sparky182

Everything posted by sparky182

  1. I don't think so, it seems fine. Running Spybot now, just in case. Do you think it's all clear then?? Yipee! Can you recommend any other programs that would help prevent this happening again, as AVG didn't do a brilliant job :/ Maybe a better firewall??
  2. Scan finished, 0 infections, 0 warnings, absolutely nothing :):)
  3. Oops, I mean, do you want me to do the AVG scan again or the online one again? I'm running AVG now; the test results from last night said no infections but there were like 25 warnings... tracking cookies etc., all been healed or moved to the virus vault.
  4. Well, it found 21 things and healed them all... there hasn't been anything popping up so far with AVG and I did a scan too and it's fine... shall I run it again for safe measure or shall we wait?
  5. I'm so stupid arghhh. Just finished the scan, opened the folder for the log, uninstalled it, then tried to open the log and obviously it had been deleted! Arghhh! So sorry, it had 21 threats though, all healed... sorry ;)
  6. Ahah, I thought it was all fixed and lovely. But nope. 8 threats! 7 in the System Volume Information folder... Trojan horse PSW.Agent.AJPA. And one in C:\adobe\plugs.... Trojan horse Hiloti.BW. Lots of files with broken signatures too? C:\Windows\Installer\28fc128.msi and things like that... sad times. I think AVG will be able to put the Adobe one in the virus vault, but what about the System Volume Information ones? :/ What to do, what to do???
  7. ComboFix 10-11-30.02 - User 30/11/2010 22:22:57.5.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.539 [GMT 0:00]
     Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
     Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

     FILE ::
     "c:\documents and settings\Default User\Start Menu\Programs\Startup\encu.exe"
     "c:\documents and settings\Default User\Start Menu\Programs\Startup\erci.exe"
     "c:\documents and settings\Default User\Start Menu\Programs\Startup\sytyo.exe"
     .

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     c:\documents and settings\Default User\Start Menu\Programs\Startup\encu.exe
     c:\documents and settings\Default User\Start Menu\Programs\Startup\erci.exe
     c:\documents and settings\Default User\Start Menu\Programs\Startup\sytyo.exe
     .
     ((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))
     .

     2010-11-28 21:27 . 2010-11-28 21:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
     2010-11-28 21:20 . 2010-11-30 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
     2010-11-28 21:11 . 2010-11-30 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
     2010-11-28 20:49 . 2010-11-28 20:49 -------- d-----w- C:\Adobe
     2010-11-28 20:47 . 2010-11-28 20:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
     2010-11-28 19:58 . 2010-11-28 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
     2010-11-27 16:32 . 2010-11-27 16:32 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
     2010-11-27 16:31 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-11-27 16:31 . 2010-11-27 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-11-27 16:31 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-11-27 16:31 . 2010-11-27 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-11-26 22:13 . 2010-11-29 10:03 -------- d-----w- c:\program files\HiJack This
     2010-11-24 15:05 . 2010-11-24 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
     2010-11-24 15:04 . 2010-11-24 15:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
     2010-11-24 15:04 . 2010-11-24 15:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
     2010-11-22 22:29 . 2010-11-23 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
     2010-11-22 22:29 . 2010-11-23 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2010-11-22 16:08 . 2010-11-22 17:42 -------- d-----w- c:\documents and settings\User\Application Data\AVG
     2010-11-22 16:08 . 2010-11-28 22:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
     2010-11-19 22:24 . 2010-11-19 22:24 189 ----a-w- c:\documents and settings\User\Application Data\Microsoft\gb_1515781.bat
     2010-11-17 23:25 . 2010-11-17 23:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-11-16 13:33 . 2009-12-05 17:46 63941 ----a-w- c:\documents and settings\User\Application Data\mdbu.bin
     2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
     2010-09-18 11:23 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42u.dll
     2010-09-18 06:53 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42.dll
     2010-09-18 06:53 . 2008-11-18 20:17 954368 ----a-w- c:\windows\system32\mfc40.dll
     2010-09-18 06:53 . 2008-11-18 20:17 953856 ----a-w- c:\windows\system32\mfc40u.dll
     2010-09-10 05:58 . 2008-11-18 20:19 916480 ----a-w- c:\windows\system32\wininet.dll
     2010-09-10 05:58 . 2008-11-18 20:17 43520 ----a-w- c:\windows\system32\licmgr10.dll
     2010-09-10 05:58 . 2008-11-18 20:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
     2009-01-18 20:32 . 2009-01-18 20:31 1144136 ----a-w- c:\program files\wlsetup-custom.exe
     .
     ((((((((((((((((((((((((((((( SnapShot@2010-11-29_10.51.37 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2010-11-30 22:25 . 2010-11-30 22:25 16384 c:\windows\Temp\Perflib_Perfdata_cc0.dat
     + 2010-11-30 22:15 . 2010-11-30 22:15 16384 c:\windows\Temp\Perflib_Perfdata_94.dat
     + 2010-11-30 21:16 . 2010-11-30 21:16 3065856 c:\windows\Installer\1f5563.msi
     + 2010-11-30 21:13 . 2010-11-30 21:13 1548288 c:\windows\Installer\1f555f.msi
     + 2010-11-29 23:37 . 2010-11-29 23:37 3065856 c:\windows\Installer\161e71.msi
     + 2010-11-29 23:35 . 2010-11-29 23:35 1548288 c:\windows\Installer\161e6d.msi
     + 2010-11-29 16:48 . 2010-11-29 16:48 3065856 c:\windows\Installer\1598f77.msi
     + 2010-11-29 16:45 . 2010-11-29 16:45 1548288 c:\windows\Installer\1598f73.msi
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-09-29 21755688]
     "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
     "Device Detection"="c:\program files\Bonusprint\Photoservice\dd.exe" [2007-11-08 101376]
     "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-07 155648]
     "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
     "CHotkey"="zHotkey.exe" [2004-05-18 543232]
     "ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
     "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
     "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
     "SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]
     "AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]
     "CameraFixer"="c:\windows\CameraFixer.exe" [2005-10-03 20480]
     "tsnp2std"="c:\windows\tsnp2std.exe" [2005-11-03 106496]
     "snp2std"="c:\windows\vsnp2std.exe" [2005-08-16 339968]
     "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
     "NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2010-03-04 2192672]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

     c:\documents and settings\User\Start Menu\Programs\Startup\
     SkypeMate.lnk - c:\program files\SkypeMate\SkypeMate.exe [2007-5-22 405504]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
     2009-08-16 09:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
     2010-04-27 17:24 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
     @="Driver"

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Spotify\\spotify.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\WINDOWS\\system32\\dpvsetup.exe"=

     R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240]
     R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]
     R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]
     R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]
     S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/04/2010 17:57 135664]
     .
     Contents of the 'Scheduled Tasks' folder

     2010-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

     2010-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]

     2010-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]
     .
     .
     ------- Supplementary Scan -------
     .
     IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-11-30 22:31
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(676)
     c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
     .
     Completion time: 2010-11-30 22:34:57
     ComboFix-quarantined-files.txt 2010-11-30 22:34
     ComboFix2.txt 2010-11-30 21:00
     ComboFix3.txt 2010-11-29 23:30
     ComboFix4.txt 2010-11-29 10:55
     ComboFix5.txt 2010-11-30 22:21

     Pre-Run: 44,726,988,800 bytes free
     Post-Run: 44,707,274,752 bytes free

     - - End Of File - - 5ADBF66C57FAEB1E6F28DE54C9C4C138

     Also, it wanted to send some malware files for further analysis but couldn't connect to the web server, so it saved them on the C drive.
  8. ComboFix 10-11-30.02 - User 30/11/2010 20:49:54.4.1 - x86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.607 [GMT 0:00]
     Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
     .

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc11.tmp
     c:\documents and settings\User\Start Menu\Programs\Win HDD
     c:\documents and settings\User\Start Menu\Programs\Win HDD\Uninstall Win HDD.lnk
     .
     ((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))
     .

     2010-11-28 21:27 . 2010-11-28 21:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
     2010-11-28 21:20 . 2010-11-30 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
     2010-11-28 21:11 . 2010-11-29 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
     2010-11-28 20:49 . 2010-11-28 20:49 -------- d-----w- C:\Adobe
     2010-11-28 20:47 . 2010-11-28 20:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
     2010-11-28 19:58 . 2010-11-28 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
     2010-11-27 16:32 . 2010-11-27 16:32 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
     2010-11-27 16:31 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-11-27 16:31 . 2010-11-27 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-11-27 16:31 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-11-27 16:31 . 2010-11-27 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-11-26 22:13 . 2010-11-29 10:03 -------- d-----w- c:\program files\HiJack This
     2010-11-24 15:05 . 2010-11-24 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
     2010-11-24 15:04 . 2010-11-24 15:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
     2010-11-24 15:04 . 2010-11-24 15:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
     2010-11-22 22:29 . 2010-11-23 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
     2010-11-22 22:29 . 2010-11-23 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2010-11-22 16:08 . 2010-11-22 17:42 -------- d-----w- c:\documents and settings\User\Application Data\AVG
     2010-11-22 16:08 . 2010-11-28 22:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
     2010-11-19 22:24 . 2010-11-19 22:24 189 ----a-w- c:\documents and settings\User\Application Data\Microsoft\gb_1515781.bat
     2010-11-17 23:25 . 2010-11-17 23:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-11-16 13:33 . 2009-12-05 17:46 63941 ----a-w- c:\documents and settings\User\Application Data\mdbu.bin
     2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
     2010-09-18 11:23 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42u.dll
     2010-09-18 06:53 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42.dll
     2010-09-18 06:53 . 2008-11-18 20:17 954368 ----a-w- c:\windows\system32\mfc40.dll
     2010-09-18 06:53 . 2008-11-18 20:17 953856 ----a-w- c:\windows\system32\mfc40u.dll
     2010-09-10 05:58 . 2008-11-18 20:19 916480 ----a-w- c:\windows\system32\wininet.dll
     2010-09-10 05:58 . 2008-11-18 20:17 43520 ----a-w- c:\windows\system32\licmgr10.dll
     2010-09-10 05:58 . 2008-11-18 20:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
     2009-01-18 20:32 . 2009-01-18 20:31 1144136 ----a-w- c:\program files\wlsetup-custom.exe
     .
     ((((((((((((((((((((((((((((( SnapShot@2010-11-29_10.51.37 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2010-11-30 20:39 . 2010-11-30 20:39 16384 c:\windows\Temp\Perflib_Perfdata_d0.dat
     + 2010-11-30 20:49 . 2010-11-30 20:49 16384 c:\windows\Temp\Perflib_Perfdata_9d4.dat
     + 2010-11-29 23:37 . 2010-11-29 23:37 3065856 c:\windows\Installer\161e71.msi
     + 2010-11-29 23:35 . 2010-11-29 23:35 1548288 c:\windows\Installer\161e6d.msi
     + 2010-11-29 16:48 . 2010-11-29 16:48 3065856 c:\windows\Installer\1598f77.msi
     + 2010-11-29 16:45 . 2010-11-29 16:45 1548288 c:\windows\Installer\1598f73.msi
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-09-29 21755688]
     "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
     "Device Detection"="c:\program files\Bonusprint\Photoservice\dd.exe" [2007-11-08 101376]
     "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-07 155648]
     "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
     "CHotkey"="zHotkey.exe" [2004-05-18 543232]
     "ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
     "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
     "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
     "SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]
     "AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]
     "CameraFixer"="c:\windows\CameraFixer.exe" [2005-10-03 20480]
     "tsnp2std"="c:\windows\tsnp2std.exe" [2005-11-03 106496]
     "snp2std"="c:\windows\vsnp2std.exe" [2005-08-16 339968]
     "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
     "NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2010-03-04 2192672]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

     c:\documents and settings\User\Start Menu\Programs\Startup\
     SkypeMate.lnk - c:\program files\SkypeMate\SkypeMate.exe [2007-5-22 405504]

     c:\documents and settings\Default User\Start Menu\Programs\Startup\
     encu.exe [2010-11-28 189736]
     erci.exe [2010-11-28 153600]
     sytyo.exe [2010-11-28 153600]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
     2009-08-16 09:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
     2010-04-27 17:24 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
     @="Driver"

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Spotify\\spotify.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\WINDOWS\\system32\\dpvsetup.exe"=

     R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240]
     R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]
     R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]
     R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]
     S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/04/2010 17:57 135664]
     .
     Contents of the 'Scheduled Tasks' folder

     2010-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

     2010-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]

     2010-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]
     .
     .
     ------- Supplementary Scan -------
     .
     IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-11-30 20:57
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
     @Denied: (A 2) (Everyone)
     @="FlashBroker"
     "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
     "Enabled"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
     @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

     [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
     @Denied: (A 2) (Everyone)
     @="IFlashBroker4"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
     @="{00020424-0000-0000-C000-000000000046}"

     [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
     @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
     "Version"="1.0"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(676)
     c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
     .
     Completion time: 2010-11-30 21:00:49
     ComboFix-quarantined-files.txt 2010-11-30 21:00
     ComboFix2.txt 2010-11-29 23:30
     ComboFix3.txt 2010-11-29 10:55
     ComboFix4.txt 2010-11-28 23:47

     Pre-Run: 45,034,086,400 bytes free
     Post-Run: 45,005,406,208 bytes free

     - - End Of File - - DF23079A03E0D425342E2C06EFFEBDA4
  9. Sent the file, by the way. AVG is popping up that svchost.exe is infected with a trojan.
  10. ComboFix 10-11-29.03 - User 29/11/2010 23:19:15.3.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.532 [GMT 0:00] Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt file zipped: c:\windows\system32\YCemSCi.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\User\Application Data\Oqfeeg c:\documents and settings\User\Application Data\Oqfeeg\alyl.exe c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC7.tmp c:\windows\system32\YCemSCi.exe . ((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 ))))))))))))))))))))))))))))))) . 2010-11-28 21:27 . 2010-11-28 21:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files 2010-11-28 21:20 . 2010-11-29 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10 2010-11-28 21:11 . 2010-11-29 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2010-11-28 20:49 . 2010-11-28 20:49 -------- d-----w- C:\Adobe 2010-11-28 20:47 . 2010-11-28 20:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-11-28 19:58 . 2010-11-28 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7 2010-11-27 16:32 . 2010-11-27 16:32 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes 2010-11-27 16:31 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-11-27 16:31 . 2010-11-27 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-11-27 16:31 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-11-27 16:31 . 2010-11-27 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-11-26 22:13 . 
2010-11-29 10:03 -------- d-----w- c:\program files\HiJack This 2010-11-24 15:05 . 2010-11-24 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE 2010-11-24 15:04 . 2010-11-24 15:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo! 2010-11-24 15:04 . 2010-11-24 15:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2010-11-22 22:29 . 2010-11-23 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy 2010-11-22 22:29 . 2010-11-23 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-11-22 16:08 . 2010-11-22 17:42 -------- d-----w- c:\documents and settings\User\Application Data\AVG 2010-11-22 16:08 . 2010-11-28 22:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-11-19 22:24 . 2010-11-19 22:24 189 ----a-w- c:\documents and settings\User\Application Data\Microsoft\gb_1515781.bat 2010-11-17 23:25 . 2010-11-17 23:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-16 13:33 . 2009-12-05 17:46 63941 ----a-w- c:\documents and settings\User\Application Data\mdbu.bin 2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys 2010-09-18 11:23 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2008-11-18 20:17 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2008-11-18 20:17 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-10 05:58 . 2008-11-18 20:19 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2008-11-18 20:17 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2008-11-18 20:16 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-01 11:51 . 
2008-11-18 20:15 285824 ----a-w- c:\windows\system32\atmfd.dll 2009-01-18 20:32 . 2009-01-18 20:31 1144136 ----a-w- c:\program files\wlsetup-custom.exe . ((((((((((((((((((((((((((((( SnapShot@2010-11-29_10.51.37 ))))))))))))))))))))))))))))))))))))))))) . + 2010-11-29 23:21 . 2010-11-29 23:21 16384 c:\windows\Temp\Perflib_Perfdata_b74.dat + 2010-11-29 23:11 . 2010-11-29 23:11 16384 c:\windows\Temp\Perflib_Perfdata_90.dat + 2010-11-29 16:48 . 2010-11-29 16:48 3065856 c:\windows\Installer\1598f77.msi + 2010-11-29 16:45 . 2010-11-29 16:45 1548288 c:\windows\Installer\1598f73.msi . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-09-29 21755688] "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856] "Device Detection"="c:\program files\Bonusprint\Photoservice\dd.exe" [2007-11-08 101376] "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-07 155648] "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952] "CHotkey"="zHotkey.exe" [2004-05-18 543232] "ShowWnd"="ShowWnd.exe" [2003-09-19 36864] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728] "AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 
149280] "CameraFixer"="c:\windows\CameraFixer.exe" [2005-10-03 20480] "tsnp2std"="c:\windows\tsnp2std.exe" [2005-11-03 106496] "snp2std"="c:\windows\vsnp2std.exe" [2005-08-16 339968] "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888] "NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2010-03-04 2192672] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\User\Start Menu\Programs\Startup\ SkypeMate.lnk - c:\program files\SkypeMate\SkypeMate.exe [2007-5-22 405504] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-16 09:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist] 2010-04-27 17:24 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Spotify\\spotify.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240] R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application 
Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792] R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320] R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/04/2010 17:57 135664] . Contents of the 'Scheduled Tasks' folder 2010-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57] 2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57] . . ------- Supplementary Scan ------- . IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html . - - - - ORPHANS REMOVED - - - - Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-11-29 23:25 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(676) c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll . Completion time: 2010-11-29 23:30:00 ComboFix-quarantined-files.txt 2010-11-29 23:29 ComboFix2.txt 2010-11-29 10:55 ComboFix3.txt 2010-11-28 23:47 Pre-Run: 45,196,701,696 bytes free Post-Run: 45,187,252,224 bytes free - - End Of File - - 4471D9EFE98D69B3D2801412CCB16D34 and the message said it couldn't connect to the server, so it's now saved as a file on my C drive to manually upload later.
  11. Just a note, these files: c:\documents and settings\User\Start Menu\Programs\Startup\irfaib.exe c:\documents and settings\User\Start Menu\Programs\Startup\mycuri.exe you asked to put in the Notepad file, and I did, but they haven't appeared on the new ComboFix log because they were the viruses AVG picked up on and put in the virus vault.
  12. Here's the ComboFix log: ComboFix 10-11-28.05 - User 29/11/2010 10:38:41.2.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.532 [GMT 0:00] Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt file zipped: c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\elrey.exe file zipped: c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\huin.exe file zipped: c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\koget.exe file zipped: c:\documents and settings\User\Start Menu\Programs\Startup\soaps.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\elrey.exe c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\huin.exe c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\koget.exe c:\documents and settings\User\Application Data\Cumi c:\documents and settings\User\Application Data\Cumi\odzoe.dyw c:\documents and settings\User\Application Data\Ewaw c:\documents and settings\User\Application Data\Ewaw\fynu.exe c:\documents and settings\User\Application Data\Intyin c:\documents and settings\User\Application Data\Lorae c:\documents and settings\User\Application Data\Lorae\uclym.due c:\documents and settings\User\Application Data\Oqorac c:\documents and settings\User\Application Data\Oqorac\ilos.fye c:\documents and settings\User\Application Data\Ovyri c:\documents and settings\User\Application Data\Ovyri\ufzyi.exe c:\documents and settings\User\Application Data\Toel c:\documents and settings\User\Application Data\Toel\myfe.exe c:\documents and settings\User\Application Data\Voyz c:\documents and settings\User\Application Data\Voyz\asag.arc c:\documents and settings\User\Application Data\Xelyc c:\documents and 
settings\User\Application Data\Xelyc\kequ.exe c:\documents and settings\User\Application Data\Ywomte c:\documents and settings\User\Application Data\Ywomte\opqub.exe c:\documents and settings\User\Start Menu\Programs\Startup\soaps.exe . ((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 ))))))))))))))))))))))))))))))) . 2010-11-28 21:27 . 2010-11-28 21:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files 2010-11-28 21:20 . 2010-11-29 10:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10 2010-11-28 21:11 . 2010-11-28 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2010-11-28 20:49 . 2010-11-28 20:49 -------- d-----w- C:\Adobe 2010-11-28 20:49 . 2009-03-08 04:31 45568 ----a-w- c:\windows\system32\YCemSCi.exe 2010-11-28 20:48 . 2010-11-28 20:48 -------- d-----w- c:\documents and settings\User\Application Data\Oqfeeg 2010-11-28 20:47 . 2010-11-28 20:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-11-28 19:58 . 2010-11-28 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7 2010-11-27 16:32 . 2010-11-27 16:32 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes 2010-11-27 16:31 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-11-27 16:31 . 2010-11-27 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-11-27 16:31 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-11-27 16:31 . 2010-11-27 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-11-26 22:13 . 2010-11-29 10:03 -------- d-----w- c:\program files\HiJack This 2010-11-24 15:05 . 2010-11-24 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE 2010-11-24 15:04 . 
2010-11-24 15:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo! 2010-11-24 15:04 . 2010-11-24 15:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2010-11-22 22:29 . 2010-11-23 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy 2010-11-22 22:29 . 2010-11-23 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-11-22 16:08 . 2010-11-22 17:42 -------- d-----w- c:\documents and settings\User\Application Data\AVG 2010-11-22 16:08 . 2010-11-28 22:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-11-19 22:24 . 2010-11-19 22:24 189 ----a-w- c:\documents and settings\User\Application Data\Microsoft\gb_1515781.bat 2010-11-17 23:25 . 2010-11-17 23:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-16 13:33 . 2009-12-05 17:46 63941 ----a-w- c:\documents and settings\User\Application Data\mdbu.bin 2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys 2010-09-18 11:23 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2008-11-18 20:17 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2008-11-18 20:17 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-10 05:58 . 2008-11-18 20:19 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2008-11-18 20:17 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2008-11-18 20:16 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-01 11:51 . 2008-11-18 20:15 285824 ----a-w- c:\windows\system32\atmfd.dll 2010-08-31 13:42 . 2008-11-18 20:19 1852800 ----a-w- c:\windows\system32\win32k.sys 2009-01-18 20:32 . 
2009-01-18 20:31 1144136 ----a-w- c:\program files\wlsetup-custom.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-09-29 21755688] "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856] "Device Detection"="c:\program files\Bonusprint\Photoservice\dd.exe" [2007-11-08 101376] "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-07 155648] "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952] "CHotkey"="zHotkey.exe" [2004-05-18 543232] "ShowWnd"="ShowWnd.exe" [2003-09-19 36864] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728] "AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280] "CameraFixer"="c:\windows\CameraFixer.exe" [2005-10-03 20480] "tsnp2std"="c:\windows\tsnp2std.exe" [2005-11-03 106496] "snp2std"="c:\windows\vsnp2std.exe" [2005-08-16 339968] "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888] "NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2010-03-04 2192672] "iTunesHelper"="c:\program 
files\iTunes\iTunesHelper.exe" [2010-06-15 141624] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\User\Start Menu\Programs\Startup\ SkypeMate.lnk - c:\program files\SkypeMate\SkypeMate.exe [2007-5-22 405504] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-16 09:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist] 2010-04-27 17:24 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Spotify\\spotify.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240] R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792] R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320] R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/04/2010 17:57 135664] . 
Contents of the 'Scheduled Tasks' folder 2010-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57] 2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57] . . ------- Supplementary Scan ------- . IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-11-29 10:51 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(676) c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll . Completion time: 2010-11-29 10:55:29 ComboFix-quarantined-files.txt 2010-11-29 10:55 ComboFix2.txt 2010-11-28 23:47 Pre-Run: 45,586,235,392 bytes free Post-Run: 45,555,490,816 bytes free - - End Of File - - 47F39FEED17EA912A4469FDA022501CA
  13. Ahh, that took much longer than I thought... mainly because my computer refused to uninstall AVG!!? But finally I was able to run ComboFix; here is the log: ComboFix 10-11-28.01 - User 28/11/2010 23:22:47.1.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.690 [GMT 0:00] Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\documents and settings\User\Application Data\Adobe\AdobeUpdate .exe c:\documents and settings\User\Application Data\Adobe\plugs c:\documents and settings\User\Application Data\Aznu c:\documents and settings\User\Application Data\Aznu\yzacy.exe c:\documents and settings\User\Application Data\Dodyxo c:\documents and settings\User\Application Data\Dodyxo\buycu.mim c:\documents and settings\User\Application Data\Dyebf c:\documents and settings\User\Application Data\Dyebf\fube.exe c:\documents and settings\User\Application Data\Gehy c:\documents and settings\User\Application Data\Gehy\daatt.exe c:\documents and settings\User\Application Data\Gepion c:\documents and settings\User\Application Data\Gepion\tige.vei c:\documents and settings\User\Application Data\Ifoqx c:\documents and settings\User\Application Data\Ifoqx\ecevt.apo c:\documents and settings\User\Application Data\Nuyduf c:\documents and settings\User\Application Data\Nuyduf\ikyf.ahg c:\documents and settings\User\Application Data\Ogoxmu c:\documents and settings\User\Application Data\Ogoxmu\syxyc.exe c:\documents and settings\User\Application Data\Riva c:\documents and settings\User\Application Data\Riva\izanh.wyy c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc10.tmp c:\documents and settings\User\Local Settings\Temporary Internet 
Files\mcc11.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc12.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc13.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc14.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc15.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc16.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc17.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc18.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc19.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc1A.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc1B.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc1C.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc1D.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc1E.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc1F.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc20.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc21.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc22.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc23.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc24.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc25.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc26.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc27.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc28.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc29.tmp c:\documents and settings\User\Local 
Settings\Temporary Internet Files\mcc2A.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc2B.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc2C.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc2D.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc2E.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc2F.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc30.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc31.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc32.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc33.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc34.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc35.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc36.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc37.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc38.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc39.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc3A.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc3B.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc3C.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc3D.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc3E.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc3F.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc40.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc41.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc42.tmp 
c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc43.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc44.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc45.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc46.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc47.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc48.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc49.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc4A.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc4B.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc4C.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc4D.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc4E.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc4F.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc50.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc51.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc52.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc53.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc54.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc55.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc56.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc57.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc58.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc59.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc5A.tmp c:\documents and settings\User\Local Settings\Temporary 
Internet Files\mcc5B.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc5C.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc5D.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc5E.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc5F.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc60.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc61.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc62.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc63.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc64.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc65.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc66.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc67.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc68.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc69.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6A.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6B.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6C.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6D.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6E.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6F.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc70.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc71.tmp c:\documents and 
settings\User\Local Settings\Temporary Internet Files\mcc72.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc73.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc74.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc75.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc76.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc77.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc78.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc79.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7A.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7B.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7C.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7D.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7E.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7F.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc80.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc81.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc82.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc83.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc84.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc85.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc86.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc87.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc88.tmp c:\documents and settings\User\Local Settings\Temporary Internet 
Files\mcc89.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8A.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8B.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8C.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8D.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8E.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8F.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc90.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc91.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc92.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc93.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc94.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc95.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc96.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc97.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc98.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc99.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9A.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9B.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9C.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9D.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9E.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9F.tmp c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA.tmp c:\documents and settings\User\Local 
Settings\Temporary Internet Files\mccA0.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA1.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA2.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA3.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA4.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA5.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA6.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA7.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA8.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA9.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccAA.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccAB.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccAC.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccAD.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccAE.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccAF.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB0.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB1.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB2.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB3.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB4.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB5.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB6.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB7.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB8.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB9.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccBA.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccBB.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccBC.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccBD.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccBE.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccBF.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC0.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC1.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC2.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC3.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC4.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC5.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC6.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC7.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC8.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC9.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccCA.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccCB.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccCC.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccCD.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccCE.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccCF.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccD.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccE.tmp
c:\documents and settings\User\Local Settings\Temporary Internet Files\mccF.tmp
c:\windows\ctizcr.dll

----- BITS: Possible infected sites -----

hxxp://download.yimg.com

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.
2010-11-28 21:27 . 2010-11-28 21:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-28 21:20 . 2010-11-28 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-11-28 21:19 . 2010-11-28 21:19 -------- d-----w- C:\$AVG
2010-11-28 21:11 . 2010-11-28 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-11-28 20:49 . 2010-11-28 20:49 -------- d-----w- C:\Adobe
2010-11-28 20:49 . 2009-03-08 04:31 45568 ----a-w- c:\windows\system32\YCemSCi.exe
2010-11-28 20:48 . 2010-11-28 20:48 -------- d-----w- c:\documents and settings\User\Application Data\Oqfeeg
2010-11-28 20:47 . 2010-11-28 20:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-28 19:58 . 2010-11-28 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
2010-11-27 16:32 . 2010-11-27 16:32 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-11-27 16:31 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-27 16:31 . 2010-11-27 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-27 16:31 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-27 16:31 . 2010-11-27 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-26 22:13 . 2010-11-28 19:18 -------- d-----w- c:\program files\HiJack This
2010-11-24 15:05 . 2010-11-24 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-11-24 15:04 . 2010-11-24 15:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-11-24 15:04 . 2010-11-24 15:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-11-22 22:29 . 2010-11-23 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-22 22:29 . 2010-11-23 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-11-22 16:08 . 2010-11-22 17:42 -------- d-----w- c:\documents and settings\User\Application Data\AVG
2010-11-22 16:08 . 2010-11-28 22:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-11-19 22:24 . 2010-11-19 22:24 189 ----a-w- c:\documents and settings\User\Application Data\Microsoft\gb_1515781.bat
2010-11-17 23:25 . 2010-11-17 23:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-16 13:33 . 2009-12-05 17:46 63941 ----a-w- c:\documents and settings\User\Application Data\mdbu.bin
2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2010-09-18 11:23 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-11-18 20:17 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-11-18 20:17 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2008-11-18 20:19 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2008-11-18 20:17 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2008-11-18 20:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2008-11-18 20:15 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-11-18 20:19 1852800 ----a-w- c:\windows\system32\win32k.sys
2009-01-18 20:32 . 2009-01-18 20:31 1144136 ----a-w- c:\program files\wlsetup-custom.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-09-29 21755688]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Device Detection"="c:\program files\Bonusprint\Photoservice\dd.exe" [2007-11-08 101376]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-07 155648]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"CHotkey"="zHotkey.exe" [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]
"CameraFixer"="c:\windows\CameraFixer.exe" [2005-10-03 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2005-11-03 106496]
"snp2std"="c:\windows\vsnp2std.exe" [2005-08-16 339968]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2010-03-04 2192672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\
elrey.exe [2010-11-28 189736]
huin.exe [2010-11-28 153600]
koget.exe [2010-11-28 153600]

c:\documents and settings\User\Start Menu\Programs\Startup\
irfaib.exe [2010-11-28 153600]
mycuri.exe [2010-11-28 153600]
SkypeMate.lnk - c:\program files\SkypeMate\SkypeMate.exe [2007-5-22 405504]
soaps.exe [2010-11-28 189736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 09:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-04-27 17:24 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/04/2010 17:57 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
HKU-Default-Run-Umusi - c:\windows\ctizcr.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-28 23:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\User\LOCALS~1\Temp\etilqs_4kohraPnbp5n5bv 0 bytes
c:\docume~1\User\LOCALS~1\Temp\etilqs_IptuzVUmctibcLI 0 bytes
c:\docume~1\User\LOCALS~1\Temp\etilqs_kLWN5HHHceWDvjx 0 bytes
c:\docume~1\User\LOCALS~1\Temp\etilqs_l93UCPFmqf1gknK 0 bytes
c:\docume~1\User\LOCALS~1\Temp\etilqs_nTQRw5KyXPBmtMH 0 bytes

scan completed successfully
hidden files: 5

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(1828)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\wscntfy.exe
c:\windows\zHotkey.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\Skype\Phone\Skype.exe
c:\documents and settings\User\Start Menu\Programs\Startup\irfaib.exe
c:\documents and settings\User\Start Menu\Programs\Startup\mycuri.exe
c:\documents and settings\User\Application Data\Ovyri\ufzyi.exe
c:\documents and settings\User\Start Menu\Programs\Startup\soaps.exe
c:\program files\iPod\bin\iPodService.exe
c:\documents and settings\User\Application Data\Toel\myfe.exe
c:\program files\Nokia\PC Connectivity Solution\ServiceLayer.exe
c:\program files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-11-28 23:47:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-28 23:47

Pre-Run: 45,326,090,240 bytes free
Post-Run: 45,848,186,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
timeout=2
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
[spybotsd]
timeout.old=30

- - End Of File - - 3F97594A9AE0BAA4C7B468DE4B3F4A15

After this I reinstalled AVG and it has popped up with two trojan threats. I know you said not to fix anything or perform any scans, but these were automatic and I've just put them in the virus vault. Sorry it took so long, what's next?
  14. Okay, here is the HiJack This! Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:55:09, on 28/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Bonusprint\Photoservice\dd.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\SkypeMate\SkypeMate.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/?lc=1033
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: BT Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
O4 - HKLM\..\Run: [NokiaMusic FastStart] "C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe" /command:faststart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Device Detection] C:\Program Files\Bonusprint\Photoservice\dd.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1577321890-803091373-1801922428-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Charlotte Hawkins')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SkypeMate.lnk = C:\Program Files\SkypeMate\SkypeMate.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1227023713062
O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonusprint.com/ukipc01/dow...geUploader4.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

-- End of file - 11579 bytes

And the Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5207

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

28/11/2010 18:47:14
mbam-log-2010-11-28 (18-47-14).txt

Scan type: Quick scan
Objects scanned: 165424
Time elapsed: 32 minute(s), 21 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe (Trojan.Agent.Gen) -> Unloaded process successfully.
C:\Documents and Settings\User\Application Data\Microsoft\svchost.exe (Trojan.Agent.Gen) -> Unloaded process successfully.
C:\Documents and Settings\User\Local Settings\Temp\dwm.exe (Trojan.Agent.Gen) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Microsoft\svchost.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\dwm.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Adobe\plugs\KB1823937.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Adobe\plugs\KB1831125.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
  15. Hi Borislav, thanks for helping! I've done most steps, just doing a scan with Malwarebytes and it's only been running for about 7 mins and has 8 infections as opposed to the other day when there were 6. Shall I still select get rid of all of them, or shall I post the new scan log now before I remove them? Thanks!
  16. And this is the MalwareBytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5199

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/11/2010 17:03:47
mbam-log-2010-11-27 (17-03-47).txt

Scan type: Quick scan
Objects scanned: 165393
Time elapsed: 27 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe (Trojan.Agent.Gen) -> No action taken.
C:\Documents and Settings\User\Local Settings\Temp\dwm.exe (Trojan.Agent.Gen) -> No action taken.
C:\Documents and Settings\User\Application Data\Adobe\plugs\KB1823937.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\User\Application Data\Adobe\plugs\KB1831125.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\User\Application Data\Microsoft\stor.cfg (Malware.Trace) -> No action taken.
C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> No action taken.
  17. This computer has been having serious problems lately, loads of trojans etc... It's my parents' computer and they have AVG free version and Spybot and now Malwarebytes... AVG picked up the trojans and put them in the virus vault yada yada. But now next time I'm round, Resident Shield is popping up constantly saying explorer.exe and system32/winlogin files are infected with win32/patched, and can't heal them, and can't get rid of them as they are important files. I downloaded HijackThis last night and am currently running Malwarebytes. This is my log for HijackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:15:07, on 26/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\CameraFixer.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Bonusprint\Photoservice\dd.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SkypeMate\SkypeMate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/?lc=1033
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\DOCUME~1\User\LOCALS~1\Temp\dwm.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: BT Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [showWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
O4 - HKLM\..\Run: [NokiaMusic FastStart] "C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe" /command:faststart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Device Detection] C:\Program Files\Bonusprint\Photoservice\dd.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1577321890-803091373-1801922428-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Charlotte Hawkins')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SkypeMate.lnk = C:\Program Files\SkypeMate\SkypeMate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1227023713062
O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonusprint.com/ukipc01/dow...geUploader4.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 11832 bytes

I've trailed through many a forum, some are saying download programs such as ComboFix, but I need a trainer and stuff, so if anybody can help me PLEASE I'd love you forever. Thanks!
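An added example, not from the thread or from any of the tools it names: a report-only PowerShell audit of the three user-hive settings the two logs above flag (the Winlogon Shell override, the win.ini load= entry from the F3 line, and the loopback IE proxy from the R1 line), plus the HKLM Shell baseline. It assumes it is run under the affected user's account; the check names and the "explorer.exe" baseline are my own.

```powershell
# Added example (not the thread's own code): read-only audit of the registry
# values flagged in the Malwarebytes and HijackThis logs. Run as the affected
# user (three of the four values live in HKCU); nothing is changed.
$checks = @(
    @{ Name = 'HKLM Winlogon Shell'
       Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'Shell'; Expected = 'explorer.exe' },        # the "Good:" value in the MBAM log
    @{ Name = 'HKCU Winlogon Shell'
       Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'Shell'; Expected = '' },                    # per-user override is normally absent
    @{ Name = 'HKCU win.ini load='
       Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
       Value = 'load'; Expected = '' },                     # HijackThis F3 line; runs at logon
    @{ Name = 'HKCU IE ProxyServer'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Value = 'ProxyServer'; Expected = '' }               # HijackThis R1 line (127.0.0.1:50370)
)

function Test-PersistencePoint {
    param([hashtable]$Check)
    $actual = ''
    $item = Get-ItemProperty -Path $Check.Path -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Check.Value]) {
        $actual = [string]$item.($Check.Value)
    }
    # Case-insensitive exact match. A value such as
    # "explorer.exe,C:\...\shell.exe" (the pattern Malwarebytes reported)
    # fails because of the appended second binary.
    $ok = ($actual.Trim() -ieq $Check.Expected)
    New-Object PSObject -Property @{
        Check  = $Check.Name
        Status = $(if ($ok) { 'OK' } else { 'REVIEW' })
        Actual = $actual
    }
}

# Anything marked REVIEW is worth comparing against the cleanup tool's report
# before deciding what to remove; this script only reads.
$checks | ForEach-Object { Test-PersistencePoint -Check $_ } |
    Format-Table Check, Status, Actual -AutoSize
```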