Help please - Malware log

blahblahdoh
Posts: 433 Forumite

in Techie Stuff
Hi,
AliEnRik suggested I post the log from my first scan using anti-malware software 'Malwarebytes' in a new thread, as I may need further action to remove bad stuff. Here it is:
Malwarebytes' Anti-Malware 1.41
Database version: 3005
Windows 5.1.2600 Service Pack 2
21/10/2009 15:57:27
mbam-log-2009-10-21 (15-57-27).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 202994
Time elapsed: 1 hour(s), 8 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 12
Registry Data Items Infected: 15
Folders Infected: 11
Files Infected: 64
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5792aa9-d373-4039-8670-2cdab6a71f15} (Trojan.Swizzor) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BitDownload (Trojan.Swizzor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Csrss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winexy32 (Trojan.Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\podmena (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\podmenadrv (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastia (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdll (Worm.AutoRun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\podmena (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Agent Pro (Rogue.AntiVirusAgentPro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastia (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit32.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit32.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\system32\userinit32.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b69f76a3-e9f7-4350-b911-bdf06a2ba922}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.108,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{be829b72-ff28-4573-afb8-ed0159ec58c2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.108,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f5210e4f-c489-45ae-907c-87f02a4bb84c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.108,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b69f76a3-e9f7-4350-b911-bdf06a2ba922}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.108,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{be829b72-ff28-4573-afb8-ed0159ec58c2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.108,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f5210e4f-c489-45ae-907c-87f02a4bb84c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.108,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{b69f76a3-e9f7-4350-b911-bdf06a2ba922}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.108,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{be829b72-ff28-4573-afb8-ed0159ec58c2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.108,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{f5210e4f-c489-45ae-907c-87f02a4bb84c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.108,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{b69f76a3-e9f7-4350-b911-bdf06a2ba922}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.108,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{be829b72-ff28-4573-afb8-ed0159ec58c2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.108,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{f5210e4f-c489-45ae-907c-87f02a4bb84c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.108,85.255.112.143 -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\LocalService\Application Data\twain_32 (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32 (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\Skins (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\Support (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\ZM (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\podmena (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\BitDownload (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mac32 (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sysloc (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\All Users\Application Data\SecTaskMan\xagkf32.dll.q_8048600_q (Password.Stealer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\adwareprofessional.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Sibelius Software\Sibelius 3\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6BCF816E-5DD3-4D52-8959-4D2CE8D95DF3}\RP753\A0165406.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winarps32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\BitDownload.exe (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\BitDownload.TRC (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\BitDownload_1.TRC (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\settings.ini (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\settings.stp (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\SkinCrafterDll.dll (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\TorrentManager.dll (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\unins000.dat (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\unins000.exe (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\Skins\Stylish.skf (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\Support\default.htm (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\Support\dots.gif (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\Support\logo.jpg (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\Support\porttest_error.htm (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Program Files\BitDownload\Support\porttest_start.htm (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\BitDownload\BitDownload.lnk (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\BitDownload\Uninstall BitDownload.lnk (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mac32\cbt.lc (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\mac32\cbt.lc.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mac32\cc.lc (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\user.ds.cla (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\a9k.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\c2d.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ck.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idm.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nk.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\q1.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Userinit32.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\z98a.bin (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win399E.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win4C75.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win4C7C.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win4C7F.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win4C85.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win4D1D.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win4E8D.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win4F88.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win4F8B.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win4F8E.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win4F91.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win4F94.tmp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv071239809728.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv231241182073.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv761244355759.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\zaponce52597.dat (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\zaponce52612.dat (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\zaponce52689.dat (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\sonce122730.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\csrss2.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ (Trojan.Dialer) -> Quarantined and deleted successfully.
Thanks.
Comments
Jesus blah
That's a seriously bad lot of infections!
Please run COMBOFIX
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be)
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (making the complete file name 'QWERTY.exe'), or SAVE as 'QWERTY' on download.
COMBOFIX log (part 1 of 2)
ComboFix 09-10-20.03 - Owner 22/10/2009 12:52.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.511.137 [GMT 1:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-149224033-2728638990-1855971354-1003
c:\recycler\S-1-5-21-1960408961-1767777339-725345543-1003
c:\recycler\S-1-5-21-2393801536-3181911000-3815576754-1003
c:\recycler\S-1-5-21-3612998713-4017617122-1963733254-1003
c:\windows\system32\al.txt
c:\windows\system32\dz1.txt
c:\windows\system32\kjs
c:\windows\system32\p1.txt
c:\windows\system32\r24.txt
c:\windows\system32\grpconv.exe . . . is missing!!
c:\windows\system32\proquota.exe . . . is missing!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_NDISRD
\Legacy_PODMENA
\Legacy_PODMENADRV
\Service_ndisrd
((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.
2009-10-22 11:34 . 2009-10-22 11:34 dcsh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-22 11:14 . 2009-10-22 11:14 d-----w- c:\program files\Windows Defender
2009-10-22 02:01 . 2009-10-22 02:01 d-----w- c:\windows\ie8updates
2009-10-21 15:46 . 2009-10-21 15:49 d-----w- c:\program files\Death Rally
2009-10-21 15:10 . 2009-10-21 15:10 d-----w- c:\program files\CCleaner
2009-10-21 13:46 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-21 13:46 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-21 13:30 . 2009-10-21 13:30 dc----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-21 13:30 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 13:30 . 2009-10-21 13:30 dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 13:30 . 2009-10-21 13:30 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 13:30 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 13:28 . 2009-10-21 13:28 d-----w- c:\program files\HostsXpert
2009-10-21 10:46 . 2009-10-21 10:46 dcsh--w- c:\documents and settings\Owner\PrivacIE
2009-10-21 03:49 . 2009-10-21 03:49 dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-10-21 03:29 . 2009-10-19 23:37 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-21 03:19 . 2009-10-21 03:19 dcsh--w- c:\documents and settings\LocalService\IETldCache
2009-10-21 01:09 . 2009-10-21 01:09 dcsh--w- c:\documents and settings\Owner\IETldCache
2009-10-21 01:08 . 2009-10-21 01:08 d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-21 00:59 . 2009-10-21 01:00 dc-h--w- c:\windows\ie8
2009-10-20 22:50 . 2001-08-31 14:07 27255 ------w- c:\windows\system32\drivers\NWWMUSB.sys
2009-10-20 22:50 . 2009-10-20 22:50 d-----w- c:\program files\Sony Corporation
2009-10-20 22:50 . 2002-09-11 09:20 11510 ------w- c:\windows\system32\drivers\VMCUSB.sys
2009-10-20 22:49 . 2005-10-31 09:46 36679 ------w- c:\windows\system32\drivers\NETMD052.sys
2009-10-20 22:49 . 2003-11-10 11:31 36232 ------w- c:\windows\system32\drivers\NETMD033.sys
2009-10-20 22:49 . 2003-04-01 17:55 35319 ------w- c:\windows\system32\drivers\NETMD031.sys
2009-10-20 22:49 . 2002-08-08 14:51 38951 ------w- c:\windows\system32\drivers\NETMDUSB.sys
2009-10-20 22:49 . 2001-09-13 01:15 90112 ------w- c:\windows\snymsico.dll
2009-10-19 23:38 . 2009-10-19 23:37 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-19 23:35 . 2009-10-19 23:35 dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-10-19 23:34 . 2009-10-19 23:34 d-----w- c:\program files\Lavasoft
2009-10-01 12:43 . 2009-10-01 12:43 dc----w- c:\documents and settings\All Users\Application Data\TVU Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 02:08 . 2006-12-04 15:16 -------- d-----w- c:\program files\DivX
2009-10-21 23:55 . 2008-10-02 15:40 -------- dc----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-21 15:19 . 2009-02-06 23:23 -------- d-----w- c:\program files\Coupon Printer
2009-10-21 15:19 . 2007-03-09 15:43 -------- d-----w- c:\program files\BitComet
2009-10-21 15:18 . 2009-03-24 01:02 -------- d-----w- c:\program files\Audible
2009-10-21 03:51 . 2009-01-07 05:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-21 03:47 . 2006-08-29 01:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-10-20 23:21 . 2008-11-21 09:08 -------- dc----w- c:\documents and settings\Owner\Application Data\skypePM
2009-10-20 22:51 . 2003-10-15 17:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-20 22:51 . 2007-10-03 14:04 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-10-20 22:50 . 2007-10-03 14:04 -------- d-----w- c:\program files\Sony
2009-10-20 12:00 . 2006-09-06 22:28 -------- d-----w- c:\program files\Java
2009-10-19 23:34 . 2009-06-22 23:35 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-19 23:29 . 2006-12-08 01:24 -------- dc----w- c:\documents and settings\Owner\Application Data\Lavasoft
2009-10-14 01:32 . 2007-11-16 00:15 -------- d-----w- c:\program files\ChineseTools
2009-10-13 23:17 . 2009-02-06 23:23 31 ---ha-w- c:\windows\UKCpInfo.sys
2009-10-09 19:58 . 2009-04-15 16:26 -------- dc----w- c:\documents and settings\Owner\Application Data\LimeWire
2009-10-06 19:19 . 2008-01-11 22:57 -------- d-----w- c:\program files\Wenlin3-flashcards, sound etc
2009-10-01 12:43 . 2007-07-25 13:28 -------- d-----w- c:\program files\TVUPlayer
2009-10-01 04:52 . 2007-07-25 13:29 -------- dc----w- c:\documents and settings\Owner\Application Data\TVU Networks
2009-09-11 14:33 . 2004-08-04 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:16 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 2004-08-04 12:00 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2004-08-03 22:59 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 14:23 . 2009-01-16 21:57 411368 ----a-w- c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-16 2000112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2003-05-28 394240]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2003-03-31 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-19 520024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"PRISMSTA.EXE"="PRISMSTA.EXE" - c:\windows\system32\PRISMSTA.exe [2003-08-04 215552]
"ledpointer"="CNYHKey.exe" - c:\windows\CNYHKey.exe [2003-06-27 5798912]
"Cmaudio"="cmicnfg.cpl" - c:\windows\CMICNFG.CPL [2003-10-14 2269184]
"CHotkey"="mHotkey.exe" - c:\windows\mHotkey.exe [2003-06-27 506368]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-11-07 1626112]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=c:\windows\pss\Photo Loader supervisory.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SSUpdate.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqvwr08.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Uniblue\\ProcessScanner\\ProcessScanner.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23455:TCP"= 23455:TCP:BitComet 23455 TCP
"23455:UDP"= 23455:UDP:BitComet 23455 UDP
"110:TCP"= 110:TCP:svchost
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [20/10/2009 00:38 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [22/12/2008 12:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [22/12/2008 12:05 74480]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShldDrv.sys [18/06/2009 12:46 26752]
R1 SSHDRV76;SSHDRV76;c:\windows\system32\drivers\SSHDRV76.sys [10/09/2006 17:41 53760]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1028432]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [18/06/2009 12:46 163856]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R3 PRISM_A00;PRISM 802.11g Driver;c:\windows\system32\drivers\PRISMA00.sys [10/09/2003 12:22 362688]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [22/12/2008 12:06 7408]
S2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe --> c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [?]
S3 AIT800AC;BenQ-Siemens EF61;c:\windows\system32\drivers\AIT800C.sys [18/11/2006 13:16 52096]
S3 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [20/09/2002 17:27 77824]
S3 CA_LIC_SRVR;CA License Server;c:\program files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [20/09/2002 17:41 77824]
S3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;c:\windows\system32\drivers\PhTVTune.sys [12/06/2003 07:47 24704]
S3 qcusbmdm6k;New York Proprietary USB Driver;c:\windows\system32\drivers\qcusbmdm6k.sys [21/11/2008 17:49 65024]
S3 qcusbser6k;New York Diagnostic Port;c:\windows\system32\drivers\qcusbser6k.sys [21/11/2008 17:57 65024]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2E1A9DE4-ADA0-4501-A46E-6633CDB01654}]
rundll32 xagkf32.dll,InitO
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AC018590-FBBD-4789-A15B-FFBBBE6C8965}]
rundll32 bekbn.dll,InitO
.
Contents of the 'Scheduled Tasks' folder
2009-10-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:37]
2007-01-04 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2100 series5E771253C1676EBED677BF361FDFC537825E15B8157896530.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]
2009-10-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-02 15:55]
2009-10-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
Supplementary Scan
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ezbfs6ye.New user 0509\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ezbfs6ye.New user 0509\extensions\firedownload@mozilla.org\components\firedownload.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -
Notify-saifx - saifx.dll
SafeBoot-sorrd.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 13:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

