FAO aliEnRIK. ComboFix log after rootkit cleaned, thank you for looking.

rockin_plumber
Posts: 689 Forumite
in Techie Stuff
Following a recent rootkit virus, here follows my logfile from ComboFix.
Thank you for your time.
I hope this won't be too difficult.
It's deleting files at the moment.
I hope it looks worse than it is :eek:
Now re-booting...
This does take a while....
Comments
OK THIS LOOKS SERIOUS
Following a forced reboot by ComboFix,
it's just hanging on the screen with the Microsoft Windows XP flag..
the blue bars underneath aren't moving...
Give it a chance, it can take a while.........
Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
This is the screen it's hanging on..
The blue bars are static...
and the HD light on my tower is showing no activity...
At least 10 minutes like this now..
Pull the power and reboot :idea:
I wanted to do that but was scared...
Looks like it has booted OK this time, just preparing the log report
Still preparing the log report...
10 minutes now...
Perhaps I am just too impatient
Woohoo....
Looks like it's nearly done...
Just told me where the report will be...
ComboFix 11-02-28.02 - Dave 28/02/2011 22:11:15.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1918.1248 [GMT 0:00]
Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Dave\Application Data\uid_pal
c:\documents and settings\Dave\Local Settings\Application Data\{1A06AD2F-41A4-4492-81AB-D4E5A6EB61E9}
c:\documents and settings\Dave\Local Settings\Application Data\{1A06AD2F-41A4-4492-81AB-D4E5A6EB61E9}\chrome.manifest
c:\documents and settings\Dave\Local Settings\Application Data\{1A06AD2F-41A4-4492-81AB-D4E5A6EB61E9}\chrome\content\_cfg.js
c:\documents and settings\Dave\Local Settings\Application Data\{1A06AD2F-41A4-4492-81AB-D4E5A6EB61E9}\chrome\content\overlay.xul
c:\documents and settings\Dave\Local Settings\Application Data\{1A06AD2F-41A4-4492-81AB-D4E5A6EB61E9}\install.rdf
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\drivers\hwinterface.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\kbiwkmlog.dat
c:\windows\system32\Packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\winlogon.bak
c:\windows\system32\wpcap.dll
c:\windows\system32\WS2Fix.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_NPF
\Service_npf
\Legacy_hwinterface
\Service_hwinterface
((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 )))))))))))))))))))))))))))))))
.
2011-02-28 21:10 . 2011-02-28 21:10 -------- d-----w- c:\program files\Sophos
2011-02-27 20:16 . 2011-02-27 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\eJiJlLb06308
2011-02-23 22:25 . 2011-02-23 14:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-02-22 19:09 . 2011-02-22 19:10 -------- d-----w- c:\documents and settings\Dave\Application Data\DVDVideoSoft
2011-02-08 23:16 . 2011-02-08 23:16 292240 ---ha-r- c:\windows\system32\cpnprtuk.cid
2011-02-08 23:16 . 2011-02-08 23:16 398744 ---ha-r- c:\windows\system32\cpnprt2.cid
2011-02-08 23:16 . 2011-02-08 23:16 -------- d-----w- c:\windows\Cache
2011-02-08 23:16 . 2011-02-08 23:24 -------- d-----w- c:\program files\Coupon Printer
2011-02-08 23:16 . 2011-02-08 23:16 31 ---ha-w- c:\windows\UKCpInfo.sys
2011-02-07 19:08 . 2011-02-07 19:08 0 ----a-w- c:\windows\Wtimesofihutafu.bin
2011-02-07 19:06 . 2011-02-07 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\pMjHnAb08514
2011-01-30 14:57 . 2011-01-30 14:57 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-23 15:04 . 2010-06-29 16:45 40648 ----a-w- c:\windows\avastSS.scr
2011-02-23 15:04 . 2010-04-05 13:00 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-23 14:56 . 2010-04-05 13:01 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2010-04-05 13:01 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2010-04-05 13:01 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-23 14:55 . 2010-04-05 13:01 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-23 14:55 . 2010-04-05 13:01 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:54 . 2010-04-05 13:00 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-23 14:54 . 2010-04-05 13:01 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-21 14:44 . 2005-04-25 23:05 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2005-04-25 23:05 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2005-04-25 23:06 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2005-04-25 23:05 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2005-04-25 23:06 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2005-04-25 23:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2005-04-25 23:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 18:09 . 2008-10-20 22:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2008-10-20 22:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2005-04-25 23:05 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2005-04-25 23:05 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2005-04-25 23:05 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2005-04-25 23:05 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2005-04-25 23:05 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-04 05:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 524288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-16 16143872]
"CHotkey"="zHotkey.exe" [2004-12-08 550912]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Down2Home.lnk - c:\program files\Down2Home\Down2Home.exe [2003-3-11 307200]
Kodak EasyShare software.lnk.disabled [2008-11-10 1837]
Stickies.lnk - c:\program files\stickies\stickies.exe [2010-3-26 1101824]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ ??????
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2010-11-14 20:36 233936 ----a-w- c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-10-02 07:45 136176 ----atw- c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-08-24 09:38 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe"
"AdobeUpdater6"="c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe"
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [20/08/2009 22:18 28544]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [23/02/2011 22:25 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [05/04/2010 13:01 301528]
R1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [20/11/2006 23:03 13440]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [05/04/2010 13:01 19544]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/08/2010 09:38 92008]
R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [20/11/2006 23:03 207872]
R3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [20/11/2006 23:03 320512]
R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [20/11/2006 23:03 75904]
R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [20/11/2006 23:03 396032]
R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [20/11/2006 23:06 17792]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S3 CYUSB;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [16/01/2009 19:12 38144]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [17/01/2007 21:18 380928]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [25/04/2005 23:06 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
2011-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1444691231-1327899234-483227007-1007Core.job
- c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-02 07:45]
2011-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1444691231-1327899234-483227007-1007UA.job
- c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-02 07:45]
Supplementary Scan
.
uStart Page = hxxp://www.virginmedia.com/
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_GB&Sys=DTP&M=E3042
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\Dave\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\Dave\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
MSConfigStartUp-Fcehibotaxaro - c:\windows\umojihum.dll
MSConfigStartUp-ISW - c:\program files\CheckPoint\ZAForceField\ForceField.exe
MSConfigStartUp-pgcywgno - c:\docume~1\Dave\LOCALS~1\Temp\rwphvgjdd\qgjhmumsika.exe
MSConfigStartUp-pMjHnAb08514 - c:\documents and settings\All Users\Application Data\pMjHnAb08514\pMjHnAb08514.exe
MSConfigStartUp-Qfujovavoxo - c:\windows\iespite.dll
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-28 22:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\docume~1\Dave\LOCALS~1\Temp\JET852A.tmp
C:\## aswSnx private storage
scan completed successfully
hidden files: 2
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1.tmp"
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2676)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Virgin Broadband Wireless\AffinegyService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\RTHDCPL.EXE
c:\windows\zHotkey.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Virgin Broadband Wireless\ndis_events.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2011-02-28 22:59:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-28 22:59
ComboFix2.txt 2008-10-21 19:56
Pre-Run: 46,508,306,432 bytes free
Post-Run: 46,400,995,328 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - EBB23ED1F60AD79613F3F01E1F4470D3
Your computer is seriously infected.
I would advise backing up any important files (take into consideration they could well be infected themselves), formatting and reinstalling Windows.
If you wish to go on -
Run this Kaspersky rootkit killer -
http://support.kaspersky.com/viruses/solutions?qid=208280684
Open Notepad and copy/paste the text in RED below
File::
c:\windows\system32\cpnprtuk.cid
c:\windows\system32\cpnprt2.cid
c:\windows\Wtimesofihutafu.bin
c:\windows\UKCpInfo.sys
c:\docume~1\Dave\LOCALS~1\Temp\JET852A.tmp
Dirlook::
c:\documents and settings\All Users\Application Data\pMjHnAb08514
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
:idea:
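As an added example (not code from this thread, from aliEnRIK or from ComboFix's authors), a small Python parser for the log format posted above: it splits the report on its ((( title ))) banners, parses the R0/S0/S3 service lines, and flags for review the kinds of entries a responder reads first: a system file ComboFix replaced, the run of At<N>.job tasks, and a service such as MEMSWEEP2 whose image is a .tmp file that is no longer on disk. The embedded log excerpt is constructed from a handful of lines of the posted report, not the full log.

```python
import re

# Constructed excerpt modelled on the ComboFix log in this thread (a few lines, not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\kbiwkmlog.dat
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [20/08/2009 22:18 28544]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
"""

SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")        # ((( Section title )))
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
AT_JOB_RE = re.compile(r"\\Tasks\\At(\d+)\.job$", re.IGNORECASE)

def parse_sections(text):
    """Split a ComboFix log into {section title: [lines]} using its ((( title ))) banners."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":               # '.' is ComboFix's spacer line
            sections.setdefault(current, []).append(line)
    return sections

def parse_services(text):
    """Parse '<start type> name;display;image path [date size]' lines; '[?]' = file not on disk."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, _display, image, status = m.groups()
        if "-->" in image:                        # ComboFix prints 'raw path --> resolved path'
            image = image.split("-->")[-1].strip()
        services.append({"start": start, "name": name, "image": image,
                         "missing": status.strip() == "?"})
    return services

def triage(text):
    """Return the findings a defender would check first, in the order they appear in the log."""
    findings = []
    deletions = parse_sections(text).get("Other Deletions", [])
    for line in deletions:
        m = INFECTED_RE.match(line)
        if m:
            findings.append(f"infected system file was replaced: {m.group(1)}")
    at_jobs = sorted(int(m.group(1)) for m in map(AT_JOB_RE.search, deletions) if m)
    if at_jobs:   # a run of At<N>.job files is the footprint of tasks created with at.exe
        findings.append(f"{len(at_jobs)} at.exe scheduled tasks removed (At{at_jobs[0]}..At{at_jobs[-1]}.job)")
    for svc in parse_services(text):
        image = svc["image"].lower()
        if svc["missing"]:
            findings.append(f"service {svc['name']} ({svc['start']}) points at a missing file: {svc['image']}")
        if image.endswith(".tmp") or "\\temp\\" in image:
            findings.append(f"service {svc['name']} loads from a temp-style path: {svc['image']}")
    return findings
```

Run `triage(open("ComboFix.txt").read())` against a real report to get the same findings list for a full log; a flagged service is a lead to verify against the vendor (Lbd.sys here is a leftover Ad-Aware driver), not a verdict.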