
FAO aliEnRIK. ComboFix Log after rootkit cleaned, thank you for looking.

Following a recent rootkit virus, here follows my log file from ComboFix.
Thank you for your time.

:o I hope this won't be too difficult.

It's deleting files at the moment :o

I hope it looks worse than it is :eek:

Now re-booting...
This does take a while....

Comments

  • :o OK THIS LOOKS SERIOUS

    following a forced reboot by ComboFix

    it's just hanging on the screen with the Microsoft Windows XP flag..
    the blue bars underneath aren't moving...
  • GunJack
    give it a chance, it can take a while...
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • Windows-XP-splash-screen.jpg
    this is the screen it's hanging on..
    the blue bars are static...
    and the HD light on my tower is showing no activity...
    At least 10 minutes like this now..
  • aliEnRIK
    Pull the power and reboot
    :idea:
  • I wanted to do that but was scared...

    Looks like it has booted OK this time, just preparing Log Report
  • Still preparing log report...
    10 minutes now...

    Perhaps I am just too impatient :o

    Woohoo....
    Looks like it's nearly done...
    Just told me where the report will be...
  • ComboFix 11-02-28.02 - Dave 28/02/2011 22:11:15.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1918.1248 [GMT 0:00]
    Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Dave\Application Data\uid_pal
    c:\documents and settings\Dave\Local Settings\Application Data\{1A06AD2F-41A4-4492-81AB-D4E5A6EB61E9}
    c:\documents and settings\Dave\Local Settings\Application Data\{1A06AD2F-41A4-4492-81AB-D4E5A6EB61E9}\chrome.manifest
    c:\documents and settings\Dave\Local Settings\Application Data\{1A06AD2F-41A4-4492-81AB-D4E5A6EB61E9}\chrome\content\_cfg.js
    c:\documents and settings\Dave\Local Settings\Application Data\{1A06AD2F-41A4-4492-81AB-D4E5A6EB61E9}\chrome\content\overlay.xul
    c:\documents and settings\Dave\Local Settings\Application Data\{1A06AD2F-41A4-4492-81AB-D4E5A6EB61E9}\install.rdf
    c:\program files\WinPCap
    c:\program files\WinPCap\daemon_mgm.exe
    c:\program files\WinPCap\npf_mgm.exe
    c:\program files\WinPCap\rpcapd.exe
    c:\windows\system32\drivers\hwinterface.sys
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\dumphive.exe
    c:\windows\system32\kbiwkmlog.dat
    c:\windows\system32\Packet.dll
    c:\windows\system32\Process.exe
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\tmp.reg
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\WanPacket.dll
    c:\windows\system32\winlogon.bak
    c:\windows\system32\wpcap.dll
    c:\windows\system32\WS2Fix.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\system32\dllcache\winlogon.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \Legacy_NPF
    \Service_npf
    \Legacy_hwinterface
    \Service_hwinterface