COMBOFIX log (part 2 of 2):
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"avldr.dll"
"Impersonate"=dword:00000000
"Startup"="AvLdrStartupNotification"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
@DACL=(02 0000)
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=expand:"WgaLogon.dll"
"Event"=dword:00000000
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(608)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3472)
c:\windows\system32\WININET.dll
c:\windows\HKCYDLL.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\combofix\CF14393.exe
c:\windows\system32\RunDll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-22 13:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-22 12:21
Pre-Run: 2,803,568,640 bytes free
Post-Run: 2,762,215,424 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 037096EDD812D9D2A1876A1747E96D2A

I'd suggest a scan with DR WEB too ~
http://www.freedrweb.com/download+cureit/
It will auto quick scan.
Once it's done, set it to scan the WHOLE computer and press the 'play' icon.

Can't remember now what else you've done......
Run CCleaner (cleaner and registry) and a full disk cleanup including old restore points, 'cos it looks like some of the infections are hiding in there; instructions here:-
http://forums.moneysavingexpert.com/showpost.html?p=26008869&postcount=7
Then it would be a good idea to do another full MBAM scan, remember to UPDATE before you start it off...let's see if that's cleared up....
After you've followed RIK's advice, of course......
Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple

I'd also consider running a SuperAntiSpyware scan as well.

Thanks everyone. I did ALL of the above. My PC is squeaky.
Thanks very much for all the help. What a brilliant site this is.
Special big clever wibbly THANKS to aliEnRIK - he's a Star, man!
This discussion has been closed.