virtumonde.crack spyware

I have rebooted and rescanned, but MBAM has found these infections again. I have not run another DDS, as the MBAM results are the same; I would imagine DDS would be the same again.
Most recent mbam scan result:
Malwarebytes' Anti-Malware 1.36
Database version: 2104
Windows 5.1.2600 Service Pack 3

11/05/2009 00:49:10
mbam-log-2009-05-11 (00-49-10).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|K:\|)
Objects scanned: 360885
Time elapsed: 1 hour(s), 48 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: snapapi32.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\snapapi32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
 
Hi

Disable TeaTimer.

Have those external drives plugged in that you've lately used with the system.


Open Notepad and copy/paste the text in the code box below into it:

Code:
File::
D:\DOCUME~1\THEFAM~1\LOCALS~1\Temp\5F.exe
c:\windows\system32\drivers\khqv.sys

DDS::
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: {ee16ce5a-a23c-4591-be45-cd87af77b015} - No File


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[Image: CFScriptB-4.gif]


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resulting log. Re-run the Kaspersky online scanner and post back its report and fresh dds.txt file contents.


ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happened we want to know, and also which process you had to end.
 
The saga continues

Sorry for the delay but KOS took over 6 hours to run with the K: drive attached.

Combofix, KOS and DDS scripts are zipped and attached.

There are 2 things to note:

1) From the ComboFix log: "2009-05-10 13:55 . 2009-05-10 13:55 -------- d-----w C:\OEMSettings"
This was me flashing the BIOS, I assume.

2) Also from the ComboFix log, in the firewall authorised applications section:

"k:\\Programs 2\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=

This is not on the Windows Firewall exception list. I double checked. I also run a second firewall on this system, supplied by my ISP; it is not on this exception list either.

I also have a question. On the DDS (Created Last 30) it states:

"2009-05-11 20:08 581,632 a------- c:\windows\system32\snapapi32.dll"

Do you know what this is? Its entry is 2 minutes after ComboFix. Is this related to ComboFix?

This is the file that most recently has consistently shown up as an infected item in the scans with an associated infected registry entry.

It does not show on the KOS, but!?

Oh, and I have just noticed a third thing to mention. From the KOS: "D:\Documents and Settings\The Family\Local Settings\Application Data\Identities\{D688B133-BB08-44AA-9610-0788232F351C}\Microsoft\Outlook Express\Dylan.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1"

I have been through this mailbox and deleted anything that looked suspicious, but we have seen this entry on an earlier scan (it subsequently disappeared, but here it is again). I also tried to get to the folder to delete it directly from there; however, although I could locate the folder, when I went in it was empty. I think I have XP set up to show me everything, so? Also, when I clicked on folder properties it stated that the folder was empty.

Anyway on we go.......
Thanks.
 
Hi

No, that snapapi32.dll file is not related to ComboFix.

I wouldn't worry about that mail-related Kaspersky finding. If you have checked the messages and no suspicious one is present, then the finding is possibly a false positive.

Please run following test:
1. Run MBAM and let it clean its findings.
2. Immediately after successful cleaning reboot the system.
3. Run another MBAM scan and let it clean findings if found.
4. If findings were found, make sure system is disconnected from internet. Then reboot and run another MBAM scan.


Download GMER and save it to your desktop:
  • Extract it to your desktop and double-click GMER.exe
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while the scan is in progress!
  • When the scan is finished, click Copy. This copies the log to the clipboard.
  • Post the log in your reply.

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log & a fresh dds.txt log as a reply to this topic.
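The clean-reboot-rescan test in steps 1-4 hinges on one question: does the same detection come back after MBAM has quarantined it and the machine has rebooted? Below is an added example (my code, not the helper's and not Malwarebytes') that parses the MBAM 1.x log layout quoted earlier in the thread, reports detections that recur across consecutive scans, and checks the SecurityProviders data MBAM flagged against the stock Windows XP provider list. The XP default list of provider DLLs and the two sample logs are my assumptions/constructions, not data taken from this thread.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs.
Added example for this thread, not code from the thread or from Malwarebytes.
It parses the "<section> Infected:" blocks of the log layout quoted above.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Assumption: SecurityProviders value of a stock Windows XP SP3 install. Each
# DLL listed there is loaded into lsass.exe at boot, so an extra entry is a
# persistence mechanism until proven otherwise.
XP_DEFAULT_SECURITY_PROVIDERS = frozenset(
    {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"})
SECURITY_PROVIDERS_VALUE = r"\control\securityproviders\securityproviders"
SECTION_NAMES = ("Memory Processes", "Memory Modules", "Registry Keys",
                 "Registry Values", "Registry Data Items", "Folders", "Files")
Key = Tuple[str, str, Optional[str]]  # (section, item, registry data)


@dataclass(frozen=True)
class Finding:
    section: str
    item: str            # file path, registry key or value name
    threat: str          # MBAM detection name, e.g. Trojan.Agent
    data: Optional[str]  # registry data for "Registry Data Items" hits


def _parse_line(section: str, line: str) -> Optional[Finding]:
    """Parse '<item> (<threat>) -> [Data: <x> -> ]<action>'."""
    head, *rest = line.split(" -> ")
    if not rest or not head.endswith(")") or " (" not in head:
        return None
    item, _, threat = head.rpartition(" (")
    data = rest[0][len("Data: "):] if rest[0].startswith("Data: ") else None
    return Finding(section, item, threat[:-1], data)


def parse_mbam_log(text: str) -> List[Finding]:
    """Return every detection listed in the detail sections of one log."""
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        # Detail headers end in a bare colon; the summary lines above them
        # ("Files Infected: 1") carry a count and must not switch sections.
        if line.endswith(" Infected:") and line[:-10] in SECTION_NAMES:
            section = line[:-10]
        elif section and line and not line.startswith("(No malicious"):
            found = _parse_line(section, line)
            if found:
                findings.append(found)
    return findings


def recurring_findings(logs: Iterable[str]) -> Set[Key]:
    """Detections present in two consecutive scans.

    `logs` are scan logs in date order, each scan having quarantined what it
    found before the next reboot. A detection that is back in the following
    scan was re-created by something still running, not left over on disk.
    """
    recurring: Set[Key] = set()
    previous: Set[Key] = set()
    for text in logs:
        current = {(f.section, f.item, f.data) for f in parse_mbam_log(text)}
        recurring |= previous & current
        previous = current
    return recurring


def unexpected_security_providers(value: str) -> Set[str]:
    """Non-stock DLLs in a comma-separated SecurityProviders string (the full
    value from `reg query ... /v SecurityProviders` or MBAM's partial data)."""
    dlls = {d.strip().lower() for d in value.split(",") if d.strip()}
    return dlls - XP_DEFAULT_SECURITY_PROVIDERS


def security_provider_hits(findings: Iterable[Finding]) -> Set[str]:
    """Non-stock DLLs named by any SecurityProviders detection in a log."""
    hits: Set[str] = set()
    for f in findings:
        if f.data and f.item.lower().endswith(SECURITY_PROVIDERS_VALUE):
            hits |= unexpected_security_providers(f.data)
    return hits


# Constructed sample logs in the MBAM 1.36 layout. The two detections mirror
# the ones quoted in the thread; the scan sequence itself is invented.
SCAN_WITH_HITS = """\
Malwarebytes' Anti-Malware 1.36
Registry Data Items Infected: 1
Files Infected: 1

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SecurityProviders (Trojan.Agent) -> Data: snapapi32.dll -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\snapapi32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""
SCAN_CLEAN = """\
Malwarebytes' Anti-Malware 1.36
Files Infected: 0

Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    # Scan 1 cleans, reboot, scan 2 finds it again, scan 3 (offline) is clean.
    back = recurring_findings([SCAN_WITH_HITS, SCAN_WITH_HITS, SCAN_CLEAN])
    for section, item, data in sorted(back, key=str):
        print(f"came back after clean+reboot: [{section}] {item} {data or ''}")
    print("non-stock SecurityProviders:",
          security_provider_hits(parse_mbam_log(SCAN_WITH_HITS)))
```

Feed `recurring_findings` the saved mbam-log-*.txt files in date order, with the offline scan from step 4 last, so that a detection which stops recurring once the network is down stands out from one that is re-created locally.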
 
Update only

Hi,
This is just a partial progress report as I did not have time to complete all the steps from your last post.

I have run 3 sequential MBAM scans.

1) Same result as previous with only Snapapi32.dll file and registry entries.
2) Same result as previous with only Snapapi32.dll file and registry entries.
3) (with no internet connection) no signs of infection found.

As mentioned, I did not have the time to carry out the next 2 steps, and unfortunately I may not have the time for another 48 to 72 hours. I will try to squeeze it in when I have a minute, because it is only a 5 min job to download, install and start the scans.

I wanted to post as it has never been more than 24 hours between my posts. We have now been working on this for 2 weeks and I will not let it beat me. It has long gone past the point where it would have been cost effective (classing time as a resource) just to reformat the drive and reinstall everything. It has even gone past the point where it would have been more cost effective to throw the drive out of a window, buy a new drive and all the software that is on this current drive, and start from scratch!

I have not said thanks for a while, so thank you. I just wonder if you regret picking this thread up or view it as a learning experience? (Do not answer that.)

I will post as soon as I am able; until then, once again, thanks. OriginalMcBlood.
 
Thanks for the heads up.

I just wonder if you regret picking this thread up or view it as a learning experience? (do not answer that).
You can probably guess the answer anyway ;)
 
Hello,
Good news and bad news.
Good news: I was able to get on the infected unit earlier than expected.

Bad news: I cannot get ESET to run on the unit at all.
It will only go to the point where it asks if I wish to install ActiveX. I click Yes and then nothing, like nothing at all: no error messages, no pages reloading, no change of page, no increase in system resource use (CPU/RAM), nothing, nada, zilch!!

I must have tried 20 times always the same.

Good news: I got GMER to run. No easy task; it kept shutting down with the old favourite, "whatever application is running" has encountered an unexpected error and needs to close. Blah, blah, blah.

In fact, and call me slow on the uptake, but this has been happening to a lot of applications with increasing frequency (IE7 practically every 2-3 clicks) for about 2-3 months. Hello, dopey, this is probably this infection. I just thought that the OS has been used for so long and is so cluttered that it was just being a pain.

Anyway, here is the GMER log and new DDS. Let me know what you want to scan with, or if there is a solution to the ESET problem.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-14 21:09:50
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----
SSDT spre.sys ZwCreateKey [0xB9EA70E0]
SSDT spre.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spre.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT spre.sys ZwOpenKey [0xB9EA70C0]
SSDT spre.sys ZwQueryKey [0xB9EC610A]
SSDT spre.sys ZwQueryValueKey [0xB9EC5F8A]
SSDT spre.sys ZwSetValueKey [0xB9EC619C]
INT 0x62 ? 8ACD4BF8
INT 0x73 ? 8ABA2F00
INT 0x73 ? 8ABA2F00
INT 0x73 ? 8ABA2F00
INT 0x83 ? 8ACC4BF8
Code 8924DD28 ZwCreateSection
Code 892B8EE8 ZwDuplicateObject
Code 8924FEE8 ZwSetInformationFile
Code 8A845018 ZwSetSystemInformation
Code 8929ED28 ZwWriteFile
Code 8924DD27 NtCreateSection
Code 892B8EE7 NtDuplicateObject
Code 8924FEE7 NtSetInformationFile
Code 8929ED27 NtWriteFile
---- Kernel code sections - GMER 1.0.15 ----
? spre.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B95888AC 5 Bytes JMP 8ABA24E0
.text ac3xzg1z.SYS B8D60386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ac3xzg1z.SYS B8D603AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ac3xzg1z.SYS B8D603C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ac3xzg1z.SYS B8D603C9 1 Byte [30]
.text ac3xzg1z.SYS B8D603C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[1016] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] spre.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA813E] spre.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA80C0] spre.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA8800] spre.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA86D6] spre.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB7E9C] spre.sys
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ac3xzg1z.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8ACC21F8
Device \FileSystem\Fastfat \FatCdrom Code 89270EE8
Device \FileSystem\Fastfat \FatCdrom 8976F500
AttachedDevice \Driver\Tcpip \Device\Ip FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
Device \Driver\USBSTOR \Device\0000009d 8A48A500
Device \Driver\USBSTOR \Device\0000009e 8A48A500
Device \Driver\USBSTOR \Device\0000009f 8A48A500
Device \Driver\usbohci \Device\USBPDO-0 8AAE2500
Device \Driver\usbehci \Device\USBPDO-1 8ABA1500
Device \Driver\USBSTOR \Device\000000a0 8A48A500
AttachedDevice \Driver\Tcpip \Device\Tcp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
Device \Driver\USBSTOR \Device\000000a1 8A48A500
Device \Driver\Ftdisk \Device\HarddiskVolume1 8ACD51F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8ACD51F8
Device \Driver\Cdrom \Device\CdRom0 8AAE1500
Device \Driver\PCI_PNP8824 \Device\00000072 spre.sys
Device \Driver\Ftdisk \Device\HarddiskVolume3 8ACD51F8
Device \Driver\sptd \Device\226437574 spre.sys
Device \Driver\Ftdisk \Device\HarddiskVolume4 8ACD51F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{F98986A8-5616-4B7E-9F28-27E689093F5E} 8A48D500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A48D500
Device \Driver\nvata \Device\00000091 8ACC41F8
Device \Driver\NetBT \Device\NetbiosSmb 8A48D500
AttachedDevice \Driver\Tcpip \Device\Udp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp FreeTdi.sys (Radialpoint Filter/Radialpoint Inc.)
Device \Driver\usbohci \Device\USBFDO-0 8AAE2500
Device \Driver\USBSTOR \Device\00000099 8A48A500
Device \Driver\nvata \Device\NvAta0 8ACC41F8
Device \Driver\usbehci \Device\USBFDO-1 8ABA1500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AA53500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AA53500
Device \Driver\Ftdisk \Device\FtControl 8ACD51F8
Device \Driver\USBSTOR \Device\0000009a 8A48A500
Device \Driver\ac3xzg1z \Device\Scsi\ac3xzg1z1 8A9FB1F8
Device \FileSystem\Fastfat \Fat Code 89270EE8
Device \FileSystem\Fastfat \Fat 8976F500
Device \FileSystem\Cdfs \Cdfs 897601F8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -667533817
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -327378777
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF0 0x6E 0x48 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDE 0xE7 0x34 0x95 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF2 0x02 0x30 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0x71 0x83 0x2E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x76 0x16 0x8E 0x2C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5B 0x6A 0x7A 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xB3 0xDE 0x70 0xE0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2A 0x54 0xB3 0x86 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBD 0xA8 0xDE 0x81 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA3 0x8E 0x5A 0xD3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x14 0xBD 0x38 0xFC ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB0 0x07 0xF5 0xC4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x46 0xD2 0xA5 0x2B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9F 0xF0 0x19 0xC8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xAC 0xD5 0xC1 0xAD ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF0 0x6E 0x48 0xA4 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDE 0xE7 0x34 0x95 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF2 0x02 0x30 0xFB ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0x71 0x83 0x2E ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x76 0x16 0x8E 0x2C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5B 0x6A 0x7A 0x7F ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xB3 0xDE 0x70 0xE0 ...
---- EOF - GMER 1.0.15 ----



DDS


DDS (Ver_09-03-16.01) - NTFSx86
Run by The Family at 21:50:55.00 on 14/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2558.1958 [GMT 1:00]
AV: ntl Netguard Anti-virus *On-access scanning enabled* (Updated)
FW: ntl Netguard Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ntl\ntl Netguard\fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\APPS\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\ntl\ntl Netguard\Rps.exe
D:\Documents and Settings\The Family\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\ntl\ntl netguard\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZKBho Class: {56071e0d-c61b-11d3-b41c-00e02927a304} - c:\program files\ntl\ntl netguard\FBHR.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SmpcSys] c:\apps\smp\SmpSys.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Google Update] "d:\documents and settings\the family\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\ntl\broadb~1\smartb~1\MotiveSB.exe
mRun: [ntl Netguard] "c:\program files\ntl\ntl netguard\RPS.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\broadb~1.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
================= FIREFOX ===================
FF - ProfilePath - d:\docume~1\thefam~1\applic~1\mozilla\firefox\profiles\1i8880in.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ntlworld.com/
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: d:\documents and settings\the family\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 FWS;Radialpoint Service;c:\program files\ntl\ntl netguard\fws.exe [2005-7-5 274432]
R3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-21 1684736]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
=============== Created Last 30 ================
2009-05-11 18:03 <DIR> --d----- C:\ComboFix
2009-05-10 14:55 <DIR> --d----- C:\OEMSettings
2009-05-07 21:30 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-05-07 21:30 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-05-07 21:30 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-05-07 21:23 <DIR> --d----- c:\windows\NV24243848.TMP
2009-05-07 21:13 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DAEMON Tools Lite
2009-05-07 20:50 <DIR> --d----- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-05-07 20:41 <DIR> --d----- c:\program files\Secunia
2009-05-05 23:59 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-05-05 23:59 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-05-05 23:59 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-05-05 23:59 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-05-05 23:59 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-05-05 23:59 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-05-05 23:59 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-05-05 23:59 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-05 23:59 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-05 23:59 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-05-05 22:35 <DIR> --d----- c:\windows\system32\Adobe
2009-05-05 18:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\Malwarebytes
2009-05-05 18:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-05 18:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 18:52 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-05 18:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 19:56 161,792 a------- c:\windows\SWREG.exe
2009-05-03 19:56 98,816 a------- c:\windows\sed.exe
2009-05-01 18:15 <DIR> a-dshr-- C:\autorun.inf
2009-04-27 21:27 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 18:32 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-27 18:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-25 14:21 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-25 14:21 1,409 a------- c:\windows\QTFont.for
2009-04-21 19:23 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DriverCure
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DriverCure
2009-04-21 19:17 <DIR> --dsh--- d:\documents and settings\the family\IECompatCache
2009-04-21 19:07 <DIR> --dsh--- d:\documents and settings\the family\PrivacIE
2009-04-21 19:04 <DIR> --dsh--- d:\documents and settings\the family\IETldCache
2009-04-21 19:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-21 19:01 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-04-16 17:45 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 17:45 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 17:45 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-15 21:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\2K Sports
==================== Find3M ====================
2009-05-07 21:13 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-04 18:31 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 17:16 34 a------- d:\documents and settings\the family\jagex_runescape_preferences.dat
2009-03-27 08:14 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-03-24 12:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 05:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 11:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 11:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 06:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2007-12-28 15:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 14:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 17:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 17:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2007-05-10 20:52 6,420 a------- d:\docume~1\thefam~1\applic~1\wklnhst.dat
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-10-15 16:57 774,144 a------- c:\program files\RngInterstitial.dll
============= FINISH: 21:51:29.96 ===============
 
Hi,

Did you still have the system disconnected from the internet? At least neither the snapapi32.dll file nor its related registry entries appear in the latest log.


Please download OTListIt2
Save it to the Desktop
  • Close all windows and double-click on the OTListIt2.exe file
  • OK any warning about running OTListIt.
  • Place a check in the Scan All Users checkbox
  • Click the Run Scan button
  • When the scan is complete, two text files are produced on the Desktop: OTListIt.txt , and Extras.txt
Please post the OTListIt.txt and Extras.txt in your reply.
 
After (my) last post I ran a quick KOS scan - clean, then an offline MBam scan - clean. At this point I thought it looked hopeful, or too good to be true. Ran MBam whilst connected to the internet. Guess what, snapapi32.dll is back.

Went back to try ESET; it worked.

C:\Qoobox\Quarantine\C\WINDOWS\system32\bceggMoq.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\services.exe.vir Win32/Socks.NAH worm
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP722\A0260529.dll probably a variant of Win32/Agent trojan
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP723\A0260543.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\A0263178.exe Win32/Socks.NAH worm
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP725\A0263204.ini Win32/Adware.Virtumonde.NEO application
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgenthc2.zip Win32/Bagle.gen.zip worm

Can I just go into these folders and delete them? I have been in and checked they were there.
There is a DDS log from the same time below.
Why does snapapi32.dll not show on this scan? I assume this is why we are using so many different scanners: because different scans are better at picking up different things.
I have also run OTListIt2 and have zipped the logs with this post.


DDS (Ver_09-03-16.01) - NTFSx86
Run by The Family at 23:50:26.34 on 15/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home
Edition 5.1.2600.3.1252.44.1033.18.2558.1804 [GMT 1:00]
AV: ntl Netguard Anti-virus *On-access scanning enabled* (Updated)
FW: ntl Netguard Firewall *enabled*

============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ntl\ntl Netguard\fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\APPS\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\The Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\NvCplUI.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
D:\Documents and Settings\The Family\Desktop\dds.scr

============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/welcome
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\ntl\ntl netguard\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZKBho Class: {56071e0d-c61b-11d3-b41c-00e02927a304} - c:\program files\ntl\ntl netguard\FBHR.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SmpcSys] c:\apps\smp\SmpSys.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Google Update] "d:\documents and settings\the family\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\ntl\broadb~1\smartb~1\MotiveSB.exe
mRun: [ntl Netguard] "c:\program files\ntl\ntl netguard\RPS.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\docume~1\thefam~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\broadb~1.lnk - c:\program files\ntl\broadband medic\bin\matcli.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game08.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://www.shockwave.com/content/chocolatier2/sis/Chocolatier2Web.1.0.0.10.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - file:///C:/DRIVERS/snapsys/HDDDiag/bin/npseatools.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll

================= FIREFOX ===================
FF - ProfilePath - d:\docume~1\thefam~1\applic~1\mozilla\firefox\profiles\1i8880in.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ntlworld.com/
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: d:\documents and settings\the family\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 FWS;Radialpoint Service;c:\program files\ntl\ntl netguard\fws.exe [2005-7-5 274432]
R3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-21 1684736]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]

=============== Created Last 30 ================
2009-05-15 22:35 <DIR> --d----- c:\program files\ESET
2009-05-15 21:11 581,632 a------- c:\windows\system32\snapapi32.dll
2009-05-11 18:03 <DIR> --d----- C:\ComboFix
2009-05-10 14:55 <DIR> --d----- C:\OEMSettings
2009-05-07 21:30 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-05-07 21:30 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-05-07 21:30 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-05-07 21:23 <DIR> --d----- c:\windows\NV24243848.TMP
2009-05-07 21:13 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DAEMON Tools Lite
2009-05-07 20:50 <DIR> --d----- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-05-07 20:41 <DIR> --d----- c:\program files\Secunia
2009-05-05 23:59 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-05-05 23:59 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-05-05 23:59 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-05-05 23:59 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-05-05 23:59 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-05-05 23:59 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-05-05 23:59 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-05-05 23:59 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-05 23:59 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-05 23:59 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-05-05 22:35 <DIR> --d----- c:\windows\system32\Adobe
2009-05-05 18:52 <DIR> --d----- d:\docume~1\thefam~1\applic~1\Malwarebytes
2009-05-05 18:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-05 18:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 18:52 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-05 18:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 19:56 161,792 a------- c:\windows\SWREG.exe
2009-05-03 19:56 98,816 a------- c:\windows\sed.exe
2009-05-01 18:15 <DIR> a-dshr-- C:\autorun.inf
2009-04-27 21:27 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 18:32 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-27 18:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-25 14:21 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-25 14:21 1,409 a------- c:\windows\QTFont.for
2009-04-21 19:23 <DIR> --d----- d:\docume~1\thefam~1\applic~1\DriverCure
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-21 19:23 <DIR> --d----- d:\docume~1\alluse~1\applic~1\DriverCure
2009-04-21 19:17 <DIR> --dsh--- d:\documents and settings\the family\IECompatCache
2009-04-21 19:07 <DIR> --dsh--- d:\documents and settings\the family\PrivacIE
2009-04-21 19:04 <DIR> --dsh--- d:\documents and settings\the family\IETldCache
2009-04-21 19:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-21 19:01 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-04-16 17:45 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 17:45 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 17:45 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================
2009-05-07 21:13 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-04 18:31 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 17:16 34 a------- d:\documents and settings\the family\jagex_runescape_preferences.dat
2009-03-27 08:14 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-03-24 12:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 05:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 11:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 11:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 06:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2007-12-28 15:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 14:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 17:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 17:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2007-05-10 20:52 6,420 a------- d:\docume~1\thefam~1\applic~1\wklnhst.dat
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-10-15 16:57 774,144 a------- c:\program files\RngInterstitial.dll

============= FINISH: 23:51:50.60 ===============
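The interesting line in the log above is "SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll" together with the "Created Last 30" entry showing c:\windows\system32\snapapi32.dll written at 2009-05-15 21:11. The SecurityProviders value is a list of DLLs that Windows loads as security support providers, so a DLL registered there is loaded again at every start, which is why MBAM's quarantine did not stick. As an added example (not part of this thread and not code from the DDS tool), the script below does that comparison mechanically: it checks the SecurityProviders line against a baseline and cross-references any extra DLL with the Created Last 30 section. The stock XP baseline list is an assumption for the example, and the embedded log excerpt is just the relevant lines copied from the post.

```python
"""Added example for the DDS log above: audit the SecurityProviders line and
cross-reference any unexpected DLL with the "Created Last 30" section.
Not part of the original thread or of the DDS tool."""
import re
from datetime import datetime

# Stock Windows XP SecurityProviders list. Assumption for this example; in
# practice compare against a known-clean machine of the same build.
XP_BASELINE = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed excerpt: the relevant lines copied from the DDS log in the post.
SAMPLE_DDS = """\
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll

=============== Created Last 30 ================
2009-05-15 22:35 <DIR> --d----- c:\\program files\\ESET
2009-05-15 21:11 581,632 a------- c:\\windows\\system32\\snapapi32.dll
2009-05-11 18:03 <DIR> --d----- C:\\ComboFix

==================== Find3M ====================
"""

# timestamp, size-or-<DIR>, attribute flags, path
CREATED_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+\S+\s+(.+?)\s*$",
    re.MULTILINE,
)


def security_providers(log):
    """DLL names on the SecurityProviders line, lower-cased, in log order."""
    m = re.search(r"^SecurityProviders:\s*(.*)$", log, re.MULTILINE)
    if not m:
        return []
    return [p.strip().lower() for p in m.group(1).split(",") if p.strip()]


def unexpected_providers(log, baseline=XP_BASELINE):
    """Providers that are not in the baseline list."""
    return [p for p in security_providers(log) if p not in baseline]


def created_last_30(log):
    """Map file basename -> (created timestamp, size or None for dirs, path)."""
    start = log.find("Created Last 30")
    if start == -1:
        return {}
    end = log.find("Find3M", start)
    section = log[start:end if end != -1 else None]
    entries = {}
    for ts, size, path in CREATED_LINE.findall(section):
        name = path.rsplit("\\", 1)[-1].lower()
        size_val = None if size == "<DIR>" else int(size.replace(",", ""))
        entries[name] = (datetime.strptime(ts, "%Y-%m-%d %H:%M"), size_val, path)
    return entries


def triage(log, baseline=XP_BASELINE):
    """For each unexpected provider, say whether and when its file was created."""
    recent = created_last_30(log)
    report = []
    for dll in unexpected_providers(log, baseline):
        hit = recent.get(dll)
        report.append({
            "dll": dll,
            "created": hit[0].strftime("%Y-%m-%d %H:%M") if hit else None,
            "size": hit[1] if hit else None,
            "path": hit[2] if hit else None,
        })
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_DDS):
        print(item)
```

Run against the excerpt it reports snapapi32.dll as the one provider outside the baseline, created 2009-05-15 21:11 with size 581,632, which matches the file that VirusTotal was later asked about. The same two sections are the first place to look whenever a removal "succeeds" and the file is back after a reboot.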


 
Hi

Qoobox and System Restore related items will be dealt with later. However, you may delete that other finding in the Spybot recovery folder.

I shall ask for other opinions on this snapapi32.dll thing. Meanwhile, upload the following file to http://www.virustotal.com (rescan it if it has already been scanned) and post back the results or links to the results:
c:\windows\system32\snapapi32.dll

I want to see if detection status has changed.
 
Here are the virus scan results for snapapi32.dll:

file snapapi32.dll received on 05.16.2009 16:46:19 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 -
AhnLab-V3 5.0.0.2 2009.05.16 -
AntiVir 7.9.0.168 2009.05.15 -
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.16 -
Avast 4.8.1335.0 2009.05.15 -
AVG 8.5.0.336 2009.05.15 -
BitDefender 7.2 2009.05.16 -
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.16 -
eSafe 7.0.17.0 2009.05.14 -
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.16 -
F-Secure 8.0.14470.0 2009.05.15 -
Fortinet 3.117.0.0 2009.05.16 -
GData 19 2009.05.16 -
Ikarus T3.1.1.49.0 2009.05.16 -
K7AntiVirus 7.10.735 2009.05.14 -
Kaspersky 7.0.0.125 2009.05.16 -
McAfee 5616 2009.05.15 -
McAfee+Artemis 5616 2009.05.15 -
McAfee-GW-Edition 6.7.6 2009.05.15 -
Microsoft 1.4602 2009.05.16 -
NOD32 4080 2009.05.15 -
Norman 6.01.05 2009.05.16 -
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.16 -
PCTools 4.4.2.0 2009.05.16 -
Prevx 3.0 2009.05.16 -
Rising 21.29.52.00 2009.05.16 -
Sophos 4.41.0 2009.05.16 -
Sunbelt 3.2.1858.2 2009.05.16 -
Symantec 1.4.4.12 2009.05.16 -
TheHacker 6.3.4.1.326 2009.05.15 -
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.16 -
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.16 -
Additional information
File size: 581632 bytes
MD5...: 9b1f586cf49e1db21ba246d53a31ff0c
SHA1..: 66f1d3811ce0a2a5854709b0b2991bfe6ace96cc
SHA256: 75e55f8de01b4731ea90454cb8a0f60af68c79ea0f4521178550db13c1d9b020
SHA512: ac93b6236dfa1710e68a845560c9e1c0d668e055452655e9584c4534d7aab1a277b29ac31b4507de07ea77ea2d150a0cde2fdb97d890ba9e6ba2eda0c67e3bba
ssdeep: 6144:BG6Ycno/breJKvtHS1RczAJ5Jav++W6C3Q61jSqeM+N/1U4Ae4GC2Mf+jW12/b:cx/XeJKVHS1RczAvwv+36C3QPRMgb4G
PEiD..: -
TrID..: File type identification
  Win32 Executable Generic (42.3%)
  Win32 Dynamic Link Library (generic) (37.6%)
  Generic Win/DOS Executable (9.9%)
  DOS Executable Generic (9.9%)
  Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2a92
timedatestamp.....: 0x498c9e77 (Fri Feb 06 20:32:55 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x25c6 0x3000 5.36 fb59f1ea592976013834c174b0ef1c80
.rdata 0x4000 0x6e8 0x1000 2.62 fb248850a415ad9059d715de67bcdbb7
.data 0x5000 0x879f8 0x88000 7.88 3bb7e21a71ef22e3751f288ef36dd3e9
.reloc 0x8d000 0x906 0x1000 1.80 f2501e3e9584067698225df2b007c80f

( 5 imports )
> KERNEL32.dll: GetTickCount, GetAtomNameA, GetCurrentDirectoryA, FindAtomA, GetLocalTime, lstrlenA, GlobalFindAtomA, GetConsoleTitleA, CloseHandle, SetFileTime, GetCurrentProcess, lstrcatA, lstrcpyA, GetSystemDirectoryA, GetCurrentThread, WriteFile, GetModuleFileNameA, GlobalAddAtomA, lstrcmpA, GetVersion, ExitProcess, IsProcessorFeaturePresent, SystemTimeToFileTime, GetWindowsDirectoryA, GlobalGetAtomNameA, HeapAlloc, GetComputerNameA, GetTempPathA, GetProcessHeap, HeapFree, CreateFileA
> ADVAPI32.dll: RegQueryValueExA, RegOpenKeyA, RegSetValueExA, RegCreateKeyA, GetUserNameA, RegCloseKey
> USER32.dll: GetCursor, GetWindow, GetDesktopWindow, GetFocus, GetClassNameA, GetCapture, GetClassLongA, GetWindowDC, GetDC, FindWindowA, IsWindowEnabled, IsWindowVisible, GetSysColor, GetActiveWindow, GetWindowLongA
> GDI32.dll: GetDeviceCaps, GetTextColor, GetBkColor, GetBkMode
> MSVCRT.dll: _ltoa, strlen, strcat, memset, _ftol, atol

( 1 exports )
DllMain
PDFiD.: -
RDS...: NSRL Reference Data Set
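Zero detections out of forty engines is not the same as clean, and the section table in the report above already says a lot on its own: the .data section has an entropy of 7.88 (8.0 is uniformly random) and its raw size of 0x88000 bytes is nearly the whole 581,632-byte file, while the entry point sits in a .text section of only 0x3000 raw bytes. That is the shape of a small stub that unpacks or decrypts an embedded payload at run time, which also explains why static signatures miss it. As an added example (not part of the original post and not VirusTotal code), the script below implements the entropy measure and the two heuristics just described over the section table copied from the report; the thresholds and the reference buffers are assumptions chosen for illustration.

```python
"""Added example for the VirusTotal report above: read the PE section table
for signs of a packed or encrypted payload, independent of AV verdicts.
Not part of the original post or of VirusTotal."""
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Section table as reported in the post: (name, virtual address, virtual size,
# raw size, entropy). File size and entry point RVA are also from the report.
SECTIONS = [
    (".text", 0x1000, 0x25C6, 0x3000, 5.36),
    (".rdata", 0x4000, 0x6E8, 0x1000, 2.62),
    (".data", 0x5000, 0x879F8, 0x88000, 7.88),
    (".reloc", 0x8D000, 0x906, 0x1000, 1.80),
]
FILE_SIZE = 581632
ENTRY_POINT_RVA = 0x2A92


def section_of(rva, sections):
    """Name of the section whose virtual range contains the RVA, or None."""
    for name, va, vsize, rawsize, _ in sections:
        if va <= rva < va + max(vsize, rawsize):
            return name
    return None


def packed_payload_indicators(sections, file_size, entry_rva,
                              min_entropy=7.0, min_share=0.5):
    """Heuristics (thresholds are assumptions): a near-random section holding
    most of the file, plus a tiny code section carrying the entry point, is
    the typical layout of a stub that decrypts an embedded payload."""
    findings = []
    for name, _, _, rawsize, entropy in sections:
        share = rawsize / file_size
        if entropy >= min_entropy and share >= min_share:
            findings.append(
                f"{name}: entropy {entropy:.2f} over {share:.0%} of the file "
                f"(compressed or encrypted payload)")
    ep_section = section_of(entry_rva, sections)
    code = next((s for s in sections if s[0] == ep_section), None)
    if code and code[3] <= 0x4000:
        findings.append(
            f"entry point 0x{entry_rva:x} in {ep_section}, only 0x{code[3]:x} raw "
            f"bytes of code for a {file_size:,}-byte file (loader stub?)")
    return findings


def reference_entropies():
    """Constructed buffers that calibrate what the reported 7.88 means."""
    zeros = bytes(4096)                                   # padding
    text = b"The quick brown fox jumps over the lazy dog. " * 100  # plain ASCII
    uniform = bytes(range(256)) * 16                      # ciphertext-like
    return {
        "zeros": round(shannon_entropy(zeros), 2),
        "ascii_text": round(shannon_entropy(text), 2),
        "uniform": round(shannon_entropy(uniform), 2),
    }


if __name__ == "__main__":
    print(reference_entropies())
    for line in packed_payload_indicators(SECTIONS, FILE_SIZE, ENTRY_POINT_RVA):
        print("-", line)
```

For the table from the report this flags .data (7.88 over 96% of the file) and the 0x3000-byte .text holding the entry point. Note also the imports: a DLL that registers itself as a security provider has no obvious reason to call GetDC, GetWindowDC or FindWindowA, and RegSetValueExA together with GetComputerNameA and GetUserNameA is consistent with something that writes its own persistence and fingerprints the host. None of this is proof on its own, but it is the kind of evidence to weigh when the engines all say "-".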
 
Hi

Are there any other systems on the same network as this one we're dealing with?


Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
Code:
@echo off
ipconfig /all >c:\ipsettings.txt

Double-click on fixes.bat file to execute it. After that c:\ipsettings.txt file should exist. Please post back contents of that file.



Download ERUNT
Save it to your desktop. Run and install this program.

In the box that opens ONLY choose
System registry.

Then click OK.

Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{502b4e06-3fe0-472d-b929-e4ecfb50d066}]
"Compatibility Flags"=dword:00000400

It should look like this ->
reg.gif


Double-click fix.reg, press Yes and OK.
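The fix.reg above sets the ActiveX kill bit (Compatibility Flags 0x400) for that CLSID, so Internet Explorer will refuse to load the control. As an added example, not from the thread or its helper, here is a small Python parser for .reg exports with a check that reports whether the kill bit is set for each CLSID under the ActiveX Compatibility key. The all-zero CLSID in the sample is a constructed placeholder, not a real control, and the names `parse_reg` and `killbit_status` are chosen here.

```python
import re

# Kill bit in the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# 0x00000400 tells Internet Explorer never to instantiate that control.
KILL_BIT = 0x00000400

ACTIVEX_COMPAT = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
                  "\\ActiveX Compatibility\\")

# Constructed sample: the fix.reg from the thread, plus a second entry with a
# placeholder CLSID (all zeros, not a real control) whose kill bit is left clear.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{502b4e06-3fe0-472d-b929-e4ecfb50d066}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000000
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    dword: values become ints, quoted strings become str, and anything else
    (hex:, expandable strings, ...) is kept as the raw text after '='.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if value.lower().startswith("dword:"):
                keys[current][name] = int(value[6:], 16)
            elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                keys[current][name] = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                keys[current][name] = value
    return keys


def killbit_status(keys):
    """Map each CLSID under ActiveX Compatibility to True if its kill bit is set."""
    status = {}
    for path, values in keys.items():
        if path.startswith(ACTIVEX_COMPAT):
            clsid = path[len(ACTIVEX_COMPAT):]
            flags = values.get("Compatibility Flags", 0)
            status[clsid] = bool(isinstance(flags, int) and flags & KILL_BIT)
    return status


if __name__ == "__main__":
    for clsid, killed in killbit_status(parse_reg(SAMPLE_REG)).items():
        print(clsid, "kill bit set" if killed else "kill bit NOT set")
```

The same parser can be pointed at a `reg export` of the whole ActiveX Compatibility key to list which controls on a machine are already kill-bitted before and after applying a fix like the one above.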
 
Hi,
There are other machines that share this router, 4 in total, but they are not networked.

I have followed all your instructions from the last post, but I am not comfortable posting this level of specific identifiable information across the net, i.e. IP addresses and unit names/identifiers.

If you need info from the txt, ask and I will let you know. Sorry if it seems I am being awkward, especially after how long we have been working on this, but this is outside of my comfort zone.
 
Hi

It's the DNS servers' IP addresses that I'm interested in. If you think those are too private to be posted in the topic then you can send me the details through the private messaging system :)
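The helper's batch file dumps `ipconfig /all` into c:\ipsettings.txt, and the only part actually wanted from it is the DNS server addresses. As an added example, not part of the thread, here is a Python parser for that output which pulls out just the DNS servers per adapter, so they can be reviewed or shared without the host name, MAC and the machine's own IP, and labels each one as a LAN (RFC 1918) address, such as the router, or an external address that should be recognisable as the ISP's or a deliberately chosen public resolver. The sample output and every address in it are constructed (private and documentation ranges only), and the function names are chosen here.

```python
import re
import ipaddress

# Constructed sample of what c:\ipsettings.txt (ipconfig /all on Windows XP) looks like.
# All addresses are placeholders from RFC 1918 / documentation ranges, not from the thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : EXAMPLE-PC
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.5
                                            192.168.1.1
"""

# An ipconfig field line: indented label, a run of ". " padding, a colon, the value.
FIELD_RE = re.compile(r'^\s+([A-Za-z][A-Za-z0-9 \-]*?)\s*(?:\. ?)+\s*:\s*(.*)$')


def parse_ipconfig(text):
    """Parse ipconfig /all output into {section: {field: [values]}}.

    Multi-valued fields (DNS Servers with several entries) continue on
    indented lines with no label, so each field holds a list.
    """
    sections = {}
    current = None
    last_field = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():            # section / adapter header
            current = raw.strip().rstrip(":")
            sections[current] = {}
            last_field = None
            continue
        m = FIELD_RE.match(raw)
        if m and current is not None:
            last_field = m.group(1)
            value = m.group(2).strip()
            sections[current][last_field] = [value] if value else []
        elif current is not None and last_field is not None:
            sections[current][last_field].append(raw.strip())
    return sections


def dns_servers(sections):
    """Only the DNS server addresses per adapter: nothing else from the dump."""
    return {name: fields["DNS Servers"]
            for name, fields in sections.items() if fields.get("DNS Servers")}


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def review_dns(sections):
    """(adapter, server, 'lan' | 'external') for every configured DNS server."""
    out = []
    for adapter, servers in dns_servers(sections).items():
        for server in servers:
            out.append((adapter, server, "lan" if is_rfc1918(server) else "external"))
    return out


if __name__ == "__main__":
    for adapter, server, kind in review_dns(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{adapter}: {server} ({kind})")
```

Run against the real ipsettings.txt, `review_dns` gives exactly the list the helper asked for: any "external" entry that is not the ISP's resolver or one the owner configured on purpose is the thing to look at.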
 
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.
 