journo

Honorary Members

Posts: 25

Posts posted by journo

  1. Ok, so this is disturbing. I'm getting exactly the same popups from Calculator, Lockapp etc., identified as trojan.fadeb.j by Malwarebytes.

    But the really disturbing thing is that I'm also using a BLU device!

    This is a device that I hardly use. It sits on my desk and hosts my old SIM card in case I receive a text.

    No way I accidentally installed malware, so it's highly worrying that this device/manufacturer may have a security flaw.

  2. Hi,

    I think I've got some malware because my browsers are only working in Safe mode.

    However, Malwarebytes didn't pick up anything. It's fully updated.

    How should I proceed? Here are the DDS files.

    Thanks

    Dan

    DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK

    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.11.2

    Run by Gerard at 20:04:41 on 2013-02-05

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.334 [GMT 0:00]

    .

    AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

    FW: Kaspersky Internet Security *Enabled*

    .

    ============== Running Processes ================

    .

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Documents and Settings\Gerard\Local Settings\Application Data\join.me\join.me.exe

    C:\WINDOWS\notepad.exe

    C:\Program Files\Google\Chrome\Application\chrome.exe

    C:\Program Files\Google\Chrome\Application\chrome.exe

    C:\Program Files\Google\Chrome\Application\chrome.exe

    C:\Program Files\Google\Chrome\Application\chrome.exe

    C:\Program Files\Google\Chrome\Application\chrome.exe

    C:\Program Files\Google\Chrome\Application\chrome.exe

    C:\Program Files\Google\Chrome\Application\chrome.exe

    C:\Program Files\Google\Chrome\Application\chrome.exe

    C:\Program Files\Google\Chrome\Application\chrome.exe

    C:\Program Files\Google\Chrome\Application\chrome.exe

    C:\Program Files\Google\Chrome\Application\chrome.exe

    C:\Program Files\Google\Chrome\Application\chrome.exe

    C:\Program Files\Google\Chrome\Application\chrome.exe

    C:\WINDOWS\system32\wbem\wmiprvse.exe

    C:\WINDOWS\system32\svchost.exe -k netsvcs

    C:\WINDOWS\system32\svchost.exe -k NetworkService

    C:\WINDOWS\system32\svchost.exe -k LocalService

    .

    ============== Pseudo HJT Report ===============

    .

    BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

    BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\contentblocker\ie_content_blocker_plugin.dll

    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll

    BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

    BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\onlinebanking\online_banking_bho.dll

    BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

    BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll

    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe

    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

    mRun: [igfxTray] c:\windows\system32\igfxtray.exe

    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

    mRun: [Persistence] c:\windows\system32\igfxpers.exe

    mRun: [RTHDCPL] RTHDCPL.EXE

    mRun: [Alcmtr] ALCMTR.EXE

    mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

    mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe

    mRun: [TPSMain] TPSMain.exe

    mRun: [NDSTray.exe] NDSTray.exe

    mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe

    mRun: [TFncKy] TFncKy.exe

    mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe

    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

    mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup

    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

    mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

    mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe"

    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

    StartupFolder: c:\docume~1\gerard\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

    IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2013\ie_banner_deny.htm

    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll

    IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\virtualkeyboard\ie_virtual_keyboard_plugin.dll

    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll

    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

    IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2013\ieext\urladvisor\klwtbbho.dll

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

    TCP: NameServer = 192.168.1.254 192.168.1.254

    TCP: Interfaces\{89278D3F-6BE9-49D3-B65C-1BAE24114C8C} : DHCPNameServer = 192.168.1.254 192.168.1.254

    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

    Notify: igfxcui - igfxdev.dll

    Notify: klogon - c:\windows\system32\klogon.dll

    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.56\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

    .

    ============= SERVICES / DRIVERS ===============

    .

    R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2012-6-19 136024]

    R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2012-6-8 43608]

    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-4-3 5888]

    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2012-6-27 35672]

    R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2013-1-3 288000]

    S1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2013-1-24 586584]

    S1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2012-8-13 144344]

    S2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2013\avp.exe [2012-8-17 356376]

    S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-2-5 398184]

    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-2-5 682344]

    S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]

    S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]

    S3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2012-10-25 24408]

    S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2012-10-25 24920]

    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-2-5 21104]

    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-2-5 40776]

    .

    =============== Created Last 30 ================

    .

    2013-02-05 19:32:13 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2013-02-05 19:32:12 -------- d-----w- c:\documents and settings\gerard\application data\Malwarebytes

    2013-02-05 19:32:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

    2013-02-05 19:31:55 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

    2013-02-05 19:31:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2013-02-05 18:50:07 -------- d-----w- c:\windows\system32\wbem\repository\FS

    2013-02-05 18:50:07 -------- d-----w- c:\windows\system32\wbem\Repository

    2013-02-04 19:26:50 -------- d-----w- c:\documents and settings\gerard\PrivacIE

    2013-01-27 19:02:39 12928 -c--a-w- c:\windows\system32\dllcache\dot4prt.sys

    2013-01-27 19:02:39 12928 ----a-w- c:\windows\system32\drivers\Dot4Prt.sys

    2013-01-27 19:02:35 23808 -c--a-w- c:\windows\system32\dllcache\dot4usb.sys

    2013-01-27 19:02:35 23808 ----a-w- c:\windows\system32\drivers\Dot4usb.sys

    2013-01-27 19:02:34 207360 -c--a-w- c:\windows\system32\dllcache\dot4.sys

    2013-01-27 19:02:34 207360 ----a-w- c:\windows\system32\drivers\Dot4.sys

    2013-01-24 20:35:28 -------- d-----w- c:\documents and settings\gerard\local settings\application data\join.me

    2013-01-24 20:34:41 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

    2013-01-24 20:28:45 -------- d-----w- c:\program files\Kaspersky Lab

    2013-01-24 20:28:44 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab

    2013-01-24 20:28:16 74072 ----a-w- c:\windows\system32\drivers\klflt.sys

    .

    ==================== Find3M ====================

    .

    2013-01-27 09:49:27 43608 ----a-w- c:\windows\system32\drivers\kltdi.sys

    2013-01-03 20:36:38 859072 ----a-w- c:\windows\system32\npDeployJava1.dll

    2013-01-03 20:36:38 779704 ----a-w- c:\windows\system32\deployJava1.dll

    .

    ============= FINISH: 20:04:56.64 ===============

  3. Hi,

    I'm unable to access some https files and I've noticed that my hosts file keeps being added to.

    I remove the entries, but they come back a few minutes later.

    Malwarebytes shows nothing.

    ESET online scanner shows nothing.

    Symantec shows nothing.

    Any ideas?

    Here's the items from the hosts file if needed.
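A defender-side check for the symptom in the post above (hosts entries that pin many search domains to one external address and reappear minutes after being removed), added here as an example; it is not part of the original post nor code from Malwarebytes, ESET, Symantec or DDS. The two hosts-file samples, the 203.0.113.20 address (a documentation range standing in for an external one) and the example-search hostnames are constructed; the parser, the flagging rules and the baseline diff are assumptions of this example.

```python
import hashlib
import ipaddress
import re
from collections import defaultdict

# Constructed baseline: what a clean Windows hosts file typically contains.
BASELINE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.11.5    printserver.lan
"""

# Constructed "current" copy in the shape of a hijacked file: several search-engine
# hostnames pinned to one external address, each carrying the same comment tag.
# 203.0.113.20 (documentation range) stands in for an external address; names are invented.
CURRENT_HOSTS = BASELINE_HOSTS + """\
203.0.113.20    www.example-search.com # tag9
203.0.113.20    www.example-search.co.uk # tag9
203.0.113.20    www.example-search.de # tag9
"""

# Targets a legitimate hosts entry normally points at: loopback, RFC 1918, link-local, ULA.
BENIGN_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "fe80::/10", "fc00::/7")]

# address, one or more hostnames, optional trailing "# comment"
LINE_RE = re.compile(r"^(\S+)\s+([^#]+?)\s*(?:#\s*(.*))?$")


def parse_hosts(text):
    """Return (address, [hostnames], comment) per entry; blank and comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address field, not a usable entry
        entries.append((addr, m.group(2).split(), (m.group(3) or "").strip()))
    return entries


def is_benign_target(addr):
    """True when the address is one a hosts entry legitimately points at (local ranges)."""
    return any(addr in net for net in BENIGN_NETS)


def find_suspicious(text, min_cluster=3):
    """Flag names pinned to a non-local address, and clusters of names sharing one such address."""
    findings, by_addr = [], defaultdict(list)
    for addr, names, comment in parse_hosts(text):
        for name in names:
            if not is_benign_target(addr):
                findings.append(("public_target", name, str(addr), comment))
            by_addr[addr].append(name)
    for addr, names in by_addr.items():
        if not is_benign_target(addr) and len(names) >= min_cluster:
            findings.append(("cluster", ",".join(sorted(names)), str(addr), ""))
    return findings


def hosts_fingerprint(text):
    """SHA-256 over the canonicalised entries, so a baseline can be re-checked on a schedule."""
    canon = "\n".join(f"{a} {' '.join(n)}" for a, n, _ in parse_hosts(text))
    return hashlib.sha256(canon.encode()).hexdigest()


def diff_against_baseline(baseline_text, current_text):
    """(address, hostname) pairs present now that the baseline did not have."""
    base = {(str(a), n) for a, names, _ in parse_hosts(baseline_text) for n in names}
    cur = {(str(a), n) for a, names, _ in parse_hosts(current_text) for n in names}
    return sorted(cur - base)


if __name__ == "__main__":
    for finding in find_suspicious(CURRENT_HOSTS):
        print(finding)
    print("baseline changed:", hosts_fingerprint(BASELINE_HOSTS) != hosts_fingerprint(CURRENT_HOSTS))
    for pair in diff_against_baseline(BASELINE_HOSTS, CURRENT_HOSTS):
        print("new entry:", pair)
```

Re-running the fingerprint and diff against a saved clean copy every few minutes is what catches entries that something on the machine keeps writing back.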

  4. Hi,

    Here are the results from the DDS program.

    DDS.txt

    .

    DDS (Ver_2011-08-26.01) - NTFSx86

    Internet Explorer: 8.0.6001.18702

    Run by Administrator at 23:15:47 on 2012-07-17

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1410 [GMT 1:00]

    .

    FW: Symantec Endpoint Protection *Enabled*

    .

    ============== Running Processes ===============

    .

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe -k DcomLaunch

    C:\WINDOWS\system32\svchost.exe -k rpcss

    C:\WINDOWS\System32\svchost.exe -k netsvcs

    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

    C:\WINDOWS\system32\svchost.exe -k NetworkService

    C:\WINDOWS\system32\svchost.exe -k LocalService

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\svchost.exe -k LocalService

    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

    C:\Program Files\Bonjour\mDNSResponder.exe

    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

    C:\Program Files\LogMeIn\x86\RaMaint.exe

    C:\Program Files\LogMeIn\x86\LogMeIn.exe

    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

    C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

    C:\WINDOWS\system32\svchost.exe -k imgsvc

    C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

    C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe

    C:\Program Files\Xobni\XobniService.exe

    C:\WINDOWS\System32\alg.exe

    C:\Program Files\LogMeIn\x86\LogMeIn.exe

    C:\WINDOWS\system32\wbem\wmiprvse.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\userinit.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\TeamViewer\Version7\TeamViewer.exe

    C:\WINDOWS\system32\wscntfy.exe

    C:\Program Files\TeamViewer\Version7\tv_w32.exe

    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

    C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\Microsoft ActiveSync\wcescomm.exe

    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

    C:\PROGRA~1\MI3AA1~1\rapimgr.exe

    C:\Program Files\SHARP\Printer Status Monitor\Smon.exe

    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\WINDOWS\system32\wbem\wmiapsrv.exe

    C:\WINDOWS\system32\wbem\wmiprvse.exe

    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

    .

    ============== Pseudo HJT Report ===============

    .

    uStart Page = about:blank

    mURLSearchHooks: H - No File

    mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix\xflyvmro.exe

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll

    BHO: Project seed Toolbar: {7f4290b4-b183-4623-bba2-28f48d9bbd23} - c:\program files\project_seed\prxtbPro0.dll

    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll

    TB: Project seed Toolbar: {7f4290b4-b183-4623-bba2-28f48d9bbd23} - c:\program files\project_seed\prxtbPro0.dll

    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

    uRun: [XflYvmro] c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix\xflyvmro.exe

    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

    mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

    mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

    mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"

    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

    mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

    mRun: [sMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe

    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

    mRun: [\\PC2\EPSON Stylus D68 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaae.exe /p29 "\\pc2\EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"

    mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on

    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

    mRun: [Google Updater] "c:\program files\google\google updater\GoogleUpdater.exe" -check_deprecation

    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

    dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

    dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

    dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printe~1.lnk - c:\program files\sharp\printer status monitor\Smon.exe

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

    uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)

    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

    mPolicies-explorer: NoActiveDesktop = 1 (0x1)

    mPolicies-system: EnableLUA = 0 (0x0)

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll

    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

    DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://manchesterserve/connectcomputer/nshelp.dll

    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

    TCP: DhcpNameServer = 192.168.11.254

    TCP: Interfaces\{BC9C58A2-60A2-4E71-A074-F19F6A930625} : DhcpNameServer = 192.168.11.254

    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

    Notify: LMIinit - LMIinit.dll

    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL

    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

    .

    ================= FIREFOX ===================

    .

    FF - ProfilePath - \\Manchesterserve\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\kxdjx1ig.default\

    .

    ============= SERVICES / DRIVERS ===============

    .

    R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2008-7-30 277736]

    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-1-6 374152]

    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]

    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-5-18 47640]

    R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]

    R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-5-21 173352]

    R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-3-19 2666880]

    R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2009-8-11 46824]

    R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-2-20 18432]

    R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-2-20 14336]

    R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\admini~1.see\locals~1\temp\ftmgyjnb.sys --> c:\docume~1\admini~1.see\locals~1\temp\ftmgyjnb.sys [?]

    S0 00677621;00677621;c:\windows\system32\drivers\68236726.sys --> c:\windows\system32\drivers\68236726.sys [?]

    S2 ASFIPmon;Broadcom ASF IP Monitor;"c:\program files\broadcom\asfipmon\asfipmon.exe" -service --> c:\program files\broadcom\asfipmon\AsfIpMon.exe [?]

    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-8 135664]

    S2 WinDefend;Windows Defender;"c:\program files\windows defender\msmpeng.exe" --> c:\program files\windows defender\MsMpEng.exe [?]

    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-16 250056]

    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-8 135664]

    S3 MBAMCatchMe;MBAMCatchMe;c:\program files\malwarebytes' anti-malware\catchme.sys [2008-3-26 27136]

    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-7-16 40776]

    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]

    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    .

    =============== Created Last 30 ================

    .

    2012-07-17 09:37:29 -------- d-----w- c:\documents and settings\administrator.seedmanchester\local settings\application data\pytmlmix

    2012-07-16 21:07:03 -------- d-----w- c:\program files\stinger

    2012-07-16 18:16:21 -------- d-sha-r- C:\cmdcons

    2012-07-16 14:03:10 98816 ----a-w- c:\windows\sed.exe

    2012-07-16 14:03:10 518144 ----a-w- c:\windows\SWREG.exe

    2012-07-16 14:03:10 256000 ----a-w- c:\windows\PEV.exe

    2012-07-16 14:03:10 208896 ----a-w- c:\windows\MBR.exe

    2012-07-16 14:01:02 -------- d-----w- C:\TDSSKiller_Quarantine

    2012-07-16 05:56:59 9216 ----a-w- c:\windows\system32\dllcache\wamps51.dll

    2012-07-16 05:55:58 94720 ----a-w- c:\windows\system32\dllcache\umaxud32.dll

    2012-07-16 05:54:58 230912 ----a-w- c:\windows\system32\dllcache\tosdvd03.sys

    2012-07-16 05:53:57 53248 ----a-w- c:\windows\system32\dllcache\stlncoin.dll

    2012-07-16 05:52:59 6912 ----a-w- c:\windows\system32\dllcache\smbclass.sys

    2012-07-16 05:51:59 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll

    2012-07-16 05:50:58 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys

    2012-07-16 05:49:59 8832 ----a-w- c:\windows\system32\dllcache\powerfil.sys

    2012-07-16 05:48:58 31872 ----a-w- c:\windows\system32\dllcache\ovce.sys

    2012-07-16 05:48:56 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys

    2012-07-16 05:48:53 48000 ----a-w- c:\windows\system32\dllcache\ovcam2.sys

    2012-07-16 05:48:51 25088 ----a-w- c:\windows\system32\dllcache\ovca.sys

    2012-07-16 05:48:49 54186 ----a-w- c:\windows\system32\dllcache\otcsercb.sys

    2012-07-16 05:48:46 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys

    2012-07-16 05:48:43 27209 ----a-w- c:\windows\system32\dllcache\otc06x5.sys

    2012-07-16 05:48:38 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys

    2012-07-16 05:48:29 61696 ----a-w- c:\windows\system32\dllcache\ohci1394.sys

    2012-07-16 05:48:11 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys

    2012-07-16 05:48:09 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll

    2012-07-16 05:46:58 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll

    2012-07-16 05:45:41 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys

    2012-07-16 05:45:36 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll

    2012-07-16 05:45:36 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys

    2012-07-16 05:45:04 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys

    2012-07-16 05:45:00 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys

    2012-07-16 05:44:59 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys

    2012-07-16 05:44:20 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys

    2012-07-16 05:44:09 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys

    2012-07-16 05:42:58 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys

    2012-07-16 05:41:58 59904 ----a-w- c:\windows\system32\dllcache\imkrinst.exe

    2012-07-16 05:40:58 391199 ----a-w- c:\windows\system32\dllcache\hsf_k56k.sys

    2012-07-16 05:39:59 320384 ----a-w- c:\windows\system32\dllcache\g200m.sys

    2012-07-16 05:38:58 174464 ----a-w- c:\windows\system32\dllcache\es198x.sys

    2012-07-16 05:37:59 6729 ----a-w- c:\windows\system32\dllcache\disrvci.dll

    2012-07-16 05:36:59 272640 ----a-w- c:\windows\system32\dllcache\cinemclc.sys

    2012-07-16 05:35:59 75136 ----a-w- c:\windows\system32\dllcache\atimpae.sys

    2012-07-16 05:28:47 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2012-07-16 05:10:35 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

    2012-07-15 18:16:26 -------- d-----w- c:\program files\ESET

    2012-06-26 20:58:04 -------- d-----w- \\Manchesterserve\Users\Administrator\Application Data\ElevatedDiagnostics

    .

    ==================== Find3M ====================

    .

    2012-07-16 05:10:35 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

    2012-07-03 12:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

    2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys

    2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll

    2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll

    2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll

    2012-06-02 14:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

    2012-06-02 14:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

    2012-06-02 14:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

    2012-06-02 14:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

    2012-06-02 14:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

    2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll

    2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll

    2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll

    2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl

    2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec

    2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

    2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

    2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

    .

    ============= FINISH: 23:17:29.23 ===============

    I couldn't copy and paste the attach.txt file because it was too large to post, so I've attached it instead.

    Thanks

    Dan

    Attach.txt

  5. I was following the previous topic instructions, so that's where ComboFix came from.

    I've deleted it now.

    In the process of trying to delete the malware, I removed Symantec Endpoint Protection. It was blocking access to the malware files, but the malware was causing SEP to repeatedly crash, and therefore I was unable to disable the AV.

    After performing the CF steps, I'm still unable to access www.Malwarebytes.org, www.eset.com etc.

    Please find the attachments requested.

    Thanks for your help.

    Dan

    Results of screen317's Security Check version 0.99.42

    Windows XP Service Pack 3 x86 (UAC is disabled!)

    Internet Explorer 8

    ``````````````Antivirus/Firewall Check:``````````````

    Windows Firewall Enabled!

    Please wait while WMIC is being installed.

    WMI entry may not exist for antivirus; attempting automatic update.

    `````````Anti-malware/Other Utilities Check:`````````

    Windows Defender

    Malwarebytes Anti-Malware version 1.62.0.1300

    Java 6 Update 5

    Java version out of Date!

    Adobe Reader 9 Adobe Reader out of Date!

    Mozilla Firefox (for.)

    ````````Process Check: objlist.exe by Laurent````````

    `````````````````System Health check`````````````````

    Total Fragmentation on Drive C:: 27% Defragment your hard drive soon!

    ````````````````````End of Log``````````````````````

    ComboFix 12-07-16.01 - Administrator 17/07/2012 10:24:31.2.2 - x86 NETWORK

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1687 [GMT 1:00]

    Running from: \\MANCHESTERSERVE\Users\Administrator\Desktop\ComboFix.exe

    Command switches used :: \\MANCHESTERSERVE\Users\Administrator\Desktop\CFScript.txt

    FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    .

    FILE ::

    "c:\documents and settings\shaya.seedmanchester.000\local settings\application data\pytmlmix\xflyvmro.exe"

    .

    file zipped: c:\documents and settings\shaya.SEEDMANCHESTER.000\Local Settings\Application Data\pytmlmix\xflyvmro.exe

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\awseslek.log

    c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\bwitqshb.log

    c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\dgmbomnp.log

    c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\epjlyeqf.log

    c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\lymuqbib.log

    c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\nrcdbcgr.log

    c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\rgveijmc.log

    c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\ygoqwlak.log

    c:\documents and settings\shaya.seedmanchester.000\local settings\application data\pytmlmix

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    -------\Legacy_MICORSOFT_WINDOWS_SERVICE

    .

    .

    ((((((((((((((((((((((((( Files Created from 2012-06-17 to 2012-07-17 )))))))))))))))))))))))))))))))

    .

    .

    2012-07-17 09:37 . 2012-07-17 09:37 -------- d-----w- c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\pytmlmix

    2012-07-17 09:14 . 2012-07-17 09:15 -------- d-----w- c:\program files\ERUNT

    2012-07-16 21:07 . 2012-07-16 21:08 -------- d-----w- c:\program files\stinger

    2012-07-16 14:01 . 2012-07-16 21:05 -------- d-----w- C:\TDSSKiller_Quarantine

    2012-07-16 05:54 . 2001-08-17 21:36 10240 ----a-w- c:\windows\system32\dllcache\swpdflt2.dll

    2012-07-16 05:54 . 2001-08-17 21:36 155648 ----a-w- c:\windows\system32\dllcache\stlnprop.dll

    2012-07-16 05:52 . 2008-04-13 18:36 6912 ----a-w- c:\windows\system32\dllcache\smbclass.sys

    2012-07-16 05:51 . 2001-08-17 21:36 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll

    2012-07-16 05:50 . 2001-08-17 11:12 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys

    2012-07-16 05:49 . 2008-04-13 18:40 8832 ----a-w- c:\windows\system32\dllcache\powerfil.sys

    2012-07-16 05:48 . 2001-08-17 13:05 31872 ----a-w- c:\windows\system32\dllcache\ovce.sys

    2012-07-16 05:48 . 2001-08-17 13:05 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys

    2012-07-16 05:48 . 2001-08-17 13:05 48000 ----a-w- c:\windows\system32\dllcache\ovcam2.sys

    2012-07-16 05:48 . 2001-08-17 13:05 25088 ----a-w- c:\windows\system32\dllcache\ovca.sys

    2012-07-16 05:48 . 2001-08-17 12:28 54186 ----a-w- c:\windows\system32\dllcache\otcsercb.sys

    2012-07-16 05:48 . 2001-08-17 11:12 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys

    2012-07-16 05:48 . 2001-08-17 11:12 27209 ----a-w- c:\windows\system32\dllcache\otc06x5.sys

    2012-07-16 05:48 . 2001-08-17 11:20 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys

    2012-07-16 05:48 . 2008-04-13 18:46 61696 ----a-w- c:\windows\system32\dllcache\ohci1394.sys

    2012-07-16 05:48 . 2001-08-17 11:50 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys

    2012-07-16 05:48 . 2001-08-17 21:36 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll

    2012-07-16 05:46 . 2001-08-17 13:56 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll

    2012-07-16 05:45 . 2001-08-17 13:00 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys

    2012-07-16 05:45 . 2008-04-13 18:54 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys

    2012-07-16 05:45 . 2004-08-04 05:00 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll

    2012-07-16 05:45 . 2001-08-17 13:02 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys

    2012-07-16 05:45 . 2001-08-17 12:48 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys

    2012-07-16 05:44 . 2008-04-13 18:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys

    2012-07-16 05:44 . 2008-04-13 18:46 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys

    2012-07-16 05:44 . 2001-08-17 12:57 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys

    2012-07-16 05:42 . 2001-08-17 11:12 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys

    2012-07-16 05:41 . 2004-08-04 05:00 59904 ----a-w- c:\windows\system32\dllcache\imkrinst.exe

    2012-07-16 05:40 . 2001-08-17 12:28 391199 ----a-w- c:\windows\system32\dllcache\hsf_k56k.sys

    2012-07-16 05:39 . 2001-08-17 11:49 320384 ----a-w- c:\windows\system32\dllcache\g200m.sys

    2012-07-16 05:38 . 2001-08-17 11:19 174464 ----a-w- c:\windows\system32\dllcache\es198x.sys

    2012-07-16 05:37 . 2001-08-17 21:36 6729 ----a-w- c:\windows\system32\dllcache\disrvci.dll

    2012-07-16 05:36 . 2001-08-17 13:02 272640 ----a-w- c:\windows\system32\dllcache\cinemclc.sys

    2012-07-16 05:35 . 2001-08-17 11:49 75136 ----a-w- c:\windows\system32\dllcache\atimpae.sys

    2012-07-16 05:28 . 2012-07-16 21:01 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2012-07-16 05:10 . 2012-07-16 05:10 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

    2012-07-15 18:16 . 2012-07-15 18:16 -------- d-----w- c:\program files\ESET

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2012-07-16 05:10 . 2012-02-21 20:59 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

    2012-07-03 12:46 . 2012-02-02 14:01 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

    2012-06-13 13:19 . 2004-08-11 17:00 1866112 ----a-w- c:\windows\system32\win32k.sys

    2012-06-05 15:50 . 2007-05-15 15:43 1372672 ----a-w- c:\windows\system32\msxml6.dll

    2012-06-05 15:50 . 2004-08-11 17:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

    2012-06-04 04:32 . 2004-08-11 17:00 152576 ----a-w- c:\windows\system32\schannel.dll

    2012-06-02 14:19 . 2007-04-16 22:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

    2012-06-02 14:19 . 2007-04-16 22:46 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

    2012-06-02 14:19 . 2004-08-11 17:12 329240 ----a-w- c:\windows\system32\wucltui.dll

    2012-06-02 14:19 . 2004-08-11 17:12 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

    2012-06-02 14:19 . 2004-08-11 17:12 210968 ----a-w- c:\windows\system32\wuweb.dll

    2012-06-02 14:19 . 2007-04-16 22:46 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

    2012-06-02 14:19 . 2007-04-16 22:45 45080 ----a-w- c:\windows\system32\wups2.dll

    2012-06-02 14:19 . 2004-08-11 17:12 53784 ----a-w- c:\windows\system32\wuauclt.exe

    2012-06-02 14:19 . 2004-08-11 17:12 35864 ----a-w- c:\windows\system32\wups.dll

    2012-06-02 14:19 . 2004-08-11 17:00 97304 ----a-w- c:\windows\system32\cdm.dll

    2012-06-02 14:19 . 2007-04-16 22:45 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

    2012-06-02 14:19 . 2004-08-11 17:12 577048 ----a-w- c:\windows\system32\wuapi.dll

    2012-06-02 14:19 . 2004-08-11 17:12 1933848 ----a-w- c:\windows\system32\wuaueng.dll

    2012-05-31 13:22 . 2004-08-11 17:00 599040 ----a-w- c:\windows\system32\crypt32.dll

    2012-05-16 15:08 . 2004-08-11 17:00 916992 ----a-w- c:\windows\system32\wininet.dll

    2012-05-11 14:42 . 2004-08-11 17:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

    2012-05-11 14:42 . 2004-08-11 17:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

    2012-05-11 11:38 . 2004-08-11 17:00 385024 ----a-w- c:\windows\system32\html.iec

    2012-05-04 13:16 . 2004-08-11 17:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

    2012-05-04 12:32 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

    2012-05-02 13:46 . 2004-08-11 17:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

    .

    .

    ((((((((((((((((((((((((((((( SnapShot@2012-07-16_20.04.25 )))))))))))))))))))))))))))))))))))))))))

    .

    + 2012-07-17 01:30 . 2012-07-17 01:30 22016 c:\windows\Installer\fbd1a7.msi

    + 2012-07-17 09:37 . 2012-07-17 09:37 65536 c:\windows\Installer\{5ACE69F0-A3E8-44EB-88C1-0A841E700180}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe

    - 2008-09-09 11:48 . 2008-09-09 11:48 65536 c:\windows\Installer\{5ACE69F0-A3E8-44eb-88C1-0A841E700180}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe

    + 2012-07-17 09:15 . 2012-07-17 09:15 12288 c:\windows\erdnt\17-07-2012\Users\00000004\UsrClass.dat

    + 2012-07-17 09:15 . 2012-07-17 09:15 12288 c:\windows\erdnt\17-07-2012\Users\00000002\UsrClass.dat

    + 2009-11-11 23:28 . 2009-10-01 09:29 195440 c:\windows\system32\MpSigStub.exe

    + 2012-07-17 09:15 . 2012-07-17 09:15 151552 c:\windows\erdnt\17-07-2012\Users\00000006\UsrClass.dat

    + 2012-07-17 09:15 . 2012-07-17 09:15 241664 c:\windows\erdnt\17-07-2012\Users\00000003\NTUSER.DAT

    + 2012-07-17 09:15 . 2012-07-17 09:15 237568 c:\windows\erdnt\17-07-2012\Users\00000001\NTUSER.DAT

    + 2012-07-17 09:15 . 2005-10-20 11:02 163328 c:\windows\erdnt\17-07-2012\ERDNT.EXE

    + 2012-07-17 09:15 . 2012-07-17 09:15 3440640 c:\windows\erdnt\17-07-2012\Users\00000005\NTUSER.DAT

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7f4290b4-b183-4623-bba2-28f48d9bbd23}]

    2011-05-09 09:49 176936 ----a-w- c:\program files\Project_seed\prxtbPro0.dll

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

    "{7f4290b4-b183-4623-bba2-28f48d9bbd23}"= "c:\program files\Project_seed\prxtbPro0.dll" [2011-05-09 176936]

    .

    [HKEY_CLASSES_ROOT\clsid\{7f4290b4-b183-4623-bba2-28f48d9bbd23}]

    .

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

    "{7F4290B4-B183-4623-BBA2-28F48D9BBD23}"= "c:\program files\Project_seed\prxtbPro0.dll" [2011-05-09 176936]

    .

    [HKEY_CLASSES_ROOT\clsid\{7f4290b4-b183-4623-bba2-28f48d9bbd23}]

    .

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-13 68856]

    "XflYvmro"="c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\pytmlmix\xflyvmro.exe" [bU]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]

    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

    "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

    "SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]

    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]

    "\\PC2\EPSON Stylus D68 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE" [2005-01-25 98304]

    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-05-27 53248]

    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-08 198160]

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

    "Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-09-12 161336]

    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]

    .

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-13 68856]

    .

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

    "TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

    .

    c:\documents and settings\ilan\Start Menu\Programs\Startup\

    eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [N/A]

    Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\Office12\OUTLOOK.EXE [2012-5-3 13006952]

    .

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

    Printer Status Monitor.lnk - c:\program files\SHARP\Printer Status Monitor\Smon.exe [2011-1-6 180313]

    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-8-23 967960]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "EnableLUA"= 0 (0x0)

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

    "NoWelcomeScreen"= 1 (0x1)

    .

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

    "DisablePersonalDirChange"= 1 (0x1)

    .

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

    "Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Administrator.SEEDMANCHESTER\Local Settings\Application Data\pytmlmix\xflyvmro.exe"

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

    2010-12-14 14:32 87424 ----a-w- c:\windows\system32\LMIinit.dll

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

    @="Driver"

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

    @="Service"

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]

    2010-04-22 10:55 49152 ----a-w- c:\windows\system32\ico.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SN0XRCV]

    2006-10-23 10:11 102400 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\SN0XRCV.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SN52IPRW]

    2005-02-15 10:02 135168 ----a-w- c:\windows\system32\SN52SELC.exe

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XflYvmro]

    c:\documents and settings\shaya.SEEDMANCHESTER.000\Local Settings\Application Data\pytmlmix\xflyvmro.exe [bU]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

    "stllssvr"=3 (0x3)

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "AllAlertsDisabled"=dword:00000001

    "TermService"=dword:00000001

    "DisableMonitoring"=dword:00000001

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\temp\\HP_WebRelease\\Setup\\HPZnet01.exe"=

    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    .

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    .

    R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [30/07/2008 06:51 277736]

    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [06/01/2011 16:45 374152]

    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 18:46 12856]

    R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]

    R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [21/05/2010 12:27 173352]

    R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [19/03/2012 12:38 2666880]

    R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [11/08/2009 23:31 46824]

    R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [20/02/2008 15:08 18432]

    R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [20/02/2008 15:08 14336]

    R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\ADMINI~1.SEE\LOCALS~1\Temp\ftmgyjnb.sys --> c:\docume~1\ADMINI~1.SEE\LOCALS~1\Temp\ftmgyjnb.sys [?]

    S0 00677621;00677621;c:\windows\system32\drivers\68236726.sys --> c:\windows\system32\drivers\68236726.sys [?]

    S2 ASFIPmon;Broadcom ASF IP Monitor;"c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe" -service --> c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [?]

    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [08/04/2010 15:30 135664]

    S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]

    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [16/07/2012 06:10 250056]

    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [08/04/2010 15:30 135664]

    S3 MBAMCatchMe;MBAMCatchMe;c:\program files\Malwarebytes' Anti-Malware\catchme.sys [26/03/2008 11:58 27136]

    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [16/07/2012 06:28 40776]

    .

    --- Other Services/Drivers In Memory ---

    .

    *NewlyCreated* - MICORSOFT_WINDOWS_SERVICE

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2012-07-17 c:\windows\Tasks\Adobe Flash Player Updater.job

    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-16 05:10]

    .

    2012-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]

    .

    2012-07-12 c:\windows\Tasks\Google Software Updater.job

    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-13 13:30]

    .

    2012-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 14:30]

    .

    2012-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-08 14:30]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = about:blank

    TCP: DhcpNameServer = 192.168.11.254

    FF - ProfilePath - \\Manchesterserve\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\kxdjx1ig.default\

    .

    - - - - ORPHANS REMOVED - - - -

    .

    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

    HKCU-Run-PC Suite Tray - c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

    SafeBoot-00677621.sys

    .

    .

    .

    **************************************************************************

    .

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2012-07-17 10:36

    Windows 5.1.2600 Service Pack 3 NTFS

    .

    scanning hidden processes ...

    .

    scanning hidden autostart entries ...

    .

    scanning hidden files ...

    .

    scan completed successfully

    hidden files: 0

    .

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    .

    [HKEY_USERS\S-1-5-21-1918387015-3744224925-1604920466-500\Software\Microsoft\Internet Explorer\User Preferences]

    @Denied: (2) (Administrator)

    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\

    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\

    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\

    .

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]

    @Denied: (2) (Administrator)

    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\

    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,fe,f0,cf,ca,89,ea,46,92,30,9d,\

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    .

    - - - - - - - > 'winlogon.exe'(664)

    c:\windows\system32\LMIinit.dll

    c:\program files\LogMeIn\x86\LMIhook.000.dll

    c:\windows\system32\wininet.dll

    c:\windows\system32\LMIRfsClientNP.dll

    .

    - - - - - - - > 'lsass.exe'(720)

    c:\windows\system32\LMIRfsClientNP.dll

    .

    - - - - - - - > 'explorer.exe'(5844)

    c:\windows\system32\WININET.dll

    c:\program files\LogMeIn\x86\LMIhook.000.dll

    c:\windows\system32\LMIRfsClientNP.dll

    c:\windows\system32\ieframe.dll

    c:\windows\system32\webcheck.dll

    c:\windows\system32\WPDShServiceObj.dll

    c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll

    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr

    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

    c:\program files\Roxio\Drag-to-Disc\Shellex.dll

    c:\windows\system32\DLAAPI_W.DLL

    c:\windows\system32\CDRTC.DLL

    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

    c:\windows\system32\PortableDeviceTypes.dll

    c:\windows\system32\PortableDeviceApi.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\windows\system32\Ati2evxx.exe

    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

    c:\program files\Bonjour\mDNSResponder.exe

    c:\program files\LogMeIn\x86\RaMaint.exe

    c:\program files\LogMeIn\x86\LogMeIn.exe

    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

    c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe

    c:\windows\system32\msiexec.exe

    c:\program files\LogMeIn\x86\LogMeIn.exe

    c:\program files\TeamViewer\Version7\TeamViewer.exe

    c:\windows\system32\wscntfy.exe

    c:\program files\TeamViewer\Version7\tv_w32.exe

    c:\progra~1\MI3AA1~1\rapimgr.exe

    c:\program files\iPod\bin\iPodService.exe

    .

    **************************************************************************

    .

    Completion time: 2012-07-17 10:42:06 - machine was rebooted

    ComboFix-quarantined-files.txt 2012-07-17 09:42

    ComboFix2.txt 2012-07-16 20:09

    .

    Pre-Run: 109,024,645,120 bytes free

    Post-Run: 106,894,229,504 bytes free

    .

    - - End Of File - - 8F83AFB3399AAB5FBA40AB97F69828FA

    Upload was successful

  6. Post Merged

    We look for post with 0 replies, so when you reply to your own topic, we assume you were being helped.

    Please be patient, someone will assist you as soon as possible.

    Hi,

    I've got a PC that's been having issues. Last time I had an issue, I was asked to run an online virus scan at www.eset.com; however, I'm now unable to access the site.

    ping www.eset.com sends a ping to 127.0.0.1.

    I've checked the hosts file and it's empty, so no issue there.

    Any idea how I can diagnose this?

    Also can't seem to open malwarebytes.

    This only seems to happen when one specific user is logged in.

    Other users can run the online eset scanner and malwarebytes without any problems.

    The computer is on a domain.

    Thanks

    Dan

    Just noticed that I'm unable to get onto the Malwarebytes website too.

  7. Hi,

    I just wanted to update you that the user was using it today, installed Google drive which asked him to perform a reboot.

    Then there were a series of messages that mentioned the words 'deleting files' and indexes.

    Then the PC stopped booting and continuously showed the blue screen, even safe mode and last known good config.

    Running Recuva on it to rescue the data, then I'll reinstall Windows.

    Not sure what the cause was. Could it have been the viruses?

    Thanks

    Dan

  8. Hi,

    Sorry for the delay.

    Here are the results:-

    ESETSmartInstaller@High as CAB hook log:

    OnlineScanner.ocx - registred OK

    # version=7

    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

    # OnlineScanner.ocx=1.0.0.6583

    # api_version=3.0.2

    # EOSSerial=9008ce58ac188f4d9a6ef5f36fc5dad2

    # end=finished

    # remove_checked=true

    # archives_checked=true

    # unwanted_checked=true

    # unsafe_checked=false

    # antistealth_checked=true

    # utc_time=2012-05-29 08:58:46

    # local_time=2012-05-29 09:58:46 (+0000, GMT Daylight Time)

    # country="United Kingdom"

    # lang=1033

    # osver=5.1.2600 NT Service Pack 3

    # compatibility_mode=8192 67108863 100 0 117 117 0 0

    # scanned=117647

    # found=85

    # cleaned=85

    # scan_time=6582

    C:\Documents and Settings\az\Local Settings\Temp\ICReinstall\cnet2_swfflv_player_exe.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Documents and Settings\az.SEEDLONDON\Application Data\MediaWmplay\FlashPlugin\FlashUtil192_ActiveX.exe a variant of Win32/Kryptik.AENA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Documents and Settings\az.SEEDLONDON\Application Data\Sun\Java\Deployment\cache\6.0\55\25e91f37-78bea34a multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

    C:\Documents and Settings\az.SEEDLONDON\My Documents\Windows\NTdZMGTHzjoD\taskhost.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\0FB177C9.exe.vir MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\4Z7DPS8WE8M2test1.exe.vir a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\bzvqex.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\C4BBZhkcmdX.exe.vir a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\Driver.exe.vir MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\evdfes.exe.vir a variant of MSIL/Kryptik.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\fvrhs.exe.vir a variant of Win32/Kryptik.AEFU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\hglphv.exe.vir a variant of Win32/TrojanDownloader.Zurgop.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\hptlyz.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\hxafcl.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\jdjkwl.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\jljter.exe.vir a variant of Win32/Injector.RET trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\jpcwmb.exe.vir a variant of MSIL/Kryptik.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\kfoczt.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\kzmlbp.exe.vir a variant of Win32/Kryptik.AENA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\luqmrt.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\pbgulj.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\qlhlyi.exe.vir a variant of MSIL/Kryptik.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\swmbst.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\VV0IYPGKU6TI7MhkcmdX.exe.vir a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\wtapbx.exe.vir a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\xbgfcn.exe.vir a variant of Win32/Kryptik.AENA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\Winupdate\windefender.exe.vir a variant of MSIL/Injector.AAT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Application Data\Ykkuw\uvdiw.exe.vir a variant of Win32/Kryptik.AFTN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Local Settings\Application Data\184181752012Gerichtsdokumente.exe.vir a variant of Win32/Injector.OQZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\Documents and Settings\az.SEEDLONDON\Local Settings\Application Data\2056191752012t123.exe.vir MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\WINDOWS\taskhost.exe.vir MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Qoobox\Quarantine\C\WINDOWS\system32\Shield.exe.vir a variant of Win32/Injector.RNZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP227\A0036381.exe Win32/Spy.Zbot.AAO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP235\A0037863.exe Win32/Spy.Zbot.AAO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP239\A0039968.exe a variant of Win32/Kryptik.ADUH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP247\A0042221.exe probably a variant of Win32/CoinMiner.L trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP248\A0042243.exe Win32/Spy.Zbot.AAQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP254\A0043558.exe Win32/Spy.Zbot.AAO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP255\A0043592.exe Win32/Spy.Zbot.AAO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP261\A0043875.exe a variant of Win32/Kryptik.AFHB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP262\A0043910.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP262\A0043911.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP262\A0043925.exe a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP263\A0043926.exe a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP263\A0043942.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP263\A0043943.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP263\A0043944.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP264\A0043949.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP264\A0043950.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP265\A0044915.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP265\A0044916.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP265\A0044917.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP267\A0044927.exe a variant of Win32/Injector.OQZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0046863.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0046864.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0046865.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047139.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047151.exe a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047168.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047169.exe a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047170.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047171.exe a variant of MSIL/Kryptik.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047173.exe a variant of Win32/Kryptik.AEFU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047175.exe a variant of Win32/TrojanDownloader.Zurgop.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047176.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047177.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047178.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047179.exe a variant of Win32/Injector.RET trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047180.exe a variant of MSIL/Kryptik.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047182.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047183.exe a variant of Win32/Kryptik.AENA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047184.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047187.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047190.exe a variant of MSIL/Kryptik.CC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047191.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047193.exe a variant of MSIL/TrojanDownloader.Agent.DR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047194.exe a variant of MSIL/Injector.AAT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047195.exe a variant of MSIL/Kryptik.CO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047196.exe a variant of Win32/Kryptik.AENA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047197.exe a variant of Win32/Kryptik.AFTN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047198.exe a variant of Win32/Injector.OQZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047199.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047205.exe a variant of Win32/Injector.RNZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP269\A0047207.exe MSIL/Injector.ACD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\System Volume Information\_restore{DDA7F671-FCD3-4529-A331-F2671C118798}\RP274\A0050980.exe a variant of Win32/Kryptik.AENA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    Thanks

    Dan

  9. First, have you intentionally installed any BitCoin-mining software on your computer? While this is indeed legitimate software, it's often installed by cybercriminals alongside their malware... if you aren't familiar with it, we should erase it from your system. ;)

    Never heard of BitCoin. The user may have installed it, but if it's suspicious, I'd rather remove it. They can always reinstall. Could it be part of Covenant Eyes?

    Second, Did you knowingly install this application:

    Covenant Eyes "internet accountability" software

    Yes, that was knowingly installed.

    Next, do you recognize the following folders (in bold)?

    • c:\documents and settings\az.SEEDLONDON\Application Data\Security
    • c:\documents and settings\az.SEEDLONDON\Application Data\System

    Please let me know :).

    No I don't. And I don't recognise the files within those folders either. Only System\CG has files in it:-

    Directory of C:\Documents and Settings\az.SEEDLONDON\Application Data\System\CG

    17/05/2012 18:32 <DIR> .

    17/05/2012 18:32 <DIR> ..

    17/05/2012 18:30 249,344 libcurl-4.dll

    17/05/2012 18:31 87,054 libpdcurses.dll

    17/05/2012 18:31 177,207 libusb-1.0.dll

    17/05/2012 18:31 57,960 OpenCL.dll

    17/05/2012 18:32 13,648 phatk120223.cl

    17/05/2012 18:32 44,730 poclbm120327.cl

    17/05/2012 18:32 68,096 pthreadGC2-w32.dll

    17/05/2012 18:32 68,096 pthreadGC2.dll

    17/05/2012 18:30 124,928 winapi.exe

    9 File(s) 891,063 bytes

    2 Dir(s) 69,349,888,000 bytes free

    Let's run a scan with Malwarebytes:

    Running scan. I'll post the results when it completes.

  10. Hi,

    I have a computer that had a virus. The virus changed the winlogon from userinit.exe to something else so that I couldn't log in. I sorted that out by correcting the registry.

    The virus also caused the redirect from www.malwarebytes.org to www.hotmail.com, so I had to download and install Malwarebytes via USB key.

    Malwarebytes Free is now reporting that the computer is clean, but the redirect is still in place. The free trial of Malwarebytes Pro has stopped reporting suspicious traffic, so I believe it's removed properly.

    I've checked the hosts file and it's empty apart from the default settings.

    I've also run Kaspersky TDSS and deleted what it found.

    attach.txt

    dds.txt

    Many thanks

    Dan
