dennisl

Honorary Members
Everything posted by dennisl

  1. Did the restore, but no sign of the file in the System32 folder, even if View is set to show hidden & system files.
  2. Same as before.

     Malwarebytes Anti-Malware 1.75.0.1300
     www.malwarebytes.org

     Database version: v2013.12.19.07

     Windows 7 Service Pack 1 x86 NTFS
     Internet Explorer 11.0.9600.16476

     19/12/2013 14:22:43
     mbam-log-2013-12-19 (14-22-43).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 237895
     Time elapsed: 10 minute(s),

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 1
     C:\Windows\System32\gBKgLLD.exe (Trojan.Agent.ZB) -> Quarantined and deleted successfully.

     (end)
  3. Results as follows.

     C:\Windows\System32\APUDuIP.exe    Win32/Spy.Agent.OCN trojan    cleaned by deleting - quarantined
     Operating memory    a variant of Win32/Yebot.AB trojan
  4. Many thanks. Think we still have a problem with the Trojan though. Here's the latest MWB log.

     Malwarebytes Anti-Malware 1.75.0.1300
     www.malwarebytes.org

     Database version: v2013.12.17.05

     Windows 7 Service Pack 1 x86 NTFS
     Internet Explorer 11.0.9600.16476
     xxx :: RAR-NB01 [administrator]

     18/12/2013 16:44:25
     mbam-log-2013-12-18 (16-44-25).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 237389
     Time elapsed: 9 minute(s), 55 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 1
     C:\Windows\System32\jyIseyz.exe (Trojan.Agent.ZB) -> Quarantined and deleted successfully.

     (end)
  5. Log files attached as requested. One issue remaining is that this message now appears at startup: "The 'secman.OutlookSecurityManager' COM object is not registered." AdwCleanerR2.txt AdwCleanerS1.txt mbam-log-2013-12-17 (16-46-59).txt
  6. Apologies for the delay. File has been deleted & log file attached. aswMBR.txt
  7. Link to results: https://www.virustotal.com/en/file/1ad78156646ad730b7cd9667dcc955868229919df28a94d6c57557a0a82adafa/analysis/1387053879/ The other file wasn't found.
  8. Please see log files attached: FRST.txt Addition.txt log.txt
  9. Thanks. Will run this tomorrow, sorry for the delay.
  10. Log files attached. Did another MWB scan after cleaning, but unfortunately the Trojan entry is still there. AdwCleanerS0.txt mbam-log-2013-12-12 (14-42-36).txt
  11. Thanks. Results of scans attached: attach.txt dds.txt RKreport0_S_12122013_100455.txt
  12. I was wondering if you could help with removal of Trojan.Agent.ZB? MBAM & MBAR find & delete it, but it reappears after reboot.

     Malwarebytes Anti-Malware 1.75.0.1300
     www.malwarebytes.org

     Database version: v2013.12.06.05

     Windows 7 Service Pack 1 x86 NTFS
     Internet Explorer 11.0.9600.16428
     NB01 [administrator]

     10/12/2013 17:56:37
     MBAM-log-2013-12-10 (18-57-24).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 250498
     Time elapsed: 28 minute(s), 12 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 1
     C:\Windows\System32\sdIZHhI.exe (Trojan.Agent.ZB) -> No action taken.

     Malwarebytes Anti-Rootkit BETA 1.07.0.1008
     www.malwarebytes.org

     Database version: v2013.12.10.06

     Windows 7 Service Pack 1 x86 NTFS
     Internet Explorer 11.0.9600.16428
     NB01 [administrator]

     10/12/2013 20:37:44
     mbar-log-2013-12-10 (20-37-44).txt

     Scan type: Quick scan
     Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
     Scan options disabled:
     Objects scanned: 248261
     Time elapsed: 1 hour(s), 42 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 1
     C:\Windows\System32\tJibjFv.exe (Trojan.Agent.ZB) -> Delete on reboot.

     Physical Sectors Detected: 0
     (No malicious items detected)

     Thanks, Dennis
  13. Please see below & attached.

     Results of screen317's Security Check version 0.99.67
     Windows 7 Service Pack 1 x86 (UAC is disabled!)
     Internet Explorer 10
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Security Center service is not running! This report may not be accurate!
     Windows Firewall Enabled!
     Microsoft Security Essentials
     Antivirus up to date!
     `````````Anti-malware/Other Utilities Check:`````````
     Malwarebytes Anti-Malware version 1.75.0.1300
     CCleaner
     Java 6 Update 37
     Java version out of Date!
     Google Chrome 27.0.1453.110
     Google Chrome 27.0.1453.116
     ````````Process Check: objlist.exe by Laurent````````
     Microsoft Security Essentials MSMpEng.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 0%
     ````````````````````End of Log``````````````````````
     AdwCleanerS1.txt
  14. Just one item: C:\Users\Users name\Documents\Downloads\IZArc4.1.6.exe Win32/OpenCandy application
  15. Seems OK now, but will post back if any issues reoccur. Many thanks for your assistance. FRST.txt
  16. Please see attached. Assume a reboot is needed? Fixlog.txt
  17. Many thanks for your quick reply. The virus blocked the downloads, so I downloaded on another computer & called them .txt. They were then transferred to the infected computer, renamed .exe & run. Log files attached: ark.txt FRST.txt Addition.txt
  18. A friend has the System Care Antivirus rogue program on his Windows 7 32-bit computer. I tried to run various anti-rootkits prior to MWB, but the virus kills the download, even if the file is renamed. I updated MWB, ran a scan & removed the infected files listed. After the restart I ran another scan & there were no issues found. I then tried to open Microsoft Security Essentials, but had the following message: "Windows cannot access the specified device. You may not have the appropriate permissions to access." I still can't get any files to download, including HijackThis, & get a message saying "Virus was deleted", or similar, even in Safe Mode. The MWB log follows. Any help would be appreciated. Dennis

     Malwarebytes Anti-Malware 1.75.0.1300
     www.malwarebytes.org

     Database version: v2013.06.20.04

     Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
     Internet Explorer 10.0.9200.16618

     20/06/2013 09:40:21
     mbam-log-2013-06-20 (09-40-21).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 234072
     Time elapsed: 5 minute(s), 13 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 1
     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|C08CB9811AFDAA750000C08BF8FAB003 (Trojan.FakeAV) -> Data: C:\ProgramData\C08CB9811AFDAA750000C08BF8FAB003\C08CB9811AFDAA750000C08BF8FAB003.exe -> Quarantined and deleted successfully.

     Registry Data Items Detected: 3
     HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
     HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
     HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

     Folders Detected: 1
     C:\ProgramData\IBUpdaterService (PUP.InstallBrain) -> Quarantined and deleted successfully.

     Files Detected: 3
     C:\ProgramData\C08CB9811AFDAA750000C08BF8FAB003\C08CB9811AFDAA750000C08BF8FAB003.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
     C:\$Recycle.Bin\S-1-5-21-960038448-2275100395-2325675950-1000\$R540E74D4 (Trojan.FakeMS) -> Quarantined and deleted successfully.
     C:\ProgramData\IBUpdaterService\repository.xml (PUP.InstallBrain) -> Quarantined and deleted successfully.

     (end)
  19. Is the "fix" for non-Zone Alarm users to uninstall, then use the cleanup tool & disable the virus scanner before downloading & installing the new version? Is it necessary to disable Comodo prior to install? Are ongoing definition updates then just a case of clicking the update button? Has the cause of the problem been identified yet, btw? Please can you give an idea if we are talking days, weeks or over a month for the new update? Thanks, Dennis
  20. Having read all the issues being experienced, including my own, I'm surprised this version is still being offered for download.
  21. Just thought I'd add my findings. Done 3 installs. The first on Windows 7 with Security Essentials, but no 3rd party firewall: installed without any problems. The second was on XP SP3 with Solo Antivirus & Comodo Firewall, where I did an uninstall of a very old version & then installed the latest without issues. However the third, on XP SP3 with Solo Antivirus & Comodo Firewall, was where I just clicked the update & had the problems reported in this thread. I've run the cleanup utility, but don't plan to use the product again until I see that the issue has been fixed, which it appears is being worked on.
  22. I can't identify these, I'm afraid. Due to the severity of the infection I've decided to reformat, as I need to get the computer back into action. Many thanks for all your assistance. Dennis
  23. Sorry, I won't be able to check until Monday, but the computer won't be used again until then, so there won't be any changes. I'll see if I can find out more about these items.
  24. The computer is very slow to load up the desktop icons, but fairly usable thereafter. The previously mentioned Zone Alarm related warning boxes & Solo Antivirus Application Data startup change are still present. Here's the latest logfile.

     ComboFix 10-09-30.03 - Peter 01/10/2010 15:24:23.10.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.705 [GMT 1:00]
     Running from: c:\documents and settings\Peter\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Peter\Desktop\CFScript.txt
     FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

     FILE ::
     "c:\documents and settings\Peter\Application Data\Eqqau\fuots.exe"
     "c:\program files\riv87\oops.exe"
     "c:\windows\Mmaci.dat"
     "c:\windows\Wrejupukalegete.bin"
     .

     (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     c:\documents and settings\Peter\Application Data\Eqqau
     c:\documents and settings\Peter\Application Data\Eqqau\fuots.exe
     c:\program files\Internet Explorer\complete.dat
     c:\program files\Internet Explorer\dmlconf.dat
     c:\program files\Microsoft\DesktopLayer.exe
     c:\program files\riv87
     c:\program files\riv87\oops.exe
     c:\windows\Mmaci.dat
     c:\windows\Wrejupukalegete.bin
     .
     (((((((((((((((((((((((((   Files Created from 2010-09-01 to 2010-10-01   )))))))))))))))))))))))))))))))
     .

     2010-10-01 14:41 . 2010-10-01 14:41   --------   d-----w-   c:\program files\riv87
     2010-09-27 16:10 . 2010-09-27 16:10   --------   d-----w-   c:\program files\ESET
     2010-09-20 09:21 . 2010-06-14 14:31   744448     -c----w-   c:\windows\system32\dllcache\helpsvc.exe
     2010-09-09 12:39 . 2010-09-09 12:39   --------   d-----w-   c:\program files\Trend Micro
     2010-09-07 21:43 . 2010-10-01 14:41   --------   d-----w-   c:\program files\Microsoft
     .
     ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-10-01 14:41 . 2010-05-20 01:23   1229       ----a-w-   c:\documents and settings\Peter\Application Data\Seeb\uzde.exe
     2010-10-01 14:41 . 2010-05-20 01:23   --------   d-----w-   c:\documents and settings\Peter\Application Data\Seeb
     2010-10-01 14:39 . 2009-07-09 11:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\Kontiki
     2010-10-01 14:22 . 2010-07-21 14:49   0          ----a-w-   c:\documents and settings\Peter\Application Data\Trusteer\Rapport\RapportBukaExt.dll
     2010-10-01 14:09 . 2008-09-06 15:22   --------   d-----w-   c:\documents and settings\Peter\Application Data\Hoodeh
     2010-10-01 09:53 . 2008-04-08 15:32   4212       ---ha-w-   c:\windows\system32\zllictbl.dat
     2010-10-01 09:33 . 2008-10-25 09:01   --------   d-----w-   c:\documents and settings\Peter\Application Data\Elah
     2010-09-30 13:25 . 2010-07-19 15:33   --------   d-----w-   c:\documents and settings\Peter\Application Data\Oxto
     2010-09-30 08:08 . 2009-10-10 13:11   --------   d-----w-   c:\documents and settings\Peter\Application Data\Iqimun
     2010-09-29 12:45 . 2009-07-28 02:30   --------   d-----w-   c:\documents and settings\Peter\Application Data\Ruafa
     2010-09-29 12:08 . 2010-06-28 16:54   --------   d-----w-   c:\program files\QuickTime
     2010-09-29 11:54 . 2008-08-08 10:23   --------   d-----w-   c:\program files\Cricinfo Toolbar
     2010-09-29 11:33 . 2009-07-10 06:39   --------   d-----w-   c:\documents and settings\Peter\Application Data\Naylr
     2010-09-28 20:19 . 2009-12-01 18:15   --------   d-----w-   c:\documents and settings\Peter\Application Data\Omgix
     2010-09-28 20:13 . 2009-03-09 01:01   --------   d-----w-   c:\documents and settings\Peter\Application Data\Yvria
     2010-09-27 16:58 . 2010-03-11 08:13   --------   d-----w-   c:\documents and settings\Peter\Application Data\Dadaet
     2010-09-27 16:54 . 2010-07-20 12:10   --------   d-----w-   c:\program files\ZoneAlarm
     2010-09-27 16:51 . 2008-04-11 14:04   --------   d-----w-   c:\program files\SopCast
     2010-09-27 16:49 . 2008-04-11 14:09   --------   d-----w-   c:\program files\Safari
     2010-09-27 16:48 . 2010-07-20 08:46   --------   d-----w-   c:\program files\Registry Patrol
     2010-09-27 16:39 . 2008-04-11 14:07   --------   d-----w-   c:\program files\PCLinq2 Hi-Speed USB Bridge Cable
     2010-09-27 16:33 . 2010-08-05 21:18   --------   d-----w-   c:\program files\Free M4a to MP3 Converter
     2010-09-27 16:28 . 2009-08-06 10:59   --------   d-----w-   c:\program files\Avanquest update
     2010-09-27 16:17 . 2010-05-02 04:00   --------   d-----w-   c:\documents and settings\Peter\Application Data\Ceula
     2010-09-24 13:11 . 2010-01-01 09:32   --------   d-----w-   c:\documents and settings\Peter\Application Data\Hehi
     2010-09-24 12:56 . 2009-05-12 15:49   --------   d-----w-   c:\documents and settings\Peter\Application Data\Syucac
     2010-09-22 14:56 . 2010-07-02 05:58   --------   d-----w-   c:\documents and settings\Peter\Application Data\Keel
     2010-09-20 09:59 . 2009-07-07 09:57   --------   d-----w-   c:\program files\Microsoft Silverlight
     2010-09-20 09:53 . 2008-04-08 14:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
     2010-09-20 08:52 . 2009-03-27 08:28   --------   d-----w-   c:\documents and settings\Peter\Application Data\Raar
     2010-09-20 07:58 . 2010-04-04 13:22   --------   d-----w-   c:\documents and settings\Peter\Application Data\Nusy
     2010-09-16 12:18 . 2009-06-16 08:40   --------   d-----w-   c:\program files\Reali-Design
     2010-09-09 10:50 . 2010-02-23 08:00   --------   d-----w-   c:\documents and settings\Peter\Application Data\Uxmoez
     2010-09-09 08:49 . 2008-09-11 11:27   --------   d-----w-   c:\documents and settings\Peter\Application Data\Kaiz
     2010-09-09 08:31 . 2009-10-07 14:59   --------   d-----w-   c:\documents and settings\Peter\Application Data\Ydaz
     2010-09-09 08:10 . 2008-04-30 02:42   --------   d-----w-   c:\documents and settings\Peter\Application Data\Utakl
     2010-09-09 08:04 . 2009-07-10 05:35   --------   d-----w-   c:\documents and settings\Peter\Application Data\Qeca
     2010-09-09 07:48 . 2010-05-07 10:07   --------   d-----w-   c:\documents and settings\Peter\Application Data\Ogoton
     2010-09-08 15:04 . 2008-09-29 02:51   --------   d-----w-   c:\documents and settings\Peter\Application Data\Ewrahi
     2010-09-08 14:40 . 2010-05-16 11:24   --------   d-----w-   c:\documents and settings\Peter\Application Data\Oqid
     2010-09-08 14:40 . 2010-01-21 11:30   --------   d-----w-   c:\documents and settings\Peter\Application Data\Axyduc
     2010-09-08 14:31 . 2008-09-22 14:26   --------   d-----w-   c:\documents and settings\Peter\Application Data\Geope
     2010-09-08 14:29 . 2009-01-19 14:21   29748924   ----a-w-   c:\windows\Internet Logs\tvDebug.Zip
     2010-09-07 22:13 . 2009-01-08 15:12   664        ----a-w-   c:\windows\system32\d3d9caps.dat
     2010-09-07 22:04 . 2009-08-11 19:27   162304     ----a-w-   C:\UNWISE.EXE
     2010-09-07 22:03 . 2008-07-12 09:38   --------   d-----w-   c:\documents and settings\Peter\Application Data\Foacru
     2010-09-07 21:45 . 2008-10-06 17:24   110592     ----a-w-   c:\documents and settings\Peter\Application Data\U3\temp\cleanup.exe
     2010-09-07 21:45 . 2009-06-12 11:53   152576     ----a-w-   c:\documents and settings\Peter\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
     2010-09-07 21:45 . 2010-05-23 12:07   348160     ----a-w-   c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-70c9cf9b-n\msvcr71.dll
     2010-09-07 21:43 . 2010-07-01 11:07   434176     ----a-w-   c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
     2010-09-07 21:43 . 2010-03-01 21:16   249856     ----a-w-   c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBukaBroom.dll
     2010-09-07 21:43 . 2010-09-08 15:02   170982     ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
     2010-09-01 13:37 . 2010-03-16 18:36   --------   d-----w-   c:\documents and settings\Peter\Application Data\Ofexug
     2010-08-17 13:17 . 2004-08-04 10:00   58880      ----a-w-   c:\windows\system32\spoolsv.exe
     2010-07-26 12:36 . 2010-07-26 12:36   73000      ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
     2010-07-22 15:49 . 2004-08-04 10:00   590848     ----a-w-   c:\windows\system32\rpcrt4.dll
     2010-07-22 05:57 . 2010-04-06 11:12   5120       ----a-w-   c:\windows\system32\xpsp4res.dll
     2010-07-21 14:49 . 2010-07-21 14:49   339968     ----a-w-   c:\windows\system32\RapportBuka.dll
     2010-07-20 10:20 . 2010-07-20 10:20   38         ----a-w-   c:\windows\SOLOSCAN.BAT
     .
     (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
     "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

     [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

     [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
     2010-05-09 10:50   2517088   ----a-w-   c:\program files\ZoneAlarm\tbZone.dll

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
     "{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

     [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
     "{66F2E20D-0DA8-4C11-A9C8-DD8477B88ACD}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

     [HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "{E0A2501B-F1A1-65FB-2FEA-50C8FA682158}"="c:\documents and settings\Peter\Application Data\Adwiom\urcum.exe" [2008-08-18 113664]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2010-09-09 860160]
     "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2010-09-09 753664]
     "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-14 77824]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
     "SoloSentry"="c:\srnmic~1\SOLOSENT.EXE" [2010-09-20 135168]
     "SoloSchedule"="c:\srnmic~1\SOLOCFG.EXE" [2010-09-20 360448]
     "SoloSysCheck"="c:\srnmic~1\SYSCHECK.COM" [2010-03-27 237568]
     "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
     "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
     @="Service"

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
     2010-07-13 14:10   47904   ----a-w-   c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
     2008-08-13 13:34   1891416   ----a-w-   c:\garmin\gStart.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
     2006-07-14 16:08   118784   ----a-w-   c:\windows\system32\igfxpers.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
     2006-07-14 16:07   94208   ----a-w-   c:\windows\system32\igfxtray.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Inini]
     2008-04-14 00:12   33280   ----a-w-   c:\windows\system32\rundll32.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW]
     2010-05-26 13:35   730600   ----a-w-   c:\program files\CheckPoint\ZAForceField\ForceField.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
     2010-07-21 14:53   141608   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcexecwin]
     2008-04-14 00:12   33280   ----a-w-   c:\windows\system32\rundll32.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
     2009-11-10 09:14   443728   ----a-w-   c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
     2010-09-07 21:59   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
     2007-05-10 09:22   405504   ----a-w-   c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001
     "AntiVirusDisableNotify"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
     "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
     "c:\\Program Files\\SopCast\\SopCast.exe"=
     "c:\\Program Files\\Common Files\\ProspectSoft Shared\\ASA\\Win32\\dbeng9.exe"=
     "c:\\Program Files\\Kontiki\\KService.exe"=
     "c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=

     R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [01/03/2010 22:16 390528]
     R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 14:35 26352]
     R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 14:35 493032]
     R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [01/07/2010 12:07 840936]
     S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [01/07/2010 12:07 0]
     S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [01/07/2010 12:07 0]
     S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
     S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
     S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [06/08/2009 11:58 90408]
     S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [06/08/2009 11:58 15016]
     S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [06/08/2009 11:58 122024]
     S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [06/08/2009 11:59 115368]
     S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [06/08/2009 11:59 25768]
     S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [06/08/2009 11:59 111784]
     S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [06/08/2009 11:59 117544]
     .
     Contents of the 'Scheduled Tasks' folder

     2010-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.co.uk/
     uInternet Connection Wizard,ShellNext = hxxp://downloadcenter.intel.com/detail_desc.aspx?DwnldID=8061&ProductID=1784
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
     .
     - - - - ORPHANS REMOVED - - - -

     HKLM-Run-nonep - c:\program files\riv87\oops.exe

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-10-01 15:43
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'explorer.exe'(2252)
     c:\windows\system32\WININET.dll
     c:\program files\Trusteer\Rapport\bin\rooksbas.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\System32\SCardSvr.exe
     c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Kontiki\KService.exe
     c:\program files\Internet Explorer\iexplore.exe
     c:\program files\Trusteer\Rapport\bin\RapportService.exe
     .
     **************************************************************************
     .
     Completion time: 2010-10-01 15:51:38 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-10-01 14:51
     ComboFix2.txt 2010-10-01 10:03
     ComboFix3.txt 2010-09-30 14:07
     ComboFix4.txt 2010-09-30 09:54
     ComboFix5.txt 2010-10-01 14:14

     Pre-Run: 74,287,087,616 bytes free
     Post-Run: 72,592,588,800 bytes free

     - - End Of File - - B5AA1FE6DDE3DDDF6FFCF4D0C2883F43
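Added example (my code, not anything from the thread, the helpers or Malwarebytes): a small parser for the "Files Detected" section of MBAM/MBAR logs of the format quoted in posts 12, 4, 2 and 18, plus a correlation step that flags the pattern those posts show: the same detection name in the same directory, but under a different random-looking file name in every scan. The sample logs are constructed from the detection lines the posts quote and trimmed to the lines the parser needs; the regular expressions and the 6-8-letter mixed-case file-name heuristic are my assumptions about the format, not anything Malwarebytes documents.

```python
"""Correlate 'Files Detected' entries across several Malwarebytes logs."""
import re
from collections import defaultdict

# Constructed sample logs, trimmed to header and detection lines. Paths,
# detection names and actions are the ones quoted in the posts above.
SAMPLE_LOGS = [
    """Malwarebytes Anti-Malware 1.75.0.1300
Database version: v2013.12.06.05
MBAM-log-2013-12-10 (18-57-24).txt
Scan type: Quick scan
Registry Values Detected: 0
(No malicious items detected)
Files Detected: 1
C:\\Windows\\System32\\sdIZHhI.exe (Trojan.Agent.ZB) -> No action taken.
(end)
""",
    """Malwarebytes Anti-Rootkit BETA 1.07.0.1008
mbar-log-2013-12-10 (20-37-44).txt
Files Detected: 1
C:\\Windows\\System32\\tJibjFv.exe (Trojan.Agent.ZB) -> Delete on reboot.
Physical Sectors Detected: 0
(No malicious items detected)
""",
    """Malwarebytes Anti-Malware 1.75.0.1300
mbam-log-2013-12-18 (16-44-25).txt
Files Detected: 1
C:\\Windows\\System32\\jyIseyz.exe (Trojan.Agent.ZB) -> Quarantined and deleted successfully.
(end)
""",
    """Malwarebytes Anti-Malware 1.75.0.1300
mbam-log-2013-12-19 (14-22-43).txt
Files Detected: 1
C:\\Windows\\System32\\gBKgLLD.exe (Trojan.Agent.ZB) -> Quarantined and deleted successfully.
(end)
""",
    """Malwarebytes Anti-Malware 1.75.0.1300
mbam-log-2013-06-20 (09-40-21).txt
Registry Values Detected: 1
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce|C08CB9811AFDAA750000C08BF8FAB003 (Trojan.FakeAV) -> Data: C:\\ProgramData\\C08CB9811AFDAA750000C08BF8FAB003\\C08CB9811AFDAA750000C08BF8FAB003.exe -> Quarantined and deleted successfully.
Files Detected: 1
C:\\ProgramData\\C08CB9811AFDAA750000C08BF8FAB003\\C08CB9811AFDAA750000C08BF8FAB003.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
(end)
""",
]

# Assumed log format: one "<Section> Detected: <n>" header per section, a
# "mbam-log-... .txt" / "mbar-log-... .txt" name line, and detection lines
# of the form "<path> (<detection>) -> <action>."
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
LOG_NAME_RE = re.compile(r"^mba[mr]-log-\d{4}-\d{2}-\d{2} \(\d{2}-\d{2}-\d{2}\)\.txt$", re.I)
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>[^.]+)\.?$")
# Heuristic (my assumption): 6-8 letters with at least one capital and no
# digits, like the names the posts quote (sdIZHhI.exe, tJibjFv.exe, ...).
RANDOM_NAME_RE = re.compile(r"^(?=.*[A-Z])[A-Za-z]{6,8}\.exe$")


def parse_mbam_log(text):
    """Return (log_name, path, detection, action) for each 'Files Detected' entry."""
    log_name, section, entries = "<unknown>", None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOG_NAME_RE.match(line):
            log_name = line
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header["section"]
            continue
        if line == "(end)":
            break
        if section == "Files":  # registry/folder sections are deliberately skipped
            hit = DETECTION_RE.match(line)
            if hit:
                entries.append((log_name, hit["path"], hit["name"], hit["action"]))
    return entries


def find_regenerating_detections(logs, min_logs=2):
    """Group file detections by (directory, detection name).

    A group seen in at least `min_logs` separate logs under different file
    names means every scan removed a freshly written copy: whatever writes
    the file is not being detected, which is the Trojan.Agent.ZB pattern.
    """
    groups = defaultdict(list)
    for text in logs:
        for log_name, path, name, action in parse_mbam_log(text):
            directory, _, filename = path.rpartition("\\")
            groups[(directory.lower(), name)].append((log_name, filename, action))
    findings = []
    for (directory, name), hits in sorted(groups.items()):
        logs_seen = sorted({h[0] for h in hits})
        files_seen = sorted({h[1] for h in hits})
        if len(logs_seen) >= min_logs and len(files_seen) > 1:
            findings.append({
                "directory": directory,
                "detection": name,
                "logs": logs_seen,
                "files": files_seen,
                "actions": sorted({h[2] for h in hits}),
                "random_looking": all(RANDOM_NAME_RE.match(f) for f in files_seen),
            })
    return findings


if __name__ == "__main__":
    for f in find_regenerating_detections(SAMPLE_LOGS):
        print(f"{f['detection']} in {f['directory']}: {len(f['files'])} different names "
              f"over {len(f['logs'])} scans; actions: {', '.join(f['actions'])}")
```

On the constructed logs the only finding is Trojan.Agent.ZB in c:\windows\system32 with four different 7-letter names over four scans; the Trojan.FakeAV entry from post 18 is a single hit in one log and is not flagged. When this fires, deleting the file again is not progress: the component that recreates it has to be found, which is what the later ESET result in post 3 (a Win32/Yebot.AB variant in operating memory alongside the System32 file) points at.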