
Oh, what's going on with computer??!!


Comments

  • rome1067
    rome1067 Posts: 192 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    When I go on tools to disable the BHOs the only one that looks remotely similar is Yahoo Companion BHO and that is already disabled.

    Could I tick them on the hijack this scan and click "fix"?

    What is a rootkit? Is there any other way of dealing with it? The computer failure bit scares me!
  • rome1067
    rome1067 Posts: 192 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Yesterday I did notice two new icons on my desktop: one is Browser Choice and the other was Data Protection. The Data Protection one has now gone but the other one is still there. Are they linked at all?
  • GunJack
    GunJack Posts: 11,829 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    Rootkit activity really needs ComboFix to sort out, as browntoa suggested earlier. It may look scary to a novice, but it's not that bad.

    Oh, and Microsoft Security Essentials is MS's free antivirus prog, which I assume you had installed earlier yourself... might be an idea, when you've fully cleaned your system, to get Avira instead ;)

    p.s. Browser Choice is a Windows update, enforced on Microsoft by the EU anti-competition ruling... this is annoying but normal :)
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • rome1067
    rome1067 Posts: 192 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    OK, I'm gonna try the combo thing, wish me luck ;)
  • GunJack
    GunJack Posts: 11,829 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    just be patient and you'll be ok :)
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • rome1067
    rome1067 Posts: 192 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    That wasn't bad at all!! Here is the log:

    ComboFix 10-05-21.06 - manager 22/05/2010 8:53.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.627 [GMT 1:00]
    Running from: c:\documents and settings\manager\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *On-access scanning disabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\manager\Application Data\inst.exe
    c:\documents and settings\manager\Local Settings\Application Data\{1FE2A3E4-8656-4CC9-BDA2-27DE1A407AF2}
    c:\documents and settings\manager\Local Settings\Application Data\{1FE2A3E4-8656-4CC9-BDA2-27DE1A407AF2}\chrome\content\_cfg.js
    c:\documents and settings\manager\Local Settings\Application Data\{1FE2A3E4-8656-4CC9-BDA2-27DE1A407AF2}\chrome\content\overlay.xul
    c:\documents and settings\manager\Local Settings\Application Data\{1FE2A3E4-8656-4CC9-BDA2-27DE1A407AF2}\install.rdf
    c:\windows\system32\drivers\stefn.sys
    c:\windows\system32\pragmasrcr.dat
    c:\windows\system32\VB40032.DLL
    Infected copy of c:\windows\system32\drivers\kbdclass.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \Legacy_ykgyyr
    \Service_ykgyyr

    ((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
    .
    2010-05-21 10:39 . 2010-05-21 10:39 31 ----a-w- C:\troj000.exe
    2010-05-21 10:39 . 2010-05-21 10:39 31 ----a-w- C:\spam003.exe
    2010-05-21 10:39 . 2010-05-21 10:39 31 ----a-w- C:\spam001.exe
    2010-05-21 08:54 . 2010-05-21 08:54 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
    2010-05-21 08:53 . 2010-05-21 08:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-05-21 07:31 . 2010-05-21 07:31 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-05-20 20:20 . 2010-05-20 20:20 -------- d-----w- c:\windows\system32\config\systemprofile\IECompatCache
    2010-04-25 10:59 . 2010-04-25 10:59 46124 ---ha-w- c:\windows\system32\mlfcache.dat
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-22 08:05 . 2009-04-24 23:28 117760 ----a-w- c:\documents and settings\manager\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-05-21 20:23 . 2008-07-23 13:06 -------- d-----w- c:\documents and settings\manager\Application Data\Ucedl
    2010-05-21 19:07 . 2010-03-04 17:12 439816 ----a-w- c:\documents and settings\manager\Application Data\Real\Update\setup3.10\setup.exe
    2010-05-21 19:06 . 2007-03-26 19:19 -------- d-----w- c:\program files\palmOne
    2010-05-21 11:16 . 2010-02-05 17:55 52224 ----a-w- c:\documents and settings\manager\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-05-21 08:36 . 2009-04-24 15:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-21 08:19 . 2008-10-27 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-05-20 22:44 . 2008-12-20 18:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-05-20 22:11 . 2007-03-30 12:42 -------- d-----w- c:\program files\BitComet
    2010-05-20 20:38 . 2010-05-20 20:38 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\qvjsge.dat
    2010-05-20 19:58 . 2010-05-20 19:57 20 ----a-w- c:\documents and settings\LocalService\Application Data\qvjsge.dat
    2010-05-18 01:58 . 2005-12-17 00:49 -------- d-----w- c:\program files\Google
    2010-05-06 09:36 . 2010-02-17 18:57 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-04-29 14:39 . 2009-04-24 15:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 14:39 . 2009-04-24 15:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-05 14:28 . 2005-12-16 23:03 -------- d-----w- c:\program files\Tesconet
    2010-04-02 12:59 . 2010-04-02 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SweetIM
    2010-04-02 12:59 . 2010-04-02 12:59 -------- d-----w- c:\program files\SweetIM
    2010-03-29 09:50 . 2010-03-29 09:50 1036288 ----a-w- c:\documents and settings\manager\Application Data\Mozilla\Firefox\Profiles\ksv9zr5c.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
    2010-03-18 18:49 . 2005-12-16 22:04 59896 ----a-w- c:\documents and settings\manager\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-11 03:19 . 2010-03-11 03:19 339968 ----a-w- c:\windows\system32\RapportBuka.dll
    2010-03-10 06:15 . 2005-11-17 16:54 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-05 01:13 . 2010-03-05 01:13 79368 ----a-w- c:\documents and settings\manager\Application Data\Real\Update\setup3.10\RUP\vista.exe
    2010-03-05 01:13 . 2010-03-05 01:13 64000 ----a-w- c:\documents and settings\manager\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
    2010-03-05 01:13 . 2010-03-05 01:13 52288 ----a-w- c:\documents and settings\manager\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
    2010-03-05 01:13 . 2010-03-05 01:13 50688 ----a-w- c:\documents and settings\manager\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
    2010-03-05 01:13 . 2010-03-05 01:13 49152 ----a-w- c:\documents and settings\manager\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
    2010-03-05 01:13 . 2010-03-05 01:13 118784 ----a-w- c:\documents and settings\manager\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
    2010-02-26 07:45 . 2010-02-26 07:45 390528 ----a-w- c:\windows\system32\drivers\RapportBuka.sys
    2010-02-26 07:45 . 2010-02-26 07:45 390528 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBuka.sys
    2010-02-26 07:45 . 2010-02-26 07:45 249856 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBukaBroom.dll
    2010-02-25 06:24 . 2005-11-17 16:54 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 13:11 . 2005-11-17 16:54 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2009-11-12 16:33 . 2009-11-12 16:33 294688 ----a-w- c:\program files\iTunesOutlookAddIn.dll
    2009-11-12 16:33 . 2009-11-12 16:33 292640 ----a-w- c:\program files\iTunesPhotoProcessor.exe
    2009-11-12 16:33 . 2009-11-12 16:33 384800 ----a-w- c:\program files\iTunesAdmin.dll
    2009-11-12 16:33 . 2009-11-12 16:33 211232 ----a-w- c:\program files\iTunesHelper.dll
    2009-11-12 16:33 . 2009-11-12 16:33 141600 ----a-w- c:\program files\iTunesHelper.exe
    2009-11-12 16:33 . 2009-11-12 16:33 124192 ----a-w- c:\program files\iTunesMiniPlayer.dll
    2009-11-12 16:33 . 2009-11-12 16:33 10358048 ----a-w- c:\program files\iTunes.exe
    2009-11-12 16:33 . 2009-11-12 16:33 722160 ----a-w- c:\program files\CDDBControlApple.dll
    2009-11-12 16:33 . 2009-11-12 16:33 648480 ----a-w- c:\program files\iPodUpdaterExt.dll
    2009-11-12 16:33 . 2009-11-12 16:33 14769448 ----a-w- c:\program files\iTunes.dll
    2009-11-12 16:33 . 2009-11-12 16:33 111912 ----a-w- c:\program files\ITDetector.ocx
    2009-11-12 16:32 . 2009-11-12 16:32 59083 ----a-w- c:\program files\Acknowledgements.rtf
    2007-08-20 18:52 . 2007-08-20 18:51 942080 ----a-w- c:\program files\chkwin13.exe
    2007-08-20 18:15 . 2007-08-20 18:15 160235 ----a-w- c:\program files\AMCheckers.exe
    2007-03-30 13:06 . 2007-03-30 13:06 28515 ------w- c:\program files\[TorrentReactor[1].to] - 24.S06E10.HDTV.XviD-XOR [eztv].torrent
    2007-03-30 12:28 . 2007-03-30 12:24 5653833 ------w- c:\program files\BitComet_0.83_setup.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2009-10-19 187192]
    [HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    2009-10-19 15:15 1345336 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]
    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-10-19 1345336]
    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-25 68856]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
    "{E7F2EABD-B684-668C-AC66-EB39DC075522}"="c:\documents and settings\manager\Application Data\Nyompe\imuf.exe" [2007-01-14 133693]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-18 30192]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-17 180269]
    "PCSuiteTrayApplication"="c:\documents and settings\manager\Desktop\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
    "SS_MW"="c:\program files\Radica\Stylin' Studio\SS_MW.exe" [2008-04-25 524288]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
    "SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2010-02-24 111928]
    "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "Nokia.PCSync"="c:\documents and settings\manager\Desktop\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-5-20 151552]
    Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-5-20 106496]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
    backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
    backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^manager^Start Menu^Programs^Startup^HotSync Manager.LNK]
    path=c:\documents and settings\manager\Start Menu\Programs\Startup\HotSync Manager.LNK
    backup=c:\windows\pss\HotSync Manager.LNKStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 16:43 69632 ----a-w- c:\windows\ALCMTR.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
    2005-09-21 13:32 2807808 ----a-w- c:\windows\ALCWZRD.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
    2003-06-02 18:25 270336 ----a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX7400 Series]
    2007-04-12 06:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICDE.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2009-11-18 08:25 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    2005-01-07 16:07 61952 ------w- c:\windows\system32\HdAShCut.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 16:33 141600 ----a-w- c:\program files\iTunesHelper.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBBalloon]
    2006-12-15 10:45 787096 ----a-w- c:\program files\HOTALBUMMyBOX\MBBalloon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2005-08-31 19:27 1658592 ----a-w- c:\progra~1\MESSEN~1\Msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
    2006-11-01 19:07 1003520 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2005-09-21 08:24 86016 ----a-w- c:\windows\SOUNDMAN.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
    2004-01-26 11:38 866816 ----a-w- c:\program files\Thomson\SpeedTouch USB\dragdiag.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STManager]
    2003-10-16 13:25 118784 ------w- c:\program files\SpeedTouch\Dr SpeedTouch\drst.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-02-13 11:53 32881 ----a-w- c:\program files\Java\j2re1.4.2_11\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2005-12-17 00:48 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\Msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Documents and Settings\\manager\\My Documents\\Update Service\\Update Service.exe"=
    "c:\\3D Home Designer\\Program\\ArCon.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\BitComet\\BitComet.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10846:TCP"= 10846:TCP:BitComet 10846 TCP
    "10846:UDP"= 10846:UDP:BitComet 10846 UDP
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [15/09/2007 11:23 15172]
    R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [26/02/2010 08:45 390528]
    R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [25/02/2010 17:26 58984]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [25/02/2010 17:26 108904]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/03/2009 14:07 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/03/2009 14:07 72944]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/03/2009 14:07 7408]
    R3 SIS163u;SiS163 usb Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [17/11/2005 18:00 215040]
    S2 gupdate1ca1c2af8964122;Google Update Service (gupdate1ca1c2af8964122);c:\program files\Google\Update\GoogleUpdate.exe [13/08/2009 16:29 133104]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [25/02/2010 17:25 779496]
    S3 bfastfao;bfastfao;\??\c:\docume~1\manager\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\manager\LOCALS~1\Temp\bfastfao.sys [?]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [05/04/2008 19:48 13352]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [17/12/2005 01:55 30192]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    2010-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-13 15:29]
    2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-13 15:29]
    2010-05-22 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 18:02]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.tesco.net/
    mStart Page = hxxp://home.sweetim.com
    uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    uInternet Settings,ProxyOverride = *.local;<local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
    Trusted Zone: bitcomet.com\www
    Trusted Zone: tesco.net\memberservices
    Trusted Zone: tesco.net\register
    DPF: NTLSignup - hxxps://register.tesco.net/tesco/NTLSignup.cab
    DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://homebase.2020.net/Core/Player/2020PlayerAX_Win32.cab
    FF - ProfilePath - c:\documents and settings\manager\Application Data\Mozilla\Firefox\Profiles\ksv9zr5c.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
    FF - prefs.js: browser.search.selectedEngine - SweetIM Search
    FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
    FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
    FF - component: c:\documents and settings\manager\Application Data\Mozilla\Firefox\Profiles\ksv9zr5c.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_11\bin\NPJPI142_11.dll
    FF - plugin: c:\program files\Mozilla Plugins\npitunes.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -
    Toolbar-Locked - (no file)
    HKCU-Run-Yahoo! Pager - ~c:\program files\Yahoo!\Messenger\ypager.exe
    HKCU-Run-Data Protection - c:\program files\Data Protection\datprot.exe
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
    MSConfigStartUp-CaAvTray - c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    MSConfigStartUp-CAVRID - c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    MSConfigStartUp-dcsm - c:\program files\Common Files\DriveCleaner Free\dcsm.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    MSConfigStartUp-Zone Labs Client - c:\program files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-22 09:04
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...

    c:\windows\system32\wbem\Performance\WmiApRpl_new.h 835 bytes
    scan completed successfully
    hidden files: 1
    **************************************************************************
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(872)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    - - - - - - - > 'explorer.exe'(6720)
    c:\windows\system32\WININET.dll
    c:\program files\SweetIM\Messenger\mgAdaptersProxy.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\documents and settings\manager\Desktop\Nokia PC Suite 6\PhoneBrowser.dll
    c:\documents and settings\manager\Desktop\Nokia PC Suite 6\PCSCM.dll
    c:\windows\system32\MSVCP71.dll
    c:\documents and settings\manager\Desktop\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
    c:\documents and settings\manager\Desktop\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Microsoft Security Essentials\MsMpEng.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    .
    **************************************************************************
    .
  • rome1067
    rome1067 Posts: 192 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Completion time: 2010-05-22 09:10:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-22 08:09
    Pre-Run: 179,687,575,552 bytes free
    Post-Run: 180,968,402,944 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    - - End Of File - - D1B485C992F6C220F78564B1D1E1D4C6
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    If you can, uninstall SWEET IM (everything associated with it).

    TICK and FIX these in HijackThis ~
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.27.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
    O4 - HKCU\..\Run: [Data Protection] "C:\Program Files\Data Protection\datprot.exe" -noscan
    O4 - HKCU\..\Run: [{E7F2EABD-B684-668C-AC66-EB39DC075522}] "C:\Documents and Settings\manager\Application Data\Nyompe\imuf.exe"
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.27.dll/206 (file missing)
    :idea:
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Open Firefox, and remove the BITCOMET add-on. Same with Internet Explorer if you haven't already.


    Download CCLEANER
    http://www.piriform.com/ccleaner/download/slim
    Run the CLEANER scan (UNTICK 'cookies')
    Then run the REGISTRY scan (Backup the registry when it asks)


    Open notepad and copy/paste the text in RED below

    File::
    C:\troj000.exe
    C:\spam003.exe
    C:\spam001.exe
    c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
    c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    c:\program files\SweetIM\Messenger\SweetIM.exe

    Folder::
    c:\program files\SweetIM

    Registry::
    [HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]




    Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    [screenshot: CFScript.gif]


    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

    ComboFix should never take more than 30 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; then ComboFix should continue.


    ............................................................................

    Open malwarebytes
    Go to MORE TOOLS
    then RUN TOOL

    Find and remove this file using the Malwarebytes tool ~
    c:\docume~1\manager\LOCALS~1\Temp\bfastfao.sys
    :idea:
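A triage helper for a log like the one rome1067 posted, added here as an example and not part of the thread, of ComboFix or of HijackThis: it parses the "Files Created" entries, the Run keys and the driver/service lines in the ComboFix layout shown above and flags the kinds of entry aliEnRIK singled out (tiny executables dropped in the drive root, a GUID-named Run value pointing into Application Data, a driver loading from Temp). The flagging rules and the sample lines are this example's own assumptions; a hit is a candidate for a closer look, not a verdict.

```python
import re

# Constructed sample: a few lines modelled on the ComboFix log posted in the thread,
# with one or two entries for each section type this example understands.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.
2010-05-21 10:39 . 2010-05-21 10:39 31 ----a-w- C:\troj000.exe
2010-05-21 10:39 . 2010-05-21 10:39 31 ----a-w- C:\spam001.exe
2010-05-21 08:54 . 2010-05-21 08:54 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-25 10:59 . 2010-04-25 10:59 46124 ---ha-w- c:\windows\system32\mlfcache.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-25 68856]
"{E7F2EABD-B684-668C-AC66-EB39DC075522}"="c:\documents and settings\manager\Application Data\Nyompe\imuf.exe" [2007-01-14 133693]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/03/2009 14:07 9968]
S3 bfastfao;bfastfao;\??\c:\docume~1\manager\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\manager\LOCALS~1\Temp\bfastfao.sys [?]
"""

# Line layouts as they appear in the log (fields separated by single spaces).
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>[\w-]{8}) (?P<path>.+)$"
)
RUN_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]*\\Run)\]$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\S+) (?P<size>\d+)\]$')
SERVICE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+) \[(?P<info>[^\]]*)\]$")

# Heuristics (this example's own assumptions, not rules ComboFix or the thread states).
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")   # Run values named only by a GUID
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)  # e.g. C:\troj000.exe
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
MIN_PLAUSIBLE_PE = 64  # a PE image starts with a 64-byte MZ header; anything smaller cannot load


def _is_executable(path):
    return path.lower().endswith(EXEC_EXT)


def _in_profile_or_temp(path):
    p = path.lower()
    return "\\application data\\" in p or "\\temp\\" in p


def triage(log_text):
    """Return (kind, path, reason) tuples for entries worth a closer look."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_KEY.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = RUN_VALUE.match(line)
        if m and current_key:
            name, path = m.group("name"), m.group("path")
            if GUID_NAME.match(name):
                findings.append(("run", path, "Run value named with a bare GUID under " + current_key))
            if _in_profile_or_temp(path):
                findings.append(("run", path, "autorun image under user profile data or Temp"))
            continue
        m = SERVICE.match(line)
        if m:
            image = m.group("image").split(" --> ")[-1]  # use the resolved path when one is shown
            if _in_profile_or_temp(image):
                findings.append(("service", image, m.group("start") + " driver/service image in profile data or Temp"))
            continue
        m = FILE_LINE.match(line)
        if m:
            path, size, attrs = m.group("path"), m.group("size"), m.group("attrs")
            if attrs.startswith("d") or not _is_executable(path):
                continue  # directories and data files are outside these rules
            if DRIVE_ROOT.match(path):
                findings.append(("file", path, "executable created directly in the drive root"))
            if size.isdigit() and int(size) < MIN_PLAUSIBLE_PE:
                findings.append(("file", path, size + "-byte executable is too small to be a valid PE"))
    return findings


def flagged_paths(log_text):
    """Distinct paths that triage() flagged, sorted for stable output."""
    return sorted({path for _, path, _ in triage(log_text)})


if __name__ == "__main__":
    for kind, path, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {path}: {reason}")
```

On the sample above it flags the two 31-byte root executables, the GUID-named Nyompe Run value and the bfastfao.sys driver in Temp, and leaves the Google, MSE and SUPERAntiSpyware entries alone.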
  • rome1067
    rome1067 Posts: 192 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Done the first bit; this line wasn't showing in HijackThis:

    O4 - HKCU\..\Run: [Data Protection] "C:\Program Files\Data Protection\datprot.exe" -noscan

    When I went to Remove Programs to take SweetIM off, it came up with this message:

    Error 1704. An installation for microsoft office 2000 premium is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo the changes?

    I said don't undo as I don't know what it means, but I don't think SweetIM has been removed.