Slow computer/ broadband, Hijack log enc.
Comments
-
This might come as a surprise, Computer 2:-
Malwarebytes' Anti-Malware 1.44
Database version: 3921
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
27/03/2010 23:41:30
mbam-log-2010-03-27 (23-41-30).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 734131
Time elapsed: 4 hour(s), 27 minute(s), 32 second(s)
You can say that again, you have definite 'videoegg' activity and I believe you're infected with trojans.
You're 'absolutely sure' that's computer 2??
If so ~
Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME it to QWERTY (making the complete file name 'QWERTY.exe'), or SAVE it as 'QWERTY' on download.
-
You can say that again, you have definite 'videoegg' activity and I believe you're infected with trojans.
Please run COMBOFIX
Computer 2 combofix log below.
ComboFix 10-03-27.02 - Dilwyn 28/03/2010 10:45:28.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.296 [GMT 1:00]
Running from: c:\documents and settings\Dilwyn\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Dilwyn\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Start Menu\Programs\RebirthRO Full Client
c:\documents and settings\All Users\Start Menu\Programs\RebirthRO Full Client \lua.lnk
c:\documents and settings\All Users\Start Menu\Programs\RebirthRO Full Client \nProtect Hacking Protector.lnk
c:\documents and settings\All Users\Start Menu\Programs\RebirthRO Full Client \RebirthRO Patcher.lnk
c:\documents and settings\All Users\Start Menu\Programs\RebirthRO Full Client \RebirthRO.lnk
c:\documents and settings\All Users\Start Menu\Programs\RebirthRO Full Client \Setup.lnk
c:\documents and settings\All Users\Start Menu\Programs\RebirthRO Full Client \Sysinternals Contig.lnk
c:\documents and settings\All Users\Start Menu\Programs\RebirthRO Full Client \Uninstall RebirthRO Full Client .lnk
c:\documents and settings\Dilwyn\Application Data\EurekaLog
c:\documents and settings\Dilwyn\Application Data\EurekaLog\EurekaLog.ini
c:\documents and settings\Dilwyn\Local Settings\Application Data\{8F6FF804-1553-4269-AA57-B1976AD784B4}
c:\documents and settings\Dilwyn\Local Settings\Application Data\{8F6FF804-1553-4269-AA57-B1976AD784B4}\chrome.manifest
c:\documents and settings\Dilwyn\Local Settings\Application Data\{8F6FF804-1553-4269-AA57-B1976AD784B4}\chrome\content\_cfg.js
c:\documents and settings\Dilwyn\Local Settings\Application Data\{8F6FF804-1553-4269-AA57-B1976AD784B4}\chrome\content\overlay.xul
c:\documents and settings\Dilwyn\Local Settings\Application Data\{8F6FF804-1553-4269-AA57-B1976AD784B4}\install.rdf
c:\documents and settings\Dilwyn\My Documents\backup reg.reg
C:\VDM258.tmp
C:\VDM259.tmp
C:\VDM2BF.tmp
C:\VDM2C0.tmp
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\eSellerateEngine.dll
c:\windows\Guxbpi.dll
c:\windows\RebirthRO Full Client
c:\windows\RebirthRO Full Client \uninstall.exe
c:\windows\Rop12.exe
c:\windows\run.log
c:\windows\system32\ipflr.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\tmp.reg
c:\windows\system32\tmp30.tmp
c:\windows\winhelp.ini
.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.
2010-03-27 06:15 . 2010-03-27 06:15 -------- d-----w- c:\program files\Trend Micro
2010-03-26 20:32 . 2010-03-26 20:32 -------- d-----w- C:\FOUND.034
2010-03-21 16:03 . 2010-03-21 16:03 -------- d-----w- C:\FOUND.033
2010-03-20 18:40 . 2010-03-20 18:40 69 ----a-w- c:\documents and settings\Dilwyn\jagex_runescape_preferences2.dat
2010-03-13 01:35 . 2009-10-23 14:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 13:50 . 2010-03-06 13:50 -------- d-----w- C:\FOUND.032
2010-03-06 05:37 . 2010-03-06 05:37 -------- d-----w- c:\documents and settings\Gwilym\Local Settings\Application Data\{FA88295D-FBF9-463E-AF20-2A6A4AB50226}
2010-03-06 05:36 . 2010-03-06 05:36 -------- d-----w- c:\documents and settings\Gwilym\Application Data\WTablet
2010-03-05 07:11 . 2010-03-10 05:42 0 ----a-w- c:\windows\Unoxejala.bin
2010-03-05 07:11 . 2010-03-10 15:47 120 ----a-w- c:\windows\Alahida.dat
2010-03-04 06:51 . 2010-03-04 06:51 -------- d-----w- C:\FOUND.031
2010-03-04 06:14 . 2010-03-04 06:14 -------- d-----w- C:\FOUND.030
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 08:37 . 2007-07-24 15:31 2202 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-20 18:40 . 2008-08-26 17:27 41 ----a-w- c:\documents and settings\Dilwyn\jagex_runescape_preferences.dat
2010-02-24 21:20 . 2010-02-24 21:20 -------- d-----w- c:\documents and settings\Dilwyn\Application Data\Acoustica
2010-02-24 21:13 . 2010-02-24 21:13 -------- d-----w- c:\program files\Acoustica Shared Effects
2010-02-24 21:02 . 2010-02-24 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Acoustica
2010-02-24 21:02 . 2010-02-24 21:02 -------- d-----w- c:\program files\Acoustica Mixcraft 5
2010-02-12 09:03 . 2010-02-24 09:58 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-08 21:34 . 2009-01-06 17:35 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-27 21:13 . 2010-01-27 21:13 -------- d-----w- c:\program files\iTunes
2010-01-27 21:13 . 2010-01-27 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-07 15:07 . 2008-09-08 21:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07 . 2008-09-08 21:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 12:22 . 2004-10-31 17:20 106320 ----a-w- c:\documents and settings\Dilwyn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 15:50 . 2004-01-22 21:53 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-01-06 19:24 . 2009-01-06 19:24 742 ----a-w- c:\program files\bkfch.txt
2008-10-25 13:58 . 2008-10-25 13:58 604 ---ha-w- c:\program files\STLL Notifier
2008-08-06 19:46 . 2007-07-24 15:31 56 --sh--r- c:\windows\system32\043C8080F9.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-06-11 4608]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-07 05:39 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 07:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AudioDeck.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AudioDeck.lnk
backup=c:\windows\pss\AudioDeck.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
backup=c:\windows\pss\Belkin Wireless USB Utility.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk
backup=c:\windows\pss\QuickTV.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Dilwyn^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Dilwyn\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
2005-07-25 08:05 1896448 ----a-w- c:\garmin\gStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 12:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 15:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
2003-08-19 14:43 57344 ----a-w- c:\program files\Lexmark X1100 Series\lxbkbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-06-08 13:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2005-06-08 14:24 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2005-06-08 14:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-07-19 16:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-05-10 15:04 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2005-05-10 15:04 110592 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-09-17 00:07 8491008 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-09-17 00:07 81920 ----a-w- c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 22:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2006-05-31 17:42 1003520 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
2008-03-16 09:29 577540 ----a-w- c:\program files\NCH Swift Sound\Recordpad\recordpad.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2005-10-26 15:17 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
2004-01-26 10:38 866816 ----a-w- c:\program files\Thomson\SpeedTouch USB\dragdiag.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SupaDial]
2003-08-26 15:40 286720 ----a-w- c:\program files\SupaDial\SupaDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\LEXPPS.EXE"=
"c:\\Program Files\\THQ\\Dawn of War\\W40k.exe"=
"c:\\Program Files\\Real\\RealPlayer\\REALPLAY.EXE"=
"c:\\WINDOWS\\System32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\WS_FTP\\ws_ftp95.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\BlueByte\\The Settlers IV\\Exe\\S4_Main.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\trueplay.exe"=
"c:\\Program Files\\YVD\\YGO Virtual Desktop V086.exe"=
"c:\\Program Files\\YVD\\n00b-IRC.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"f:\\Rhys\\redshark.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\BIN\\javaw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\DSGameMaker\\DSGameMaker.exe"=
"c:\\WINDOWS\\System32\\javaws.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\BIN\\javaws.exe"=
"f:\\Rhys\\Desmume_build_2810_x86_x64\\Desmume build 2810 x86 x64\\Desmume-r2810\\DeSmuME_VS2008.exe"=
"f:\\Rhys\\Desmume_build_2810_x86_x64\\Desmume build 2810 x86 x64\\Desmume-r2810\\DeSmuME_VS2008_sse2.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"f:\\Rhys\\Battle for Middle Earth\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27383:UDP"= 27383:UDP:axeurus
"990:TCP"= 990:TCP:activsync
"999:TCP"= 999:TCP:activesync
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/05/2008 13:09 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/05/2008 13:09 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [28/05/2008 10:33 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/05/2008 10:33 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [04/07/2008 09:36 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/07/2008 09:36 297752]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [20/08/2008 11:36 1373480]
R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [02/08/2004 15:52 34880]
S3 ewdmaudn;ewdmaudn;\??\c:\docume~1\Rhys\LOCALS~1\Temp\ewdmaudn.sys --> c:\docume~1\Rhys\LOCALS~1\Temp\ewdmaudn.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [28/12/2008 18:16 1527900]
S3 ntportio;ntportio;\??\c:\documents and settings\All Users\Documents\usb smart semctool\ntportio.sys --> c:\documents and settings\All Users\Documents\usb smart semctool\ntportio.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/05/2008 10:33 7408]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\i:\ntglm7x.sys --> i:\NTGLM7X.sys [?]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [02/08/2004 21:56 3351]
.
Contents of the 'Scheduled Tasks' folder
2010-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
mWindow Title = Supanet Internet Explorer
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: autoregister.net\autoreg
Trusted Zone: gov.uk\secure.vebus.defra
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
AddRemove-DeicideOnline - g:\rhys\DeicideOnline\uninstall.exe
AddRemove-Desktop Players_is1 - c:\program files\LEGO Desktop Toys\unins000.exe
AddRemove-GamewareBAMZOOKiZookKitSeries1_is1 - c:\program files\BAMZOOKi Zook Kit\unins000.exe
AddRemove-GoldWave v5.17 - c:\program files\GoldWave\unstall.exe
AddRemove-Kaiba Corp VDS_is1 - c:\program files\Kaiba Corp VDS\unins000.exe
AddRemove-Macromedia Flash 4 - f:\rhys\Flash 4\Uninst.isu
AddRemove-Poket Script - g:\rhys\Pokewitch\uninst.exe
AddRemove-RebirthRO Full Client 6.0 - c:\windows\RebirthRO Full Client \uninstall.exe
AddRemove-SecondLife - c:\program files\SecondLife\uninst.exe
AddRemove-The Games Factory 2 Demo - g:\rhys\Games Factory\UninstTGF2.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-28 11:03
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-3379260615-2782345078-1053136719-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-3379260615-2782345078-1053136719-1006\Software\SecuROM\License information*]
"datasecu"=hex:fc,e3,b9,50,27,28,30,bc,d8,f1,37,14,44,9e,09,5e,f9,32,dd,bf,50,
e9,b2,c7,47,af,9d,1f,9a,81,e5,db,b0,bb,cf,97,77,f7,64,cb,e5,09,a0,c7,f2,44,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(876)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3320)
c:\windows\system32\WININET.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
Other Running Processes
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\carpserv.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-28 11:10:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-28 10:10
Pre-Run: 5,298,454,528 bytes free
Post-Run: 10,999,463,936 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - B4DDF66B869452DE9932E8F2961CF7CF0 -
Computer 2 has lots of folders on the C: drive. They are called Found.001 up to 034. Each folder has a varied number of files called file0000.chk or with another digit in them. They are 32 KB and are recovered file fragments. Is it true that these are no use or should I keep them? If I keep them, what do I do with them?
-
Computer 2 ~
Yes, you can remove all the 'found' folders.
It's infected with trojans, though ~
Open notepad and copy/paste the text in RED below
File::
c:\windows\Unoxejala.bin
c:\windows\Alahida.dat
c:\windows\system32\043C8080F9.sys
Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
ComboFix should never take more than 30 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
-
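Added example, not part of the thread and not ComboFix's own tooling: a small Python triage helper that parses log lines in the layout ComboFix prints above (first timestamp . second timestamp, size or "--------", an eight-character attribute field, then the path), decodes the attribute letters, and lists entries a reviewer would look at first. The sample lines are copied from the logs in this thread; the two heuristics (hidden+system regular files, and files placed directly under c:\windows with an unusual extension or zero size) and the extension allowlist are my assumptions, not rules ComboFix applies.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the ComboFix logs in this thread, in the
# layout ComboFix uses (first timestamp . second timestamp, size or "--------",
# eight-character attribute field, path). Whitespace between columns varies.
SAMPLE_LOG = r"""
2010-03-27 06:15 . 2010-03-27 06:15 -------- d-----w- c:\program files\Trend Micro
2010-03-20 18:40 . 2010-03-20 18:40 69 ----a-w- c:\documents and settings\Dilwyn\jagex_runescape_preferences2.dat
2010-03-05 07:11 . 2010-03-10 05:42 0 ----a-w- c:\windows\Unoxejala.bin
2010-03-05 07:11 . 2010-03-10 15:47 120 ----a-w- c:\windows\Alahida.dat
2010-03-27 08:37 . 2007-07-24 15:31 2202 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-31 15:50 . 2004-01-22 21:53 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2008-08-06 19:46 . 2007-07-24 15:31 56 --sh--r- c:\windows\system32\043C8080F9.sys
"""

# One log line: "<time> . <time> <size|--------> <8 attribute chars> <path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(-{8}|\d+)\s+([a-z-]{8})\s+(.+)$"
)


@dataclass
class Entry:
    time_a: str          # first timestamp column, as printed
    time_b: str          # second timestamp column, as printed
    size: Optional[int]  # None where ComboFix prints "--------" (directories)
    attrs: str           # raw attribute field, e.g. "--sha-w-"
    path: str

    def has(self, letter: str) -> bool:
        # Attribute letters seen in the thread's logs: d directory, s system,
        # h hidden, a archive, r read-only, w writable. Decoded by presence,
        # not by column, so a slightly different column layout still works.
        return letter in self.attrs

    @property
    def is_dir(self) -> bool:
        return self.has("d")


def parse_log(text: str) -> List[Entry]:
    """Return the file/directory entries found in ComboFix-style log text."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section banners, "." spacer lines, registry sections
        size = None if m.group(3).startswith("-") else int(m.group(3))
        entries.append(Entry(m.group(1), m.group(2), size, m.group(4), m.group(5)))
    return entries


# Triage heuristics (assumptions for this example, not ComboFix rules): they
# select what to review first and never decide on their own what to delete.
WINDOWS_ROOT = "c:\\windows\\"
ROOT_EXPECTED_EXT = {".exe", ".dll", ".ini", ".log", ".txt", ".bmp"}


def triage_entries(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map path -> reasons for every regular file worth a second look."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if e.is_dir:
            continue
        reasons = []
        if e.has("s") and e.has("h"):
            reasons.append("hidden+system regular file")
        if e.size == 0:
            reasons.append("zero-byte file")
        low = e.path.lower()
        if low.startswith(WINDOWS_ROOT):
            rest = low[len(WINDOWS_ROOT):]
            if "\\" not in rest:  # sits directly in c:\windows, no subfolder
                ext = os.path.splitext(rest)[1]
                if ext not in ROOT_EXPECTED_EXT:
                    reasons.append(f"'{ext or 'none'}' extension directly under c:\\windows")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage_entries(parse_log(SAMPLE_LOG)).items():
        print(f"{path}: {', '.join(reasons)}")
```

The output is a review list, not a verdict. On the sample it picks out the three files the helper's CFScript targets, but it also flags KGyGaAvL.sys, which the helper left alone, so each hit still needs checking against known-good software before anything is removed.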
Computer 2 ~
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
After running this, the fan is running constantly and the computer seems to be busy.
Anyway, here's the log. Your help is greatly appreciated.
ComboFix 10-03-27.02 - Dilwyn 28/03/2010 15:47:33.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.141 [GMT 1:00]
Running from: c:\documents and settings\Dilwyn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dilwyn\Desktop\CFScript.txt'.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\windows\Alahida.dat"
"c:\windows\system32\043C8080F9.sys"
"c:\windows\Unoxejala.bin"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Alahida.dat
c:\windows\system32\043C8080F9.sys
c:\windows\Unoxejala.bin
.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.
2010-03-27 06:15 . 2010-03-27 06:15 -------- d-----w- c:\program files\Trend Micro
2010-03-26 20:32 . 2010-03-26 20:32 -------- d-----w- C:\FOUND.034
2010-03-21 16:03 . 2010-03-21 16:03 -------- d-----w- C:\FOUND.033
2010-03-20 18:40 . 2010-03-20 18:40 69 ----a-w- c:\documents and settings\Dilwyn\jagex_runescape_preferences2.dat
2010-03-13 01:35 . 2009-10-23 14:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 13:50 . 2010-03-06 13:50 -------- d-----w- C:\FOUND.032
2010-03-06 05:37 . 2010-03-06 05:37 -------- d-----w- c:\documents and settings\Gwilym\Local Settings\Application Data\{FA88295D-FBF9-463E-AF20-2A6A4AB50226}
2010-03-06 05:36 . 2010-03-06 05:36 -------- d-----w- c:\documents and settings\Gwilym\Application Data\WTablet
2010-03-04 06:51 . 2010-03-04 06:51 -------- d-----w- C:\FOUND.031
2010-03-04 06:14 . 2010-03-04 06:14 -------- d-----w- C:\FOUND.030
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 08:37 . 2007-07-24 15:31 2202 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-03-20 18:40 . 2008-08-26 17:27 41 ----a-w- c:\documents and settings\Dilwyn\jagex_runescape_preferences.dat
2010-02-24 21:20 . 2010-02-24 21:20 -------- d-----w- c:\documents and settings\Dilwyn\Application Data\Acoustica
2010-02-24 21:13 . 2010-02-24 21:13 -------- d-----w- c:\program files\Acoustica Shared Effects
2010-02-24 21:02 . 2010-02-24 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Acoustica
2010-02-24 21:02 . 2010-02-24 21:02 -------- d-----w- c:\program files\Acoustica Mixcraft 5
2010-02-12 09:03 . 2010-02-24 09:58 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-08 21:34 . 2009-01-06 17:35 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-27 21:13 . 2010-01-27 21:13 -------- d-----w- c:\program files\iTunes
2010-01-27 21:13 . 2010-01-27 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-07 15:07 . 2008-09-08 21:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07 . 2008-09-08 21:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 12:22 . 2004-10-31 17:20 106320 ----a-w- c:\documents and settings\Dilwyn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 15:50 . 2004-01-22 21:53 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-01-06 19:24 . 2009-01-06 19:24 742 ----a-w- c:\program files\bkfch.txt
2008-10-25 13:58 . 2008-10-25 13:58 604 ---ha-w- c:\program files\STLL Notifier
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-06-11 4608]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-07 05:39 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 07:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AudioDeck.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AudioDeck.lnk
backup=c:\windows\pss\AudioDeck.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
backup=c:\windows\pss\Belkin Wireless USB Utility.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk
backup=c:\windows\pss\QuickTV.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Dilwyn^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Dilwyn\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
2005-07-25 08:05 1896448 ----a-w- c:\garmin\gStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 12:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 15:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
2003-08-19 14:43 57344 ----a-w- c:\program files\Lexmark X1100 Series\lxbkbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-06-08 13:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2005-06-08 14:24 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2005-06-08 14:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-07-19 16:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-05-10 15:04 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2005-05-10 15:04 110592 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-09-17 00:07 8491008 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-09-17 00:07 81920 ----a-w- c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 22:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2006-05-31 17:42 1003520 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
2008-03-16 09:29 577540 ----a-w- c:\program files\NCH Swift Sound\Recordpad\recordpad.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2005-10-26 15:17 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
2004-01-26 10:38 866816 ----a-w- c:\program files\Thomson\SpeedTouch USB\dragdiag.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SupaDial]
2003-08-26 15:40 286720 ----a-w- c:\program files\SupaDial\SupaDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\LEXPPS.EXE"=
"c:\\Program Files\\THQ\\Dawn of War\\W40k.exe"=
"c:\\Program Files\\Real\\RealPlayer\\REALPLAY.EXE"=
"c:\\WINDOWS\\System32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\WS_FTP\\ws_ftp95.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\BlueByte\\The Settlers IV\\Exe\\S4_Main.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\trueplay.exe"=
"c:\\Program Files\\YVD\\YGO Virtual Desktop V086.exe"=
"c:\\Program Files\\YVD\\n00b-IRC.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"f:\\Rhys\\redshark.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\BIN\\javaw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\DSGameMaker\\DSGameMaker.exe"=
"c:\\WINDOWS\\System32\\javaws.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\BIN\\javaws.exe"=
"f:\\Rhys\\Desmume_build_2810_x86_x64\\Desmume build 2810 x86 x64\\Desmume-r2810\\DeSmuME_VS2008.exe"=
"f:\\Rhys\\Desmume_build_2810_x86_x64\\Desmume build 2810 x86 x64\\Desmume-r2810\\DeSmuME_VS2008_sse2.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"f:\\Rhys\\Battle for Middle Earth\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27383:UDP"= 27383:UDP:axeurus
"990:TCP"= 990:TCP:activsync
"999:TCP"= 999:TCP:activesync
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/05/2008 13:09 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/05/2008 13:09 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [28/05/2008 10:33 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/05/2008 10:33 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [04/07/2008 09:36 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/07/2008 09:36 297752]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [20/08/2008 11:36 1373480]
R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [02/08/2004 15:52 34880]
S3 ewdmaudn;ewdmaudn;\??\c:\docume~1\Rhys\LOCALS~1\Temp\ewdmaudn.sys --> c:\docume~1\Rhys\LOCALS~1\Temp\ewdmaudn.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [28/12/2008 18:16 1527900]
S3 ntportio;ntportio;\??\c:\documents and settings\All Users\Documents\usb smart semctool\ntportio.sys --> c:\documents and settings\All Users\Documents\usb smart semctool\ntportio.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/05/2008 10:33 7408]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\i:\ntglm7x.sys --> i:\NTGLM7X.sys [?]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [02/08/2004 21:56 3351]
.
Contents of the 'Scheduled Tasks' folder
2010-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
mWindow Title = Supanet Internet Explorer
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: autoregister.net\autoreg
Trusted Zone: gov.uk\secure.vebus.defra
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-28 16:00
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-3379260615-2782345078-1053136719-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-3379260615-2782345078-1053136719-1006\Software\SecuROM\License information*]
"datasecu"=hex:fc,e3,b9,50,27,28,30,bc,d8,f1,37,14,44,9e,09,5e,f9,32,dd,bf,50,
e9,b2,c7,47,af,9d,1f,9a,81,e5,db,b0,bb,cf,97,77,f7,64,cb,e5,09,a0,c7,f2,44,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(876)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-03-28 16:05:04
ComboFix-quarantined-files.txt 2010-03-28 15:05
ComboFix2.txt 2010-03-28 10:10
Pre-Run: 10,922,688,512 bytes free
Post-Run: 10,990,419,968 bytes free
- - End Of File - - 40A12F0C1A6655A4C54274EFDAE3C6F80 -
Download and run the FREE version of DR WEB
http://www.freedrweb.com/download+cureit/gr/
Turn your anti virus OFF
Click CANCEL to the 'Would you like to read purchase terms now?' message
Click START click OK
It will auto QUICK scan
After that set to scan the WHOLE computer and press the 'play' icon
***DO NOT UPGRADE TO FULL VERSION***

Computer 2, Download and run the FREE version of DR WEB
After that set to scan the WHOLE computer and press the 'play' icon
***DO NOT UPGRADE TO FULL VERSION***
The results are as follows after about 36hrs of scanning!
Do I cure, rename, move or delete these?
22eed609-1211da30\myf/y/AppletX.class;C:\Documents and Settings\Dilwyn\Application Data\Sun\Java\Deployment\cache\6.0\9\22eed609-1211da30;Exploit.CVE2008.5353;;
22eed609-1211da30\myf/y/LoaderX.class;C:\Documents and Settings\Dilwyn\Application Data\Sun\Java\Deployment\cache\6.0\9\22eed609-1211da30;Exploit.CVE2008.5353;;
22eed609-1211da30\myf/y/PayloadX.class;C:\Documents and Settings\Dilwyn\Application Data\Sun\Java\Deployment\cache\6.0\9\22eed609-1211da30;Exploit.CVE2008.5353;;
22eed609-1211da30;C:\Documents and Settings\Dilwyn\Application Data\Sun\Java\Deployment\cache\6.0\9;Archive contains infected objects;Moved.;
A0351901.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP1799\A0351901.exe;Tool.Prockill;;
A0351901.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP1799\A0351901.exe;Tool.ShutDown.14;;
A0351901.exe;C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP1799;Archive contains infected objects;Moved.;
A0352034.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP1799\A0352034.exe;Tool.Prockill;;
A0352034.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP1799\A0352034.exe;Tool.ShutDown.14;;
A0352034.exe;C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP1799;Archive contains infected objects;Moved.;
A0352104.exe;C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP1799;Tool.Prockill;;
A0352106.exe;C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP1799;Tool.ShutDown.14;;
A0352122.exe;C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP1799;Tool.Prockill;;
A0352124.exe;C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP1799;Tool.ShutDown.14;;
FILE0004.CHK;C:\Recycled\Dc15.013;Trojan.Packed.365;Incurable.Moved.;
tbr_dll.dll;F:\Rhys\TGB_Dual_7\devices;Trojan.Click.43327;Incurable.Moved.;
adobe-master-cs4-keygen.exe/adobe-master-cs4-keygen.exe\installscashCrypt.exe;F:\Rhys\Adobe CS4 Master Collection Keygen~!\adobe-master-cs4-keygen.exe/adobe-master-cs4-keygen.exe;Trojan.Siggen.42666;;
adobe-master-cs4-keygen.exe;F:\Rhys\Adobe CS4 Master Collection Keygen~!;Archive contains infected objects;;
adobe-master-cs4-keygen.exe\l14.exe;F:\Rhys\Adobe CS4 Master Collection Keygen~!\adobe-master-cs4-keygen.exe;Trojan.DownLoad1.37727;;
adobe-master-cs4-keygen.exe;F:\Rhys\Adobe CS4 Master Collection Keygen~!;Archive contains infected objects;Moved.;
setup.exe\data097;F:\Rhys\My Documents\War-Lordz\setup.exe;Modification of BackDoor.Generic.53;;
setup.exe;F:\Rhys\My Documents\War-Lordz;Container contains infected objects;Moved.;

MOVING is always best bet