
Hello,

My PC is infected and the malware disables any internet browser, but Skype still works.

When I start the PC, the files in the start menu don't run, and for each of these files I receive the warning message:

***.exe encountered a problem and needs to close.

We are sorry for the inconvenience... etc.

I have these messages for:

hkcmd.exe

NeroCheck.exe

issch.exe

cpqset.exe

realsched.exe

isuspm.exe

RecGuard.exe

SynTPEnh.exe

Reader-sl.exe

hpztb12.exe

QPService.exe

ehtray.exe

knlxhojt.exe

Qttask.exe

I ran MAM and removed everything it found, but I still have the same problems.

I followed the topic step by step, but as the only way to communicate with you is with another PC, and to send the files I use an external USB hard drive, I was forced to execute Defogger-Enable to take these files.

Well, here are the files:

MAM log file:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Version de la base de donn

Attach.zip


Hello abikhalil

Welcome to Malwarebytes.

=====================

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hello Kahdah

Thank you for your prompt reply and for your help.

Please find the report here, as requested.

Regards

ComboFix 10-05-10.05 - Adminstrator 05/11/2010 20:06:26.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.653 [GMT 2:00]

Running from: c:\documents and settings\Adminstrator\My Documents\elimination virus\etape 2\ComboFix.exe

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Adminstrator\Application Data\inst.exe

c:\documents and settings\Adminstrator\knlxrhojt .exe

c:\documents and settings\Adminstrator\knlxrhojt.exe

c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe

c:\program files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe

c:\program files\Common Files\InstallShield\UpdateService\issch.exe

c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe

c:\program files\Common Files\Real\Update_OB\realsched.exe

c:\program files\D-Link\AirPlus G\AirGCFG.exe

c:\program files\Hewlett-Packard\Default Settings\cpqset.exe

c:\program files\Hewlett-Packard\HP Quick Launch Buttons\qlbctrl.exe

c:\program files\HP\HP Software Update\HPWuSchd2.exe

c:\program files\HP\QuickPlay\QPService.exe

c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

c:\program files\QuickTime\qttask.exe

c:\program files\Synaptics\SynTP\SynTPEnh.exe

c:\program files\Uniblue\SpyEraser\SpyEraser.exe

c:\program files\Windows Media Player\WMPNSCFG.exe

c:\windows\Cbemaa.exe

c:\windows\SMINST\RecGuard.exe

c:\windows\system32\8cb6910.log

c:\windows\system32\chdaudpropshortcut .exe

c:\windows\system32\chdaudpropshortcut.exe

c:\windows\system32\ctfmon .exe

c:\windows\system32\drivers\npf.sys

c:\windows\system32\hkcmd .exe

c:\windows\system32\hkcmd.exe

c:\windows\system32\igfxpers .exe

c:\windows\system32\igfxtray .exe

c:\windows\system32\KGyGaAvL.sys

c:\windows\system32\knlxrhojt .exe

c:\windows\system32\msxsltsso.dll

c:\windows\system32\nerocheck .exe

c:\windows\system32\NeroCheck.exe

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\regedit .exe

c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\ndis.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ABEL

-------\Legacy_SSHNAS

-------\Service_Abel

-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))

.

2010-05-11 18:01 . 2010-05-11 18:01 -------- d-sha-r- \cmdcons

2010-05-11 17:55 . 2010-05-11 18:16 -------- d-----w- \ComboFix

2010-05-11 17:53 . 2010-05-11 18:13 -------- d---a-w- \Qoobox

2010-05-09 15:57 . 2010-05-09 15:57 -------- d-----w- c:\documents and settings\Adminstrator\Local Settings\Application Data\Threat Expert

2010-05-09 15:53 . 2010-01-22 07:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-05-09 15:53 . 2010-01-22 07:55 767952 ----a-w- c:\windows\BDTSupport.dll

2010-05-09 15:53 . 2008-11-26 10:08 131 ----a-w- c:\windows\IDB.zip

2010-05-09 15:53 . 2010-01-22 07:56 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-05-09 15:53 . 2010-01-22 07:56 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-05-09 15:53 . 2009-10-27 23:36 1152444 ----a-w- c:\windows\UDB.zip

2010-05-09 15:52 . 2010-05-09 16:14 -------- d-----w- c:\program files\Spyware Doctor

2010-05-09 15:52 . 2010-05-09 15:53 -------- d-----w- c:\program files\Common Files\PC Tools

2010-05-09 15:52 . 2010-05-09 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-05-09 15:52 . 2010-05-09 15:52 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\PC Tools

2010-05-09 13:48 . 2010-05-09 13:48 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2010-05-09 13:46 . 2010-05-09 13:46 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-05-09 10:34 . 2010-05-09 10:34 -------- d-----w- c:\program files\CCleaner

2010-05-09 08:16 . 2010-05-09 08:18 -------- d-----w- C:\UsbFix

2010-05-09 08:16 . 2010-05-09 08:18 -------- d-----w- \UsbFix

2010-05-09 08:01 . 2010-05-09 08:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-05-09 07:08 . 2010-05-09 07:08 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-05-09 06:05 . 2010-05-09 06:50 -------- d-----w- c:\program files\Anti Trojan Elite

2010-05-09 04:26 . 2010-05-09 04:26 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\Malwarebytes

2010-05-09 04:26 . 2010-05-09 04:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-09 04:26 . 2010-05-09 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-09 04:07 . 2009-08-02 16:49 3036024 ----a-w- c:\documents and settings\Adminstrator\Application Data\Simply Super Software\Trojan Remover\lwp1847.exe

2010-05-08 19:53 . 2010-05-08 19:56 -------- d-----w- c:\program files\RegCleaner

2010-05-08 18:40 . 2010-05-08 18:40 -------- d-----w- c:\program files\7-Zip

2010-05-08 17:19 . 2010-05-09 05:49 -------- d-----w- c:\documents and settings\Adminstrator\Local Settings\Application Data\eiblmnnvq

2010-04-24 20:14 . 2010-04-24 20:14 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\InstallShield

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-11 18:16 . 2009-04-08 06:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-11 18:13 . 2008-07-18 15:40 -------- d-----w- c:\program files\QuickTime

2010-05-10 15:43 . 2007-06-10 12:11 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\Canon

2010-05-09 14:54 . 2006-11-13 16:15 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-09 14:54 . 2007-06-10 19:29 -------- d-----w- c:\program files\Google

2010-05-09 07:57 . 2009-08-27 19:04 -------- d-----w- c:\program files\NETGEAR

2010-05-08 18:56 . 2009-11-11 11:54 1053184 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-05-08 18:45 . 2008-12-01 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-05-05 14:42 . 2008-01-28 16:42 -------- d-----w- c:\program files\NetAppel

2010-05-03 19:11 . 2010-04-09 18:03 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\Image Zone Express

2010-05-02 09:47 . 2007-04-03 13:10 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\HP

2010-04-25 16:23 . 2009-12-06 16:49 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\Skype

2010-04-25 14:54 . 2009-12-06 16:51 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\skypePM

2010-04-23 14:53 . 2007-10-16 20:26 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\Corel

2010-04-20 17:21 . 2007-11-08 20:10 -------- d-----w- c:\program files\D-Link

2010-04-09 08:15 . 2010-04-09 07:58 113139 ----a-w- c:\windows\hpoins07.dat

2010-04-09 08:13 . 2006-11-13 16:15 -------- d-----w- c:\program files\HP

2010-04-09 08:13 . 2010-04-09 08:13 -------- d-----w- c:\program files\Common Files\HP

2010-04-09 08:10 . 2010-04-09 08:10 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2010-03-19 08:06 . 2008-06-30 12:43 -------- d-----w- c:\program files\OfficeReady 4.0

2010-03-13 17:48 . 2010-03-13 17:48 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll

2010-03-13 17:48 . 2010-03-13 17:48 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll

2010-03-13 17:48 . 2010-03-13 17:48 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll

2010-03-13 17:48 . 2010-03-13 17:48 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll

2010-03-13 17:48 . 2010-03-13 17:48 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll

2010-03-13 17:48 . 2010-03-13 17:48 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll

2010-03-13 17:48 . 2010-03-13 17:48 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll

2010-03-13 17:48 . 2010-03-13 17:48 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

2010-03-13 17:48 . 2007-05-31 19:42 -------- d-----w- c:\program files\Common Files\Real

2010-03-13 17:48 . 2007-06-10 19:29 -------- d-----w- c:\program files\Real

2010-03-13 17:48 . 2010-03-13 17:48 -------- d-----w- c:\program files\Common Files\xing shared

2008-06-11 17:58 . 2008-06-11 17:35 72 --sh--w- c:\windows\SF9F4C5A4.tmp

2007-10-18 19:30 . 2007-10-18 19:24 88 --sh--r- c:\windows\system32\3F72B0686F.sys

2007-10-17 09:33 . 2007-10-17 09:33 56 --sh--r- c:\windows\system32\6F68B0723F.sys

.

c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray .exe
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\CBS Software\SpeedConnect Internet Accelerator\speedconnectstartup .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\D-Link\AirPlus G\airgcfg .exe
c:\program files\ESET\ESET Smart Security\egui .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Hewlett-Packard\Default Settings\cpqset .exe
c:\program files\Hewlett-Packard\HP Quick Launch Buttons\qlbctrl .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\HP\QuickPlay\qpservice .exe
c:\program files\HPQ\HP Wireless Assistant\hp wireless assistant .exe
c:\program files\QuickTime\qttask .exe
c:\program files\ScanSoft\OmniPageSE\opware32 .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Uniblue\SpyEraser\spyeraser .exe
c:\program files\Windows Media Player\wmpnscfg .exe
c:\windows\ehome\ehtray .exe
c:\windows\SMINST\recguard .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb12 .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"knlxrhojt"="c:\documents and settings\Adminstrator\knlxrhojt.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [N/A]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [N/A]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [N/A]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [N/A]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [N/A]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [N/A]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [N/A]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [N/A]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [N/A]

"ehTray"="c:\windows\ehome\ehtray.exe" [2010-05-07 56766]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-02-06 2021400]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [N/A]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [N/A]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NETGEAR WN111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WN111v2\WN111V2.exe [2008-5-9 1474631]

NETGEAR WNDA3100v2 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2010-5-9 3272704]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SANTIS USB and PC Card Utility.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SANTIS USB and PC Card Utility.lnk

backup=c:\windows\pss\SANTIS USB and PC Card Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]

c:\program files\D-Link\AirPlus G\AirGCFG.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

CHDAudPropShortcut.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

c:\program files\HP\HP Software Update\HPWuSchd2.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]

c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M5T8QL3YW3]

c:\docume~1\ADMINS~1\LOCALS~1\Temp\Cjd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedConnectStartUp]

c:\program files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]

c:\program files\Uniblue\SpyEraser\SpyEraser.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

c:\program files\Windows Media Player\WMPNSCFG.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=

"c:\\Program Files\\NetAppel\\NetAppel.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\WINDOWS\\system32\\igfxsrvc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/9/2010 5:52 PM 218592]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 2:23 PM 106208]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 2:24 PM 93336]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [5/9/2010 5:53 PM 112592]

R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2/6/2009 2:23 PM 727720]

R2 Uniblue DiskRescue;Uniblue DiskRescue;c:\program files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [9/10/2008 5:22 PM 229648]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2/12/2008 7:05 PM 57440]

S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

S2 DCamUSB20;TRUST USB2 AUDIO VIDEO EDITOR;c:\windows\system32\drivers\csmini20.sys [6/3/2007 6:36 PM 46216]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 10:19 AM 135664]

S2 WSWNDA3100;WSWNDA3100;c:\program files\NETGEAR\WNDA3100v2\WifiSvc.exe [5/9/2010 9:57 AM 278528]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5u870cap.sys [6/6/2006 10:39 PM 61952]

S3 ATMEL FVNETusbASKEY (AR)®;ATMEL FVNETusbASKEY (AR)® Service for SANTIS WLAN USB Adapter;c:\windows\system32\drivers\vnetusbk.sys [2/20/2003 6:15 PM 93184]

S3 ATMEL WinXP PCMCIAFVNETR (2ARC)®;ATMEL WinXP PCMCIAFVNETR (2ARC)® Service for SANTIS WLAN PC Card;c:\windows\system32\drivers\fvnetr51.sys [1/14/2003 12:44 PM 91648]

S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [5/9/2010 9:57 AM 632576]

S3 CH341SER;CH341SER;c:\windows\system32\drivers\ch341ser.sys [8/17/2008 8:10 PM 35824]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [7/24/2003 1:10 PM 17149]

S3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\drivers\inidvd.sys [4/5/2009 2:46 PM 7936]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\NETGEAR\WN111v2\jswpsapi.exe [2/27/2008 11:54 AM 360547]

S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301a.sys [8/7/2007 8:20 PM 116192]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/9/2010 5:52 PM 366840]

S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\wn111v2.sys [5/31/2008 3:46 PM 434688]

.

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.be/ig?hl=fr

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mLocal Page = c:\windows\system32\blank.htm

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\Adminstrator\Application Data\Mozilla\Firefox\Profiles\9nzm0n5r.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\Adminstrator\Application Data\Move Networks\plugins\npqmp071700000016.dll

FF - plugin: c:\documents and settings\Adminstrator\Local Settings\Application Data\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

SSODL-GootkitSSO-{09F8EFA3-B472-40B0-B41C-CD96A30D9BA6} - c:\windows\System32\msxsltsso.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-11 20:18

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]

"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]

"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\smss.exe

c:\windows\system32\csrss.exe

c:\windows\system32\winlogon.exe

c:\windows\system32\services.exe

c:\windows\system32\lsass.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe

c:\windows\System32\svchost.exe

c:\windows\system32\svchost.exe

c:\windows\system32\spoolsv.exe

c:\windows\system32\acs.exe

c:\windows\system32\svchost.exe

c:\windows\system32\msdtc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\svchost.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\svchost.exe

c:\windows\system32\UTSCSI.EXE

c:\windows\system32\mqsvc.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\system32\mqtgsvc.exe

c:\windows\system32\wuauclt.exe

c:\windows\System32\alg.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wbem\wmiprvse.exe

.

**************************************************************************

.

Completion time: 2010-05-11 20:21:24 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-11 18:21

Pre-Run: 34,090,975,232 bytes free

Post-Run: 33,989,861,376 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 28CA3E7E2C09FABCE4CF4FF792F164FD


1. Please open Notepad

  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

RenV::
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray .exe
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\CBS Software\SpeedConnect Internet Accelerator\speedconnectstartup .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\D-Link\AirPlus G\airgcfg .exe
c:\program files\ESET\ESET Smart Security\egui .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Hewlett-Packard\Default Settings\cpqset .exe
c:\program files\Hewlett-Packard\HP Quick Launch Buttons\qlbctrl .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\HP\QuickPlay\qpservice .exe
c:\program files\HPQ\HP Wireless Assistant\hp wireless assistant .exe
c:\program files\QuickTime\qttask .exe
c:\program files\ScanSoft\OmniPageSE\opware32 .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Uniblue\SpyEraser\spyeraser .exe
c:\program files\Windows Media Player\wmpnscfg .exe
c:\windows\ehome\ehtray .exe
c:\windows\SMINST\recguard .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb12 .exe


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"knlxrhojt"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M5T8QL3YW3]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScriptB-4.gif]

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

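An added example, not from any post in this thread and not part of ComboFix: it automates the check the RenV:: list above does by hand, scanning file paths (a directory walk, or pasted ComboFix log lines) for the "name .exe" pattern, where a legitimate startup program survives with a space before the extension while a "name.exe" sits next to it. Only the Python standard library is assumed; the sample log lines are constructed from paths in the first ComboFix log.

```python
"""Detect the "name .exe" rename pattern from this thread.

Constructed example for this thread, not part of any post or of ComboFix.
It reads file paths (from a directory walk, or pasted ComboFix log lines)
and flags files whose name ends in " .exe" (space before the extension),
reporting whether a "name.exe" sibling exists in the same folder.  It can
also render the findings as a ComboFix RenV:: section like the one the
helper posted, so output can be compared against the log by hand.
"""
import ntpath
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches "hkcmd .exe" or "hp wireless assistant .exe", but not "hkcmd.exe".
SPACE_EXE = re.compile(r"^(?P<stem>.+?) +\.exe$", re.IGNORECASE)

# A ComboFix log line that is just a Windows path (drive letter, colon, backslash).
LOG_PATH = re.compile(r"^[a-zA-Z]:\\\S.*$")


@dataclass
class RenamedPair:
    renamed: str             # the "name .exe" file (displaced original)
    impostor: Optional[str]  # the "name.exe" file next to it, if any


def paths_from_log(text: str) -> List[str]:
    """Pull bare path lines out of ComboFix-style log text."""
    return [ln.strip() for ln in text.splitlines() if LOG_PATH.match(ln.strip())]


def classify_paths(paths: Iterable[str]) -> List[RenamedPair]:
    """Group paths by folder and report every "name .exe" with its sibling."""
    by_dir = {}
    for p in paths:
        folder, fname = ntpath.split(p)   # ntpath splits on "\" on any OS
        by_dir.setdefault(folder.lower(), {})[fname.lower()] = p
    found = []
    for files in by_dir.values():
        for fname, full in files.items():
            m = SPACE_EXE.match(fname)
            if m:
                sibling = files.get(m.group("stem") + ".exe")
                found.append(RenamedPair(full, sibling))
    return found


def scan_tree(root: str) -> List[RenamedPair]:
    """Walk a real directory tree (e.g. C:\\Windows\\system32) and classify it."""
    paths = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs]
    return classify_paths(paths)


def renv_block(pairs: Iterable[RenamedPair]) -> str:
    """Render the displaced originals as a ComboFix RenV:: section."""
    return "RenV::\n" + "\n".join(p.renamed for p in pairs) + "\n"


# Constructed sample: a few lines in the shape of the "Other Deletions"
# section from the first ComboFix log in this thread, plus one clean file.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\hkcmd .exe
c:\windows\system32\hkcmd.exe
c:\windows\system32\ctfmon .exe
c:\program files\HPQ\HP Wireless Assistant\hp wireless assistant .exe
c:\windows\system32\notepad.exe
Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
"""

if __name__ == "__main__":
    pairs = classify_paths(paths_from_log(SAMPLE_LOG))
    for pair in pairs:
        status = ("sibling present: " + pair.impostor) if pair.impostor else "no sibling"
        print(f"{pair.renamed}  ->  {status}")
    print(renv_block(pairs))
```

Run it against a folder with scan_tree(r"C:\Windows\system32") on the affected machine; anything it reports should be cross-checked against the Run keys in the log before acting on it.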

Hi,

Here is the new report.

Thanks

ComboFix 10-05-10.05 - Adminstrator 05/12/2010 5:27.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.631 [GMT 2:00]

Running from: c:\documents and settings\Adminstrator\My Documents\elimination virus\etape 2\ComboFix.exe

Command switches used :: c:\documents and settings\Adminstrator\My Documents\elimination virus\etape 2\CFScript.txt

AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))

.

2010-05-09 15:57 . 2010-05-09 15:57 -------- d-----w- c:\documents and settings\Adminstrator\Local Settings\Application Data\Threat Expert

2010-05-09 15:53 . 2010-01-22 07:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-05-09 15:53 . 2010-01-22 07:55 767952 ----a-w- c:\windows\BDTSupport.dll

2010-05-09 15:53 . 2008-11-26 10:08 131 ----a-w- c:\windows\IDB.zip

2010-05-09 15:53 . 2010-01-22 07:56 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-05-09 15:53 . 2010-01-22 07:56 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-05-09 15:53 . 2009-10-27 23:36 1152444 ----a-w- c:\windows\UDB.zip

2010-05-09 15:53 . 2010-02-05 07:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-05-09 15:52 . 2010-03-29 08:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-05-09 15:52 . 2009-11-23 11:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-05-09 15:52 . 2010-04-08 12:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-05-09 15:52 . 2010-05-09 16:14 -------- d-----w- c:\program files\Spyware Doctor

2010-05-09 15:52 . 2010-05-09 15:53 -------- d-----w- c:\program files\Common Files\PC Tools

2010-05-09 15:52 . 2010-05-09 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-05-09 15:52 . 2010-05-09 15:52 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\PC Tools

2010-05-09 13:48 . 2010-05-09 13:48 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2010-05-09 13:46 . 2010-05-09 13:46 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-05-09 10:34 . 2010-05-09 10:34 -------- d-----w- c:\program files\CCleaner

2010-05-09 08:16 . 2010-05-09 08:18 -------- d-----w- C:\UsbFix

2010-05-09 08:01 . 2010-05-09 08:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-05-09 07:57 . 2009-05-05 10:00 632576 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys

2010-05-09 07:57 . 2008-11-14 15:35 196608 ----a-w- c:\windows\system32\wps_api.dll

2010-05-09 07:08 . 2010-05-09 07:08 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-05-09 06:05 . 2010-05-09 06:50 -------- d-----w- c:\program files\Anti Trojan Elite

2010-05-09 04:26 . 2010-05-09 04:26 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\Malwarebytes

2010-05-09 04:26 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-09 04:26 . 2010-05-09 04:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-09 04:26 . 2010-05-09 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-09 04:26 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-09 04:07 . 2009-08-02 16:49 3036024 ----a-w- c:\documents and settings\Adminstrator\Application Data\Simply Super Software\Trojan Remover\lwp1847.exe

2010-05-08 19:53 . 2010-05-08 19:56 -------- d-----w- c:\program files\RegCleaner

2010-05-08 18:40 . 2010-05-08 18:40 -------- d-----w- c:\program files\7-Zip

2010-05-08 17:56 . 2010-05-08 17:56 30728 ----a-w- c:\windows\system32\drivers\Epfwndis.sys.vir

2010-05-08 17:20 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys

2010-05-08 17:20 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys

2010-05-08 17:20 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-05-08 17:20 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys

2010-05-08 17:19 . 2010-05-09 05:49 -------- d-----w- c:\documents and settings\Adminstrator\Local Settings\Application Data\eiblmnnvq

2010-05-07 20:14 . 2010-05-07 20:16 56766 ----a-w- c:\windows\system32\knlxrhojt.exe

2010-04-24 20:14 . 2010-04-24 20:14 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\InstallShield

2010-04-20 16:27 . 2009-04-15 12:31 221184 ----a-w- c:\windows\system32\RaCoInst.dll

2010-04-20 16:27 . 2009-04-15 12:31 13931 ----a-w- c:\windows\system32\RaCoInst.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-12 03:37 . 2009-04-08 06:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-12 03:27 . 2008-07-18 15:40 -------- d-----w- c:\program files\QuickTime

2010-05-10 15:43 . 2007-06-10 12:11 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\Canon

2010-05-09 14:54 . 2006-11-13 16:15 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-09 14:54 . 2007-06-10 19:29 -------- d-----w- c:\program files\Google

2010-05-09 07:57 . 2009-08-27 19:04 -------- d-----w- c:\program files\NETGEAR

2010-05-08 18:56 . 2009-11-11 11:54 1053184 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-05-08 18:45 . 2008-12-01 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-05-07 20:15 . 2006-03-22 20:17 56766 ----a-w- c:\windows\system32\igfxpers.exe

2010-05-05 14:42 . 2008-01-28 16:42 -------- d-----w- c:\program files\NetAppel

2010-05-03 19:11 . 2010-04-09 18:03 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\Image Zone Express

2010-05-02 09:47 . 2007-04-03 13:10 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\HP

2010-04-25 16:23 . 2009-12-06 16:49 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\Skype

2010-04-25 14:54 . 2009-12-06 16:51 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\skypePM

2010-04-23 14:53 . 2007-10-16 20:26 -------- d-----w- c:\documents and settings\Adminstrator\Application Data\Corel

2010-04-20 17:21 . 2007-11-08 20:10 -------- d-----w- c:\program files\D-Link

2010-04-09 08:15 . 2010-04-09 07:58 113139 ----a-w- c:\windows\hpoins07.dat

2010-04-09 08:13 . 2006-11-13 16:15 -------- d-----w- c:\program files\HP

2010-04-09 08:13 . 2010-04-09 08:13 -------- d-----w- c:\program files\Common Files\HP

2010-04-09 08:10 . 2010-04-09 08:10 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2010-03-19 08:06 . 2008-06-30 12:43 -------- d-----w- c:\program files\OfficeReady 4.0

2010-03-13 17:48 . 2010-03-13 17:48 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll

2010-03-13 17:48 . 2010-03-13 17:48 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll

2010-03-13 17:48 . 2010-03-13 17:48 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll

2010-03-13 17:48 . 2010-03-13 17:48 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll

2010-03-13 17:48 . 2010-03-13 17:48 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll

2010-03-13 17:48 . 2010-03-13 17:48 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll

2010-03-13 17:48 . 2010-03-13 17:48 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll

2010-03-13 17:48 . 2010-03-13 17:48 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

2010-03-13 17:48 . 2007-05-31 19:42 -------- d-----w- c:\program files\Common Files\Real

2010-03-13 17:48 . 2007-06-10 19:29 -------- d-----w- c:\program files\Real

2010-03-13 17:48 . 2010-03-13 17:48 -------- d-----w- c:\program files\Common Files\xing shared

2010-03-10 06:15 . 2006-03-16 04:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2006-03-16 04:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2005-01-19 12:26 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08 . 2006-03-16 04:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2006-03-16 04:00 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 10:03 . 2010-03-01 05:42 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-12 04:33 . 2006-03-16 04:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2006-03-16 04:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2008-06-11 17:58 . 2008-06-11 17:35 72 --sh--w- c:\windows\SF9F4C5A4.tmp

2007-10-18 19:30 . 2007-10-18 19:24 88 --sh--r- c:\windows\system32\3F72B0686F.sys

2007-10-17 09:33 . 2007-10-17 09:33 56 --sh--r- c:\windows\system32\6F68B0723F.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-13 202256]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-12 249856]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-08 176128]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-13 1443072]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NETGEAR WN111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WN111v2\WN111V2.exe [2008-5-9 1474631]

NETGEAR WNDA3100v2 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2010-5-9 3272704]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SANTIS USB and PC Card Utility.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SANTIS USB and PC Card Utility.lnk

backup=c:\windows\pss\SANTIS USB and PC Card Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-10-14 19:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]

2006-11-17 15:54 1552384 ----a-w- c:\program files\D-Link\AirPlus G\airgcfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2005-05-11 21:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]

2006-05-04 05:58 458752 ----a-w- c:\program files\HPQ\HP Wireless Assistant\hp wireless assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedConnectStartUp]

2009-12-20 14:02 565760 ----a-w- c:\program files\CBS Software\SpeedConnect Internet Accelerator\speedconnectstartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]

2009-04-08 08:34 1424648 ----a-w- c:\program files\Uniblue\SpyEraser\spyeraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2006-10-18 19:05 204288 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=

"c:\\Program Files\\NetAppel\\NetAppel.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\WINDOWS\\system32\\igfxsrvc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/9/2010 5:52 PM 218592]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [5/9/2010 5:53 PM 112592]

R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/21/2007 8:21 AM 468224]

R2 Uniblue DiskRescue;Uniblue DiskRescue;c:\program files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [9/10/2008 5:22 PM 229648]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2/12/2008 7:05 PM 57440]

S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

S2 DCamUSB20;TRUST USB2 AUDIO VIDEO EDITOR;c:\windows\system32\drivers\csmini20.sys [6/3/2007 6:36 PM 46216]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 10:19 AM 135664]

S2 WSWNDA3100;WSWNDA3100;c:\program files\NETGEAR\WNDA3100v2\WifiSvc.exe [5/9/2010 9:57 AM 278528]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5u870cap.sys [6/6/2006 10:39 PM 61952]

S3 ATMEL FVNETusbASKEY (AR)®;ATMEL FVNETusbASKEY (AR)® Service for SANTIS WLAN USB Adapter;c:\windows\system32\drivers\vnetusbk.sys [2/20/2003 6:15 PM 93184]

S3 ATMEL WinXP PCMCIAFVNETR (2ARC)®;ATMEL WinXP PCMCIAFVNETR (2ARC)® Service for SANTIS WLAN PC Card;c:\windows\system32\drivers\fvnetr51.sys [1/14/2003 12:44 PM 91648]

S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [5/9/2010 9:57 AM 632576]

S3 CH341SER;CH341SER;c:\windows\system32\drivers\ch341ser.sys [8/17/2008 8:10 PM 35824]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [7/24/2003 1:10 PM 17149]

S3 INIDVD;Initio USB DVD Filter Driver;c:\windows\system32\drivers\inidvd.sys [4/5/2009 2:46 PM 7936]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\NETGEAR\WN111v2\jswpsapi.exe [2/27/2008 11:54 AM 360547]

S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\system32\drivers\m4301a.sys [8/7/2007 8:20 PM 116192]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/9/2010 5:52 PM 366840]

S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\wn111v2.sys [5/31/2008 3:46 PM 434688]

.

Contents of the 'Scheduled Tasks' folder

2010-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 08:19]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 08:19]

2010-01-17 c:\windows\Tasks\Install_NSS.job

- c:\program files\DivX\Symantec\scstubinstaller.exe [2009-11-14 00:49]

2010-05-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3334975394-2050389398-157988612-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-05-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3334975394-2050389398-157988612-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2009-04-08 c:\windows\Tasks\Uniblue DiskRescue 2009.job

- c:\program files\Uniblue\DiskRescue\UBDiskRescue.exe [2008-09-10 15:22]

2010-05-03 c:\windows\Tasks\Uniblue SpyEraser Nag.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2009-04-08 08:34]

2009-04-08 c:\windows\Tasks\Uniblue SpyEraser.job

- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2009-04-08 08:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.be/ig?hl=fr

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\Adminstrator\Application Data\Mozilla\Firefox\Profiles\9nzm0n5r.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\Adminstrator\Application Data\Move Networks\plugins\npqmp071700000016.dll

FF - plugin: c:\documents and settings\Adminstrator\Local Settings\Application Data\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-NeroFilterCheck - c:\windows\system32\NeroCheck.exe

HKLM-Run-igfxhkcmd - c:\windows\system32\hkcmd.exe

MSConfigStartUp-High Definition Audio Property Page Shortcut - CHDAudPropShortcut.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-12 05:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????c??????`?@?????L?@

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]

"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\INIDVD]

"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1232)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\acs.exe

c:\windows\system32\msdtc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\UTSCSI.EXE

c:\windows\system32\mqsvc.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\system32\mqtgsvc.exe

c:\program files\Common Files\InstallShield\UpdateService\agent.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

.

**************************************************************************

.

Completion time: 2010-05-12 05:42:27 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-12 03:42

ComboFix2.txt 2010-05-11 18:21

Pre-Run: 34,513,666,048 bytes free

Post-Run: 34,475,819,008 bytes free

- - End Of File - - D61E79D682E871FBCCD2CCD6ACEBA9FF


Please uninstall Norton Internet Worm Protection.

Also Spyware Doctor if you have not paid for it.

===============

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Files
    c:\documents and settings\Adminstrator\Local Settings\Application Data\eiblmnnvq

    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

================================Malwarebytes' Anti-Malware=================================

Please update/run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

================================Online scan=================================

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the following options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Hi,

I don't have Norton, and the Spy Doctor was a freeware downloaded when the PC was infected, as was Malwarebytes.

I uninstalled the Spy Doctor, but I cannot see any Norton software in Remove Software.

Please find the log files here.

1) Log files of OTL

All processes killed

========== FILES ==========

c:\documents and settings\Adminstrator\Local Settings\Application Data\eiblmnnvq folder moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

User: Adminstrator

->Temp folder emptied: 1191642 bytes

->Temporary Internet Files folder emptied: 114822 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 38342267 bytes

->Google Chrome cache emptied: 6499992 bytes

->Flash cache emptied: 3669 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 1402584 bytes

User: Papoun

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19641 bytes

%systemroot%\System32 .tmp files removed: 2675729 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 1191 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 48.00 mb

OTL by OldTimer - Version 3.2.4.1 log created on 05122010_221313

Files\Folders moved on Reboot...

File move failed. C:\WINDOWS\SF9F4C5A4.tmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...

2) the log of Malwarebytes

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Version de la base de donn


Great, let me know of any remaining issues.

  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one Notepad window, OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.


Hi Kahdah,

Here is the OTL.txt report.

Many thanks for your help.

OTL logfile created on: 5/13/2010 2:23:26 PM - Run 1

OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Adminstrator\My Documents\elimination virus\etape 3

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 534.00 Mb Available Physical Memory | 53.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 99.09 Gb Total Space | 32.06 Gb Free Space | 32.35% Space Free | Partition Type: NTFS

Drive D: | 11.68 Gb Total Space | 11.68 Gb Free Space | 99.99% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: PC189242386017

Current User Name: Adminstrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Adminstrator\My Documents\elimination virus\etape 3\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

PRC - C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe ()

PRC - C:\Program Files\Uniblue\SpyEraser\spyeraser.exe (Uniblue Software)

PRC - C:\WINDOWS\system32\UTSCSI.EXE ()

PRC - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe (Adobe Systems Inc.)

PRC - C:\Program Files\Uniblue\DiskRescue\UBDiskRescueSrv.exe (Uniblue)

PRC - C:\Program Files\NETGEAR\WN111v2\WN111V2.exe (NETGEAR)

PRC - C:\WINDOWS\system32\acs.exe (Atheros)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)

PRC - C:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)

PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)

PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)

PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe (HP)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Adminstrator\My Documents\elimination virus\etape 3\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (WSWNDA3100) -- C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe ()

SRV - (UTSCSI) -- C:\WINDOWS\system32\UTSCSI.EXE ()

SRV - (Uniblue DiskRescue) -- C:\Program Files\Uniblue\DiskRescue\UBDiskRescueSrv.exe (Uniblue)

SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros)

SRV - (EhttpSrv) -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe (ESET)

SRV - (jswpsapi) -- C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe (Atheros Communications, Inc.)

SRV - (ekrn) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)

SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)

SRV - (ANIWZCSdService) -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (Wireless Service)

SRV - (AddFiltr) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe (Hewlett-Packard Development Company, L.P.)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)

========== Driver Services (SafeList) ==========

DRV - (BCMH43XX) -- C:\WINDOWS\system32\drivers\bcmwlhigh5.sys (Broadcom Corporation)

DRV - (ANIO) -- C:\WINDOWS\system32\ANIO.sys ()

DRV - (AnyDVD) -- C:\WINDOWS\system32\drivers\AnyDVD.sys (SlySoft, Inc.)

DRV - (WN111v2) -- C:\WINDOWS\system32\drivers\wn111v2.sys (Atheros Communications, Inc.)

DRV - (RMCAST) -- C:\WINDOWS\system32\drivers\rmcast.sys (Microsoft Corporation)

DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)

DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)

DRV - (Changer) -- C:\WINDOWS\system32\drivers\changer.sys (Microsoft Corporation)

DRV - (lbrtfdc) -- C:\WINDOWS\system32\drivers\lbrtfdc.sys (Toshiba Corp.)

DRV - (MQAC) -- C:\WINDOWS\system32\drivers\mqac.sys (Microsoft Corporation)

DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)

DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (Epfwndis) -- C:\WINDOWS\system32\drivers\epfwndis.sys (ESET)

DRV - (epfwtdi) -- C:\WINDOWS\system32\drivers\epfwtdi.sys (ESET)

DRV - (epfw) -- C:\WINDOWS\system32\drivers\epfw.sys (ESET)

DRV - (easdrv) -- C:\WINDOWS\system32\drivers\easdrv.sys (ESET)

DRV - (eamon) -- C:\WINDOWS\system32\drivers\eamon.sys (ESET)

DRV - (JSWSCIMD) -- C:\WINDOWS\system32\drivers\jswscimd.sys (Atheros Communications, Inc.)

DRV - (WSIMD) -- C:\WINDOWS\system32\drivers\wsimd.sys (Atheros Communications, Inc.)

DRV - (INIDVD) -- C:\WINDOWS\system32\drivers\inidvd.sys (Initio Corporation)

DRV - (windrvNT) -- C:\WINDOWS\system32\windrvNT.sys ()

DRV - (ElbyCDIO) -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys (Elaborate Bytes AG)

DRV - (MCSTRM) -- C:\WINDOWS\system32\drivers\mcstrm.sys (RealNetworks, Inc.)

DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)

DRV - (5U870CAP_VID_1262&PID_25FD) -- C:\WINDOWS\system32\drivers\5u870cap.sys (Ricoh)

DRV - (CH341SER) -- C:\WINDOWS\system32\drivers\ch341ser.sys (www.winchiphead.com)

DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\CHDAud.sys (Conexant Systems Inc.)

DRV - (w39n51) Intel® -- C:\WINDOWS\system32\drivers\w39n51.sys (Intel

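An added triage helper for reading logs like the one above. It is not part of this thread and not OTL's own code: it parses the PRC/MOD/SRV/DRV line shapes shown in the log and attaches hints that a helper would normally check by eye: an empty publisher string `()`, an extension other than the ones OTL normally lists here (for example the `.sys.vir` suffix of a driver that a scanner has renamed), and a binary loading from a user-writable location. The sample log is constructed: four lines copied from the log above plus one made-up line showing how a renamed driver would appear. The heuristics, function names and the `Entry` type are my own, and the flags are prompts for a human reviewer, not verdicts.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes from the OTL log above (PRC/MOD carry no key name; SRV/DRV do,
# and DRV may carry a display name before " -- ").
LINE_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"(?:\((?P<name>[^)]*)\)(?P<display>.*?) -- )?"
    r"(?P<path>[A-Za-z]:\\.*?) "
    r"\((?P<vendor>[^)]*)\)\s*$"
)

# Extensions OTL normally lists in these sections; anything else (e.g. ".vir",
# the suffix a scanner may give a renamed file) deserves a second look.
EXPECTED_EXTS = {".exe", ".sys", ".dll", ".ocx"}
# Lower-cased path fragments where a service or driver binary is unusual.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\tmp\\")


@dataclass
class Entry:
    kind: str          # PRC, MOD, SRV or DRV
    name: str          # service/driver key name, "" for PRC/MOD
    path: str
    vendor: str        # company string from the file's version info; "" if absent
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a PRC/MOD/SRV/DRV line, None for headers and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        kind=m.group("kind"),
        name=m.group("name") or "",
        path=m.group("path"),
        vendor=m.group("vendor").strip(),
    )


def flag(entry: Entry) -> Entry:
    """Attach triage hints (hypothetical heuristics; a human decides)."""
    if not entry.vendor:
        entry.flags.append("no publisher string")
    ext = ntpath.splitext(entry.path)[1].lower()
    if ext not in EXPECTED_EXTS:
        entry.flags.append(f"unexpected extension {ext}")
    low = entry.path.lower()
    if any(frag in low for frag in USER_WRITABLE):
        entry.flags.append("runs from a user-writable location")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised line and return all entries with their flags."""
    parsed = [parse_line(line) for line in log_text.splitlines()]
    return [flag(e) for e in parsed if e is not None]


def flagged(log_text: str) -> List[Entry]:
    """Only the entries that picked up at least one hint."""
    return [e for e in triage(log_text) if e.flags]


# Constructed sample: four lines copied from the thread's log plus one made-up
# line showing how a driver renamed to .sys.vir would appear.
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========
PRC - C:\WINDOWS\system32\acs.exe (Atheros)
MOD - C:\Documents and Settings\Adminstrator\My Documents\elimination virus\etape 3\OTL.exe (OldTimer Tools)
SRV - (UTSCSI) -- C:\WINDOWS\system32\UTSCSI.EXE ()
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (Epfwndis) -- C:\WINDOWS\System32\drivers\Epfwndis.sys.vir (ESET)
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind} {e.path}: {', '.join(e.flags)}")
```

Run on the sample, three entries come back flagged: the service with no publisher string, the OTL module because it runs from My Documents (which is exactly why the flags are hints rather than verdicts; the helper's own tool trips that rule), and the `.sys.vir` driver that the reply below asks to be renamed back.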

You are welcome. One of your ESET files has been renamed; did you do this on purpose?

Or did it happen by other means?

Go to Start then Run then type in cmd and hit enter.

In the black window that opens copy and paste in this command:

ren C:\WINDOWS\System32\drivers\Epfwndis.sys.vir Epfwndis.sys

Then hit Enter. It should go to the same line it started with when complete.

After that close out of the command window.

========================

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall; it needs to be there.

======Next======

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is left over.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, emule, Utorrent, etc.
