material that you don't have legal rights to.

Then, if you want to take the cleaning route, you have to do the following. Before that, uninstall your P2P file-sharing programs, like BitTorrent, though.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
 
DDS results

Followed instructions.
Then ran KOS. K was clean, therefore I backed up "My Documents" on D, as the folder and subfolders appeared clean, onto K and disconnected K.
DDS scan results are included.
DDS (Ver_09-03-16.01) - NTFSx86
Run by The Family at 13:53:36.76 on 03/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.1886 [GMT 1:00]

AV: ntl Netguard Anti-virus *On-access scanning enabled* (Updated)
FW: ntl Netguard Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ntl\ntl Netguard\fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\APPS\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\TEMP\System.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\The Family\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ntlworld.com/
uSearch Bar = hxxp://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
uInternet Settings,ProxyOverride = 127.0.0.1
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\services.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\ntl\ntl netguard\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZKBho Class: {56071e0d-c61b-11d3-b41c-00e02927a304} - c:\program files\ntl\ntl netguard\FBHR.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: qs Class: {8a555e0e-6240-dd93-198d-45f571d4fd9b} - c:\program files\altcmd\altcmd32.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {510b77fa-78dc-54eb-1954-c32aa5ec61ee}: {ee16ce5a-a23c-4591-be45-cd87af77b015} - c:\windows\system32\vrqzew.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SmpcSys] c:\apps\smp\SmpSys.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [Google Update] "d:\documents and settings\the family\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [[system]] c:\windows\system32\drivers\services.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\ntl\broadb~1\smartb~1\MotiveSB.exe
mRun: [ntl Netguard] "c:\program files\ntl\ntl netguard\RPS.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Windows System Update] c:\windows\temp\CSRSS.EXE
mRun: [Windows Updater] c:\windows\temp\System.exe
mRun: [Language_Shortcut] c:\windows\temp\IEXPLORE.EXE
mRun: [SYSTRAY_UPDATE] c:\windows\temp\systray.exe
mRun: [[system]] c:\windows\system32\drivers\services.exe
mRun: [System Restore] c:\windows\temp\alg.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\documents and settings\the family\start menu\programs\startup\userinit.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\broadb~1.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - hxxp://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
AppInit_DLLs: c:\windows\system32\wowfx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {aa92c67d-b5da-914b-89b4-90cef433ad84}: {48da334f-ec09-4b98-b419-ad5bd76c29aa} - c:\windows\system32\vrqzew.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll, digest32.dll, , , , wowfx.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBrpoLE

============= SERVICES / DRIVERS ===============

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 FWS;Radialpoint Service;c:\program files\ntl\ntl netguard\fws.exe [2005-7-5 274432]
R3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S1 icyvjrws;icyvjrws;\??\c:\windows\system32\drivers\icyvjrws.sys --> c:\windows\system32\drivers\icyvjrws.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-21 1684736]
S3 cel90xbe;cel90xbe;\??\d:\docume~1\thefam~1\locals~1\temp\cel90xbe.sys --> d:\docume~1\thefam~1\locals~1\temp\cel90xbe.sys [?]

=============== Created Last 30 ================

2009-05-01 18:15 <DIR> a-dshr-- C:\autorun.inf
2009-04-27 21:27 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 20:37 <DIR> --d----- c:\windows\system32\xlib254.dll
2009-04-27 20:37 <DIR> --d----- c:\windows\system32\append.dll
2009-04-27 18:32 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-27 18:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-25 14:21 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-25 14:21 1,409 a------- c:\windows\QTFont.for
2009-04-24 17:05 118,272 a------- c:\windows\system32\vrqzew.dll
2009-04-24 17:05 118,272 a------- c:\windows\system32\mvyerpjt.dll
2009-04-24 16:56 37,376 -------- c:\windows\system32\vtUlMecY.dll
2009-04-21 19:23 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DriverCure
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DriverCure
2009-04-21 19:17 <DIR> --dsh--- d:\documents and settings\the family\IECompatCache
2009-04-21 19:07 <DIR> --dsh--- d:\documents and settings\the family\PrivacIE
2009-04-21 19:04 <DIR> --dsh--- d:\documents and settings\the family\IETldCache
2009-04-21 19:01 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-21 19:01 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-04-18 22:43 118,272 a------- c:\windows\system32\isyhvxyp.dll
2009-04-18 22:40 2,850 a--sh--- c:\windows\system32\bceggMoq.ini
2009-04-18 22:32 90,112 a------- c:\windows\system32\wowfx.dll
2009-04-18 22:32 90,112 -------- d:\docume~1\thefam~1\applic~1\nvsvc1024.dll
2009-04-18 22:32 37,376 -------- c:\windows\system32\khfCuVmm.dll
2009-04-18 22:32 57,344 a------- c:\windows\system32\digest32.dll
2009-04-15 21:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\2K Sports

==================== Find3M ====================

2009-04-06 17:16 34 a------- d:\documents and settings\the family\jagex_runescape_preferences.dat
2009-02-12 00:17 4,304 a------- c:\windows\system32\ealregsnapshot1.reg
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-03 18:32 18,085,888 a------- c:\windows\RTHDCPL.EXE
2009-02-03 17:35 35,840 a------- c:\windows\system32\RtkCoInstXP.dll
2008-04-14 01:11 23,552 a------- d:\documents and settings\the family\svchost.exe
2007-12-28 16:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 15:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 18:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 18:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2007-05-10 20:52 6,420 a------- d:\docume~1\thefam~1\applic~1\wklnhst.dat
2006-12-15 12:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 12:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 12:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 12:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 12:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-10-15 16:57 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 13:54:14.92 ===============
 
Hi,


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
scan results

Hello again and thanks.
DEP warning messages did not appear on combofix reboot.
Reports follow:

ComboFix 09-05-02.4 - The Family 03/05/2009 19:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.1936 [GMT 1:00]
Running from: d:\documents and settings\The Family\Desktop\ComboFix.exe
AV: ntl Netguard Anti-virus *On-access scanning disabled* (Updated)
FW: ntl Netguard Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bceggMoq.ini
c:\windows\system32\drivers\services.exe
c:\windows\system32\isyhvxyp.dll
c:\windows\system32\khfCuVmm.dll
c:\windows\system32\mvyerpjt.dll
c:\windows\system32\vrqzew.dll
c:\windows\system32\vtUlMecY.dll
c:\windows\system32\wowfx.dll
d:\documents and settings\The Family\Start Menu\Programs\Startup\userinit.exe
d:\documents and settings\The Family\svchost.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-05-03 18:43 . 2009-05-03 18:43 -------- d-----w d:\documents and settings\All Users\Application Data\HP Product Assistant
2009-04-27 20:27 . 2009-04-27 20:27 -------- d-----w c:\program files\Trend Micro
2009-04-27 20:23 . 2009-04-27 20:23 -------- d-----w c:\program files\ERUNT
2009-04-27 19:37 . 2009-04-27 19:37 -------- d-----w c:\windows\system32\append.dll
2009-04-27 19:37 . 2009-04-27 19:37 -------- d-----w c:\windows\system32\xlib254.dll
2009-04-27 17:32 . 2009-04-27 17:39 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-27 17:32 . 2009-04-27 17:39 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 18:23 . 2009-04-21 18:23 -------- d-----w d:\documents and settings\The Family\Application Data\DriverCure
2009-04-21 18:23 . 2009-04-21 18:23 -------- d-----w d:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-21 18:23 . 2009-04-22 16:53 -------- d-----w d:\documents and settings\All Users\Application Data\DriverCure
2009-04-21 18:17 . 2009-04-21 18:17 -------- d-sh--w d:\documents and settings\The Family\IECompatCache
2009-04-21 18:07 . 2009-04-21 18:07 -------- d-sh--w d:\documents and settings\The Family\PrivacIE
2009-04-21 18:06 . 2009-04-21 18:06 -------- d-sh--w d:\documents and settings\NetworkService\IETldCache
2009-04-21 18:05 . 2009-04-21 18:05 -------- d-sh--w d:\documents and settings\LocalService\IETldCache
2009-04-21 18:04 . 2009-04-21 18:04 -------- d-sh--w d:\documents and settings\The Family\IETldCache
2009-04-21 18:01 . 2008-04-14 00:11 81920 ----a-w c:\windows\system32\ieencode.dll
2009-04-21 18:01 . 2009-04-21 18:01 -------- d-----w c:\windows\system32\MpEngineStore
2009-04-20 19:58 . 2009-04-20 19:58 -------- d-----w d:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-18 21:32 . 2006-08-22 17:19 90112 ------w d:\documents and settings\The Family\Application Data\nvsvc1024.dll
2009-04-18 21:32 . 2006-08-23 08:45 57344 ----a-w c:\windows\system32\digest32.dll
2009-04-16 20:38 . 2009-04-16 20:38 -------- d-----w d:\documents and settings\oblivion\Data
2009-04-16 20:38 . 2009-04-16 20:38 -------- d-----w d:\documents and settings\oblivion\lex
2009-04-16 20:38 . 2007-04-04 18:12 7491584 ----a-w d:\documents and settings\oblivion\TESConstructionSet.exe
2009-04-16 20:38 . 2005-02-18 10:23 212992 ----a-w d:\documents and settings\oblivion\ssce5432.dll
2009-04-16 20:38 . 2009-04-16 20:45 -------- d-----w d:\documents and settings\oblivion
2009-04-15 20:52 . 2009-04-15 20:52 -------- d-----w d:\documents and settings\The Family\Application Data\2K Sports

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 19:03 . 2006-10-10 20:56 230 ----a-w c:\windows\freedom.backup.dat
2009-05-03 19:01 . 2009-04-21 18:23 378 ----a-w c:\windows\Tasks\DriverCure.job
2009-05-03 19:01 . 2009-04-21 18:23 426 ----a-w c:\windows\Tasks\ParetoLogic Update Version2.job
2009-05-03 19:01 . 2004-08-10 16:04 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 12:44 . 2006-10-10 20:47 -------- d-----w c:\program files\Common Files\PestPatrol
2009-05-02 12:43 . 2006-10-10 20:47 -------- d-----w c:\program files\Common Files\Command Software
2009-04-25 21:57 . 2009-02-20 01:05 3152 ----a-w d:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-21 18:23 . 2009-04-21 18:23 404 ----a-w c:\windows\Tasks\ParetoLogic Registration.job
2009-04-20 19:45 . 2007-09-07 16:37 -------- d-----w c:\program files\EA GAMES
2009-04-18 19:49 . 2009-03-07 13:38 946 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2687666314-1017323166-2936280733-1006.job
2009-04-18 18:30 . 2009-03-07 20:41 248 ----a-w c:\windows\Tasks\Setup my PC.job
2009-04-16 20:38 . 2006-10-10 07:11 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-06 16:16 . 2008-10-08 17:52 34 ----a-w d:\documents and settings\The Family\jagex_runescape_preferences.dat
2009-03-25 11:05 . 2009-03-25 11:05 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-25 11:05 . 2009-03-25 11:03 -------- d-----w c:\program files\Common Files\Adobe
2009-03-21 12:29 . 2006-10-10 07:11 -------- d-----w c:\program files\Realtek
2009-03-20 21:45 . 2009-03-20 21:45 -------- d-----w c:\program files\Thrustmaster
2009-03-20 21:16 . 2009-01-17 18:05 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-20 21:15 . 2009-01-17 18:05 -------- d-----w c:\program files\AGEIA Technologies
2009-03-20 20:53 . 2009-03-20 20:53 -------- d-----w c:\program files\DIFX
2009-03-19 16:03 . 2009-03-19 16:03 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-07 20:41 . 2009-03-07 20:37 95344 ----a-w d:\documents and settings\The Family.049907920267.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-07 20:40 . 2009-03-07 20:40 150 ----a-w d:\documents and settings\The Family.049907920267.000\Local Settings\Application Data\fusioncache.dat
2009-02-20 12:31 . 2006-10-09 23:32 95344 ----a-w d:\documents and settings\The Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-11 23:17 . 2009-02-11 23:17 4304 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-02-09 11:13 . 2004-08-10 15:38 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-03 17:32 . 2006-09-28 11:32 18085888 ----a-w c:\windows\RTHDCPL.EXE
2009-02-03 17:22 . 2006-09-28 11:32 5030912 ----a-w c:\windows\system32\drivers\RtkHDAud.sys
2009-02-03 16:35 . 2009-03-21 12:29 35840 ----a-w c:\windows\system32\RtkCoInstXP.dll
2006-10-15 15:57 . 2006-10-15 20:00 774144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\apps\SMP\SmpSys.exe" [2005-11-17 975360]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"kdx"="c:\program files\Kontiki\KHost.exe" [2006-11-08 1040832]
"Google Update"="d:\documents and settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2006-02-23 147456]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"Motive SmartBridge"="c:\progra~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 380928]
"ntl Netguard"="c:\program files\ntl\ntl Netguard\RPS.exe" [2005-07-05 229376]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-18 282624]
"4oD"="c:\program files\Kontiki\KHost.exe" [2006-11-08 1040832]
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-05-08 69632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-08 185896]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-03 18085888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

d:\documents and settings\The Family\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
broadband medic.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe [2006-10-10 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-12-11 2322432]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll, digest32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AOL 9.0\\aol.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"d:\\Documents and Settings\\The Family\\My Documents\\Downloads\\WoW-enGB-Installer-downloader.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"4719:TCP"= 4719:TCP:4719

R1 icyvjrws;icyvjrws; [x]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
R3 cel90xbe;cel90xbe; [x]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys [2007-10-09 38144]
S2 FWS;Radialpoint Service;c:\program files\ntl\ntl Netguard\fws.exe [2005-07-05 274432]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\Drivers\toywdm.sys [2004-06-04 70888]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v3.sys [2007-12-28 287232]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0968251a-9bb6-11dd-a0b1-001e2aaf0479}]
\Shell\AutoRun\command - J:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ccdf9fd-fca0-11db-9be0-0017316f265c}]
\Shell\AutoRun\command - l:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2687666314-1017323166-2936280733-1006.job
- d:\documents and settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-07 13:38]

2009-04-18 c:\windows\Tasks\Setup my PC.job
- c:\apps\SMP\PCSETUP.EXE [2005-11-17 09:03]
.
- - - - ORPHANS REMOVED - - - -

BHO-{ee16ce5a-a23c-4591-be45-cd87af77b015} - c:\windows\system32\vrqzew.dll
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
ShellExecuteHooks-{48da334f-ec09-4b98-b419-ad5bd76c29aa} - c:\windows\system32\vrqzew.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 20:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2687666314-1017323166-2936280733-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2687666314-1017323166-2936280733-1006\Software\SecuROM\License information*]
"datasecu"=hex:6a,b8,24,27,32,5c,ae,29,48,f4,7e,8a,3a,ca,02,ad,ed,48,f1,c3,ba,
d8,05,92,a0,0d,49,76,f6,72,92,04,b1,2f,00,af,95,cc,fc,da,e2,00,05,e5,09,95,\
"rkeysecu"=hex:36,4e,91,58,c0,fd,da,b0,58,97,27,be,96,e2,71,a0
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1308)
c:\windows\system32\wininet.dll

- - - - - - - > 'explorer.exe'(3068)
c:\progra~1\ntl\BROADB~1\SMARTB~1\SBHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\apps\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\windows\system32\searchindexer.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\apps\ABOARD\AOSD.EXE
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\ntl\broadband medic\bin\mpbtn.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-05-03 20:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-03 19:08

Pre-Run: 3,335,065,600 bytes free
Post-Run: 3,214,286,848 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
266 --- E O F --- 2009-04-18 12:54
DDS report:


DDS (Ver_09-03-16.01) - NTFSx86
Run by The Family at 20:18:00.42 on 03/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.1842 [GMT 1:00]

AV: ntl Netguard Anti-virus *On-access scanning enabled* (Updated)
FW: ntl Netguard Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ntl\ntl Netguard\fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\APPS\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\ntl\ntl Netguard\Rps.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\The Family\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\ntl\ntl netguard\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZKBho Class: {56071e0d-c61b-11d3-b41c-00e02927a304} - c:\program files\ntl\ntl netguard\FBHR.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SmpcSys] c:\apps\smp\SmpSys.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Google Update] "d:\documents and settings\the family\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\ntl\broadb~1\smartb~1\MotiveSB.exe
mRun: [ntl Netguard] "c:\program files\ntl\ntl netguard\RPS.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\broadb~1.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - hxxp://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll, digest32.dll

============= SERVICES / DRIVERS ===============

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 FWS;Radialpoint Service;c:\program files\ntl\ntl netguard\fws.exe [2005-7-5 274432]
R3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S1 icyvjrws;icyvjrws;\??\c:\windows\system32\drivers\icyvjrws.sys --> c:\windows\system32\drivers\icyvjrws.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-21 1684736]
S3 cel90xbe;cel90xbe;\??\d:\docume~1\thefam~1\locals~1\temp\cel90xbe.sys --> d:\docume~1\thefam~1\locals~1\temp\cel90xbe.sys [?]

=============== Created Last 30 ================

2009-05-03 19:56 161,792 a------- c:\windows\SWREG.exe
2009-05-03 19:56 98,816 a------- c:\windows\sed.exe
2009-05-01 18:15 <DIR> a-dshr-- C:\autorun.inf
2009-04-27 21:27 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 20:37 <DIR> --d----- c:\windows\system32\xlib254.dll
2009-04-27 20:37 <DIR> --d----- c:\windows\system32\append.dll
2009-04-27 18:32 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-27 18:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-25 14:21 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-25 14:21 1,409 a------- c:\windows\QTFont.for
2009-04-21 19:23 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DriverCure
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DriverCure
2009-04-21 19:17 <DIR> --dsh--- d:\documents and settings\the family\IECompatCache
2009-04-21 19:07 <DIR> --dsh--- d:\documents and settings\the family\PrivacIE
2009-04-21 19:04 <DIR> --dsh--- d:\documents and settings\the family\IETldCache
2009-04-21 19:01 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-21 19:01 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-04-18 22:32 90,112 -------- d:\docume~1\thefam~1\applic~1\nvsvc1024.dll
2009-04-18 22:32 57,344 a------- c:\windows\system32\digest32.dll
2009-04-15 21:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\2K Sports

==================== Find3M ====================

2009-04-06 17:16 34 a------- d:\documents and settings\the family\jagex_runescape_preferences.dat
2009-02-12 00:17 4,304 a------- c:\windows\system32\ealregsnapshot1.reg
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-03 18:32 18,085,888 a------- c:\windows\RTHDCPL.EXE
2009-02-03 17:35 35,840 a------- c:\windows\system32\RtkCoInstXP.dll
2007-12-28 16:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 15:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 18:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 18:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2007-05-10 20:52 6,420 a------- d:\docume~1\thefam~1\applic~1\wklnhst.dat
2006-12-15 12:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 12:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 12:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 12:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 12:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-10-15 16:57 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 20:18:17.43 ===============


Other report attached.
 
Hi again,


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Upload the following files (if found) to http://www.virustotal.com and post back the results:
c:\windows\system32\digest32.dll
c:\windows\system32\snapapi32.dll


Open notepad and copy/paste the text in the quotebox below into it:

Code:
Driver::
icyvjrws
cel90xbe

DDS::
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

File::
C:\WINDOWS\TEMP\System.exe
C:\WINDOWS\csauie1.ocx
D:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B0D69EF.wmf
D:\Documents and Settings\The Family\Application Data\nvsvc1024.dll
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\25\650d0659-68161e1c
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-75a95481
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-6f01188c
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-3450a110.zip
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-52495110.zip
D:\Documents and Settings\The Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-4fb0852d.zip
K:\My Documents 2\Downloads 2\downloaded stuff originals\Pro Evolution Soccer 2009 crack - [ pes2009.exe ].exe Infected: Trojan.Win32.VB.kki 1
K:\Programs 2\KONAMI\Pro Evolution 2009\cracked exe(s)\Pro Evolution Soccer 2009 crack - [ pes2009.exe ].exe
c:\windows\system32\drivers\icyvjrws.sys


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.


Empty recycler bin.



Uninstall old Adobe Reader versions and get the latest one here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader!


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.




Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
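A small triage script for DDS logs, added here as an example (it is not DDS, ComboFix or the helper's own tooling): it runs over lines copied from the report above and flags the same two things the helper asked about, SecurityProviders DLLs beyond the XP defaults and drivers that DDS marked "[?]" or that load from a temp folder. The XP default provider list and both heuristics are assumptions of this example.

```python
"""Triage helper for DDS-style logs. Added example for this thread (not part
of DDS, ComboFix or the helper's post): it flags the two persistence points
the helper asked about, non-default SecurityProviders DLLs and drivers whose
file is unverifiable or sits in a temp directory."""
import re

# Default SecurityProviders value on Windows XP, assumed here as the baseline.
XP_DEFAULT_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
# Sample input: lines copied from the DDS report posted above.
SAMPLE_LOG = r"""
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll, digest32.dll
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 FWS;Radialpoint Service;c:\program files\ntl\ntl netguard\fws.exe [2005-7-5 274432]
S1 icyvjrws;icyvjrws;\??\c:\windows\system32\drivers\icyvjrws.sys --> c:\windows\system32\drivers\icyvjrws.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-21 1684736]
S3 cel90xbe;cel90xbe;\??\d:\docume~1\thefam~1\locals~1\temp\cel90xbe.sys --> d:\docume~1\thefam~1\locals~1\temp\cel90xbe.sys [?]
"""

DRIVER_LINE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+)$")  # state name;desc;path [meta]
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

def unknown_security_providers(line):
    """DLLs on a 'SecurityProviders:' line that are not in the XP default set;
    every entry here is loaded into LSASS at boot, so extras deserve a look."""
    _, _, dlls = line.partition(":")
    names = [d.strip().lower() for d in dlls.split(",") if d.strip()]
    return [d for d in names if d not in XP_DEFAULT_PROVIDERS]

def suspicious_drivers(lines):
    """(name, path, reasons) for drivers DDS could not stat ('[?]') or that
    load from a temp directory; neither is normal for a legitimate driver."""
    hits = []
    for line in lines:
        m = DRIVER_LINE.match(line)
        if not m:
            continue
        name, rest = m.groups()
        resolved = rest.split(" --> ")[-1]            # prefer the resolved path
        path, sep, meta = resolved.rpartition(" [")   # split off "[date size]" / "[?]"
        if not sep:
            path, meta = resolved, ""
        reasons = []
        if meta.startswith("?"):
            reasons.append("file missing or unreadable")
        if TEMP_DIR.search(path):
            reasons.append("loaded from a temp directory")
        if reasons:
            hits.append((name, path, reasons))
    return hits

def triage(log_text):
    """Run both checks over a whole DDS log and return the findings."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    providers = [ln for ln in lines if ln.startswith("SecurityProviders:")]
    return {
        "unknown_security_providers": [
            d for ln in providers for d in unknown_security_providers(ln)],
        "suspicious_drivers": suspicious_drivers(lines),
    }
```

On the sample it returns the two extra providers (snapapi32.dll, digest32.dll) and the two drivers (icyvjrws, cel90xbe) that the helper's CFScript targets.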
 