    ((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 )))))))))))))))))))))))))))))))
    .
    2011-02-28 21:10 . 2011-02-28 21:10 d-----w- c:\program files\Sophos
    2011-02-27 20:16 . 2011-02-27 22:11 d-----w- c:\documents and settings\All Users\Application Data\eJiJlLb06308
    2011-02-23 22:25 . 2011-02-23 14:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-02-22 19:09 . 2011-02-22 19:10 d-----w- c:\documents and settings\Dave\Application Data\DVDVideoSoft
    2011-02-08 23:16 . 2011-02-08 23:16 292240 ---ha-r- c:\windows\system32\cpnprtuk.cid
    2011-02-08 23:16 . 2011-02-08 23:16 398744 ---ha-r- c:\windows\system32\cpnprt2.cid
    2011-02-08 23:16 . 2011-02-08 23:16 d-----w- c:\windows\Cache
    2011-02-08 23:16 . 2011-02-08 23:24 d-----w- c:\program files\Coupon Printer
    2011-02-08 23:16 . 2011-02-08 23:16 31 ---ha-w- c:\windows\UKCpInfo.sys
    2011-02-07 19:08 . 2011-02-07 19:08 0 ----a-w- c:\windows\Wtimesofihutafu.bin
    2011-02-07 19:06 . 2011-02-07 19:46 d-----w- c:\documents and settings\All Users\Application Data\pMjHnAb08514
    2011-01-30 14:57 . 2011-01-30 14:57 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 15:04 . 2010-06-29 16:45 40648 ----a-w- c:\windows\avastSS.scr
    2011-02-23 15:04 . 2010-04-05 13:00 190016 ----a-w- c:\windows\system32\aswBoot.exe
    2011-02-23 14:56 . 2010-04-05 13:01 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-02-23 14:55 . 2010-04-05 13:01 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-02-23 14:55 . 2010-04-05 13:01 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-02-23 14:55 . 2010-04-05 13:01 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-02-23 14:55 . 2010-04-05 13:01 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-02-23 14:54 . 2010-04-05 13:00 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-02-23 14:54 . 2010-04-05 13:01 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-01-21 14:44 . 2005-04-25 23:05 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2005-04-25 23:05 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2005-04-25 23:06 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2005-04-25 23:05 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2005-04-25 23:06 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2005-04-25 23:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2005-04-25 23:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 18:09 . 2008-10-20 22:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2008-10-20 22:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-20 17:26 . 2005-04-25 23:05 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2005-04-25 23:05 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2005-04-25 23:05 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2005-04-25 23:05 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:38 . 2005-04-25 23:05 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2004-08-04 05:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
  • ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 15:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 524288]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-04-16 16143872]
    "CHotkey"="zHotkey.exe" [2004-12-08 550912]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Down2Home.lnk - c:\program files\Down2Home\Down2Home.exe [2003-3-11 307200]
    Kodak EasyShare software.lnk.disabled [2008-11-10 1837]
    Stickies.lnk - c:\program files\stickies\stickies.exe [2010-3-26 1101824]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ ??????
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
    2010-11-14 20:36 233936 ----a-w- c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-10-02 07:45 136176 ----atw- c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2010-08-24 09:38 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe"
    "AdobeUpdater6"="c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe"
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [20/08/2009 22:18 28544]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [23/02/2011 22:25 371544]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [05/04/2010 13:01 301528]
    R1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [20/11/2006 23:03 13440]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [05/04/2010 13:01 19544]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/08/2010 09:38 92008]
    R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [20/11/2006 23:03 207872]
    R3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [20/11/2006 23:03 320512]
    R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [20/11/2006 23:03 75904]
    R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [20/11/2006 23:03 396032]
    R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [20/11/2006 23:06 17792]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
    S3 CYUSB;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [16/01/2009 19:12 38144]
    S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [17/01/2007 21:18 380928]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [25/04/2005 23:06 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    2011-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1444691231-1327899234-483227007-1007Core.job
    - c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-02 07:45]
    2011-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1444691231-1327899234-483227007-1007UA.job
    - c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-02 07:45]

  • Supplementary Scan
    .
    uStart Page = hxxp://www.virginmedia.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_GB&Sys=DTP&M=E3042
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Free YouTube Download - c:\documents and settings\Dave\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
    IE: Free YouTube to MP3 Converter - c:\documents and settings\Dave\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
    .
    - - - - ORPHANS REMOVED - - - -
    URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    SafeBoot-AVG Anti-Spyware Driver
    SafeBoot-AVG Anti-Spyware Guard
    MSConfigStartUp-Fcehibotaxaro - c:\windows\umojihum.dll
    MSConfigStartUp-ISW - c:\program files\CheckPoint\ZAForceField\ForceField.exe
    MSConfigStartUp-pgcywgno - c:\docume~1\Dave\LOCALS~1\Temp\rwphvgjdd\qgjhmumsika.exe
    MSConfigStartUp-pMjHnAb08514 - c:\documents and settings\All Users\Application Data\pMjHnAb08514\pMjHnAb08514.exe
    MSConfigStartUp-Qfujovavoxo - c:\windows\iespite.dll
    MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-28 22:48
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...

    c:\docume~1\Dave\LOCALS~1\Temp\JET852A.tmp
    C:\## aswSnx private storage
    scan completed successfully
    hidden files: 2
    **************************************************************************
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\1.tmp"
    .
    LOCKED REGISTRY KEYS
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(776)
    c:\windows\system32\Ati2evxx.dll
    - - - - - - - > 'explorer.exe'(2676)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Ahead\InCD\InCDsrv.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Virgin Broadband Wireless\AffinegyService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
    c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\windows\RTHDCPL.EXE
    c:\windows\zHotkey.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\Virgin Broadband Wireless\ndis_events.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    c:\program files\Windows Live\Contacts\wlcomm.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-28 22:59:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-28 22:59
    ComboFix2.txt 2008-10-21 19:56
    Pre-Run: 46,508,306,432 bytes free
    Post-Run: 46,400,995,328 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - EBB23ED1F60AD79613F3F01E1F4470D3
  • aliEnRIK
    Your computer is seriously infected

    I would advise backing up any important files (take into consideration they could well be infected themselves), formatting and reinstalling Windows

    If you wish to go on -

    Run this Kaspersky rootkit killer -
    http://support.kaspersky.com/viruses/solutions?qid=208280684


    Open notepad and copy/paste the text in RED below

    File::
    c:\windows\system32\cpnprtuk.cid
    c:\windows\system32\cpnprt2.cid
    c:\windows\Wtimesofihutafu.bin
    c:\windows\UKCpInfo.sys
    c:\docume~1\Dave\LOCALS~1\Temp\JET852A.tmp

    Dirlook::
    c:\documents and settings\All Users\Application Data\pMjHnAb08514


    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    CFScript.gif


    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply

    ComboFix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg, then ComboFix should continue.



    :idea: