
News 11 today Pop Ups



I have just installed Malwarebytes as I keep getting annoying pop-ups from news 11 today. I ran Malwarebytes and it shows no problems. I also tried McAfee on a full scan and it shows as clear as well?

I have just noticed I am now getting lots of blocks from

00:01:34 Neil IP-BLOCK 83.133.119.139

00:01:35 Neil IP-BLOCK 83.133.119.139

00:01:36 Neil IP-BLOCK 83.133.119.139

Steve

DDS (Ver_10-03-17.01) - NTFSx86

Run by Neil at 23:13:30.67 on 08/06/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.489 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

svchost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Common Files\Java\Java Update\jusched .exe

C:\Program Files\HP\HP Software Update\HPWuSchd .exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Neil\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"

mRun: [Alcmtr] ALCMTR.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\neil\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-14 385536]

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-27 390528]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-20 304464]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-6-6 203280]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-6-6 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-6-6 144704]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2005-5-3 710144]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-20 20952]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-6 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-6 35272]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2009-3-25 7040]

S0 qtsgs;qtsgs; [x]

S1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-15 0]

S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-15 0]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]

S2 PEVSystemStart;PEVSystemStart;"c:\combofix\pev.cfxxe" exec /i "c:\combofix\hidec.exe" "c:\combofix\swreg.exe" acl "hkey_local_machine\system\currentcontrolset\enum\root\legacy_beep" /reset /q --> c:\combofix\PEV.cfxxe [?]

S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-15 0]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-6-6 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-6-6 40552]

S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-6-6 606736]

=============== Created Last 30 ================

2010-06-08 21:45:16 0 ----a-w- c:\documents and settings\neil\defogger_reenable

2010-06-08 17:27:59 0 d-----w- c:\docume~1\neil\applic~1\ElevatedDiagnostics

2010-06-08 17:20:00 0 d-----w- c:\windows\system32\LogFiles

2010-06-08 06:23:56 0 ----a-w- C:\debug

2010-06-08 06:20:56 70148 ----a-w- c:\docume~1\alluse~1\applic~1\Ia60Fd8y.exe

2010-06-07 22:16:44 0 d-----w- c:\docume~1\neil\applic~1\SUPERAntiSpyware.com

2010-06-07 22:16:44 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-06-07 22:16:30 0 d-----w- c:\program files\SUPERAntiSpyware

2010-06-07 21:52:08 0 d-sha-r- C:\cmdcons

2010-06-07 21:48:28 98816 ----a-w- c:\windows\sed.exe

2010-06-07 21:48:28 77312 ----a-w- c:\windows\MBR.exe

2010-06-07 21:48:28 256512 ----a-w- c:\windows\PEV.exe

2010-06-07 21:48:28 161792 ----a-w- c:\windows\SWREG.exe

2010-06-07 17:56:34 0 d-----w- c:\program files\Windows Updates Downloader

2010-06-07 06:29:52 0 d-----w- C:\spybot

2010-06-06 20:31:23 107 ----a-w- c:\windows\wininit.ini

2010-06-06 20:20:03 112 ----a-w- c:\docume~1\alluse~1\applic~1\Gxogga1H.dat

2010-06-06 17:42:03 0 dc-h--w- c:\windows\ie8

2010-06-06 17:26:12 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-06 17:05:44 0 d-----w- c:\program files\BBC iPlayer Desktop

2010-06-06 16:24:00 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-06-06 16:24:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-06-06 14:37:27 0 d-----w- c:\program files\Trend Micro

2010-06-06 12:45:27 11743 ----a-w- c:\windows\system32\Config.MPF

2010-06-06 12:42:12 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-06-06 12:42:12 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2010-06-06 12:42:12 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-06-06 12:42:07 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-06-06 12:41:39 0 d-----w- c:\program files\common files\McAfee

2010-06-06 12:41:38 0 d-----w- c:\program files\McAfee.com

2010-06-06 12:41:29 0 d-----w- c:\program files\McAfee

2010-06-06 12:39:13 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2010-05-30 20:47:06 0 d-----w- c:\docume~1\neil\applic~1\Sky-Banners

2010-05-30 20:46:50 339968 ----a-w- c:\windows\system32\RapportBuka.dll

2010-05-30 20:46:04 0 d-----w- c:\docume~1\neil\applic~1\Street-Ads

2010-05-30 20:44:33 0 d-----w- C:\spoolerlogs

2010-05-30 20:43:32 0 d-----w- c:\docume~1\neil\applic~1\111BE277258CC614BBE131647BE8AF4E

==================== Find3M ====================

2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-14 11:50:14 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys

============= FINISH: 23:15:24.82 ===============

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4180

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

08/06/2010 20:44:03

mbam-log-2010-06-08 (20-44-03).txt

Scan type: Quick scan

Objects scanned: 130117

Time elapsed: 9 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit quick scan 2010-06-09 08:32:11

Windows 5.1.2600 Service Pack 3

Running: vzyrrnmk.exe; Driver: C:\DOCUME~1\Neil\LOCALS~1\Temp\ufriqaob.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF736CCA2]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF736CC78]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF736CC8C]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF736CCE2]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF736CC14]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF736CC28]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF736CCB6]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF736CC64]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF736CC50]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF736CD11]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF736CCF8]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF736CCCC]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

Attach.zip


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



ComboFix 10-06-09.04 - Neil 10/06/2010 18:21:18.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.582 [GMT 1:00]

Running from: c:\documents and settings\Neil\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Ia60Fd8y.exe

c:\documents and settings\Neil\Application Data\111BE277258CC614BBE131647BE8AF4E

c:\documents and settings\Neil\Application Data\111BE277258CC614BBE131647BE8AF4E\enemies-names.txt

c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

c:\program files\Common Files\Java\Java Update\jusched.exe

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

c:\program files\HP\HP Software Update\HPWuSchd.exe

c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe --->c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

c:\program files\Common Files\Java\Java Update\jusched .exe --->c:\program files\Common Files\Java\Java Update\jusched.exe

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe --->c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

c:\program files\HP\HP Software Update\HPWuSchd .exe --->c:\program files\HP\HP Software Update\HPWuSchd.exe

c:\program files\Malwarebytes' Anti-Malware\mbamgui .exe --->c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

.

((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))

.

2010-06-08 17:27 . 2010-06-08 17:27 -------- d-----w- c:\documents and settings\Neil\Application Data\ElevatedDiagnostics

2010-06-08 17:20 . 2010-06-08 17:20 -------- d-----w- c:\windows\system32\LogFiles

2010-06-07 22:17 . 2010-06-07 22:17 63488 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-07 22:17 . 2010-06-07 22:17 52224 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-07 22:17 . 2010-06-07 22:17 117760 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-07 22:16 . 2010-06-07 22:16 -------- d-----w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com

2010-06-07 22:16 . 2010-06-07 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-07 22:16 . 2010-06-07 22:16 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-07 17:56 . 2010-06-07 17:56 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\Supremus Corporation

2010-06-07 17:56 . 2010-06-07 17:56 -------- d-----w- c:\program files\Windows Updates Downloader

2010-06-07 06:29 . 2010-06-07 06:29 -------- d-----w- C:\spybot

2010-06-06 18:48 . 2010-06-06 18:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-06-06 17:42 . 2010-06-07 06:30 -------- dc-h--w- c:\windows\ie8

2010-06-06 17:26 . 2010-06-06 17:26 -------- d-----w- c:\program files\Common Files\Java

2010-06-06 17:26 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-06 17:23 . 2010-06-06 17:23 503808 ----a-w- c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6f24bc57-n\msvcp71.dll

2010-06-06 17:23 . 2010-06-06 17:23 499712 ----a-w- c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6f24bc57-n\jmc.dll

2010-06-06 17:23 . 2010-06-06 17:23 348160 ----a-w- c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6f24bc57-n\msvcr71.dll

2010-06-06 17:05 . 2010-06-07 06:29 -------- d-----w- c:\program files\BBC iPlayer Desktop

2010-06-06 16:24 . 2010-06-07 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-06 16:24 . 2010-06-07 06:29 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-06 14:37 . 2010-06-06 14:37 -------- d-----w- c:\program files\Trend Micro

2010-06-06 12:47 . 2010-06-06 12:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2010-06-06 12:45 . 2010-06-06 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor

2010-06-06 12:42 . 2010-02-17 15:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-06-06 12:42 . 2010-02-17 15:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2010-06-06 12:42 . 2010-02-17 15:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-06-06 12:42 . 2009-07-16 11:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-06-06 12:41 . 2010-06-06 12:42 -------- d-----w- c:\program files\Common Files\McAfee

2010-06-06 12:41 . 2010-06-06 12:41 -------- d-----w- c:\program files\McAfee.com

2010-06-06 12:41 . 2010-06-08 17:00 -------- d-----w- c:\program files\McAfee

2010-06-06 12:39 . 2010-02-17 15:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2010-06-06 12:28 . 2010-06-06 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-05-30 20:47 . 2010-05-30 20:47 -------- d-----w- c:\documents and settings\Neil\Application Data\Sky-Banners

2010-05-30 20:46 . 2010-05-30 20:46 0 ----a-w- c:\documents and settings\Neil\Application Data\Trusteer\Rapport\RapportBukaExt.dll

2010-05-30 20:46 . 2010-05-30 20:46 339968 ----a-w- c:\windows\system32\RapportBuka.dll

2010-05-30 20:46 . 2010-05-30 20:46 -------- d-----w- c:\documents and settings\Neil\Application Data\Street-Ads

2010-05-30 20:45 . 2010-06-06 11:56 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\swthcrcap

2010-05-30 20:44 . 2010-05-30 20:44 -------- d-----w- c:\program files\$NtUninstallWTF1012$

2010-05-30 20:44 . 2010-05-30 20:44 -------- d-----w- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-10 17:35 . 2009-10-20 13:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-09 04:55 . 2010-06-06 20:20 112 ----a-w- c:\documents and settings\All Users\Application Data\Gxogga1H.dat

2010-06-07 22:06 . 2009-03-25 09:01 18992 ----a-w- c:\documents and settings\Neil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-06 17:26 . 2009-03-25 16:45 -------- d-----w- c:\program files\Java

2010-06-06 11:46 . 2010-03-08 15:24 -------- d-----w- c:\documents and settings\Neil\Application Data\Ezzi

2010-05-31 18:50 . 2010-04-10 00:33 -------- d-----w- c:\documents and settings\Neil\Application Data\Absei

2010-05-27 20:27 . 2009-03-25 18:45 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-29 14:39 . 2009-10-20 13:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39 . 2009-10-20 13:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-14 11:50 . 2010-04-14 11:50 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys

.

c:\program files\CyberLink\PowerDVD\PDVDServ .exe

c:\program files\Java\jre6\bin\jusched .exe

c:\program files\McAfee.com\Agent\mcagent .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-01 39408]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 15961088]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [N/A]

"nwiz"="nwiz.exe" [2008-09-17 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Neil\Start Menu\Programs\Startup\

BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-6-6 95232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [27/02/2010 11:00 390528]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [20/10/2009 14:56 304464]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [06/06/2010 13:44 203280]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [03/05/2005 12:25 710144]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20/10/2009 14:56 20952]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [25/03/2009 17:54 7040]

S0 qtsgs;qtsgs; [x]

S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/03/2010 14:47 0]

S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 14:47 0]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/02/2010 12:58 135664]

S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 14:47 0]

.

Contents of the 'Scheduled Tasks' folder

2010-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 11:58]

2010-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 11:58]

2010-06-06 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-06 11:22]

2010-06-06 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-06 11:22]

2010-06-10 c:\windows\Tasks\User_Feed_Synchronization-{8959302F-D951-401A-AA54-755F876C0499}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = <local>

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

.

- - - - ORPHANS REMOVED - - - -

AddRemove-tompynfaryxouvu - c:\windows\system32\tompynfaryxouvu.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-10 18:34

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A87EC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf76b4f28

\Driver\ACPI -> ACPI.sys @ 0xf7527cb8

\Driver\atapi -> atapi.sys @ 0xf74b9852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf73c5bb0

PacketIndicateHandler -> NDIS.sys @ 0xf73b4a0d

SendHandler -> NDIS.sys @ 0xf73c8b40

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

Completion time: 2010-06-10 18:44:08

ComboFix-quarantined-files.txt 2010-06-10 17:43

Pre-Run: 62,707,290,112 bytes free

Post-Run: 62,717,423,616 bytes free

- - End Of File - - 515913E38C765E08DD9910CAAA0403DF


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:52:50, on 10/06/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe

C:\Program Files\HP\HP Software Update\HPWuSchd .exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Rapport Management Service (RapportMgmtService) - Unknown owner - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--

End of file - 8027 bytes


Hi Steve,

Please use the reply button while replying. That prevents the previous reply from being added to the post :)

Open notepad and copy/paste the text in the quotebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=53306
Driver::
qtsgs
Suspect[76]::
c:\documents and settings\All Users\Application Data\Gxogga1H.dat
DDS::
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
RenV::
c:\program files\CyberLink\PowerDVD\PDVDServ .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\McAfee.com\Agent\mcagent .exe

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

Download ATF (Atribune Temp File) Cleaner


I tried to run combofix but halfway through the PC did a reboot and went back to start? There was no combofix log on drive C:?

I have run ATF cleaner and did a new scan; here is the dds log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:22:25, on 10/06/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Rapport Management Service (RapportMgmtService) - Unknown owner - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--

End of file - 8645 bytes

Still scanning with Kaspersky at the minute

Thank you for your help Steve


Sorry about that wrong log, here is the one you asked for

DDS (Ver_10-03-17.01) - NTFSx86

Run by Neil at 9:09:14.92 on 11/06/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.643 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe

C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe

C:\Documents and Settings\Neil\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\neil\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-14 385536]

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-27 390528]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-20 304464]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-6-6 203280]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-6-6 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-6-6 144704]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2005-5-3 710144]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-20 20952]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-6 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-6 35272]

R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-6-6 34248]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2009-3-25 7040]

S0 qtsgs;qtsgs; [x]

S1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-15 0]

S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-15 0]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]

S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2010-6-10 256512]

S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-15 0]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-6-6 40552]

S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-6-6 606736]

=============== Created Last 30 ================

2010-06-10 21:08:41 0 d-s---w- C:\ComboFix

2010-06-10 14:01:00 0 ----a-w- C:\debug

2010-06-08 21:45:16 0 ----a-w- c:\documents and settings\neil\defogger_reenable

2010-06-08 17:27:59 0 d-----w- c:\docume~1\neil\applic~1\ElevatedDiagnostics

2010-06-08 17:20:00 0 d-----w- c:\windows\system32\LogFiles

2010-06-07 22:16:44 0 d-----w- c:\docume~1\neil\applic~1\SUPERAntiSpyware.com

2010-06-07 22:16:44 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-06-07 22:16:30 0 d-----w- c:\program files\SUPERAntiSpyware

2010-06-07 21:52:08 0 d-sha-r- C:\cmdcons

2010-06-07 21:48:28 98816 ----a-w- c:\windows\sed.exe

2010-06-07 21:48:28 77312 ----a-w- c:\windows\MBR.exe

2010-06-07 21:48:28 256512 ----a-w- c:\windows\PEV.exe

2010-06-07 21:48:28 161792 ----a-w- c:\windows\SWREG.exe

2010-06-07 17:56:34 0 d-----w- c:\program files\Windows Updates Downloader

2010-06-07 06:29:52 0 d-----w- C:\spybot

2010-06-06 20:31:23 107 ----a-w- c:\windows\wininit.ini

2010-06-06 20:20:03 112 ----a-w- c:\docume~1\alluse~1\applic~1\Gxogga1H.dat

2010-06-06 17:42:03 0 dc-h--w- c:\windows\ie8

2010-06-06 17:26:12 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-06 17:05:44 0 d-----w- c:\program files\BBC iPlayer Desktop

2010-06-06 16:24:00 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-06-06 16:24:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-06-06 14:37:27 0 d-----w- c:\program files\Trend Micro

2010-06-06 12:45:27 12179 ----a-w- c:\windows\system32\Config.MPF

2010-06-06 12:42:12 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-06-06 12:42:12 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2010-06-06 12:42:12 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-06-06 12:42:07 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-06-06 12:41:39 0 d-----w- c:\program files\common files\McAfee

2010-06-06 12:41:38 0 d-----w- c:\program files\McAfee.com

2010-06-06 12:41:29 0 d-----w- c:\program files\McAfee

2010-06-06 12:39:13 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2010-05-30 20:47:06 0 d-----w- c:\docume~1\neil\applic~1\Sky-Banners

2010-05-30 20:46:50 339968 ----a-w- c:\windows\system32\RapportBuka.dll

2010-05-30 20:46:04 0 d-----w- c:\docume~1\neil\applic~1\Street-Ads

2010-05-30 20:44:33 0 d-----w- C:\spoolerlogs

==================== Find3M ====================

2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-14 11:50:14 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys

============= FINISH: 9:10:49.07 ===============

Kaspersky has finished and here is the result

scan.html


I have tried again but every time I run combofix it starts to scan and the PC reboots. It does not create a log file either :P I have just run the dds file again; here is the log.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Neil at 21:34:08.01 on 11/06/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.563 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

svchost.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Neil\Desktop\dds.com

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\rundll32.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-14 385536]

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-27 390528]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2005-5-3 710144]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-20 20952]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2009-3-25 7040]

S0 qtsgs;qtsgs; [x]

S1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-15 0]

S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-15 0]

S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-6 79816]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-6 35272]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-6-6 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-6-6 40552]

=============== Created Last 30 ================

2010-06-11 20:30:37 0 d-s---w- C:\combofix.exe

2010-06-10 14:01:00 0 ----a-w- C:\debug

2010-06-08 21:45:16 0 ----a-w- c:\documents and settings\neil\defogger_reenable

2010-06-08 17:27:59 0 d-----w- c:\docume~1\neil\applic~1\ElevatedDiagnostics

2010-06-08 17:20:00 0 d-----w- c:\windows\system32\LogFiles

2010-06-07 22:16:44 0 d-----w- c:\docume~1\neil\applic~1\SUPERAntiSpyware.com

2010-06-07 22:16:44 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-06-07 22:16:30 0 d-----w- c:\program files\SUPERAntiSpyware

2010-06-07 21:52:08 0 d-sha-r- C:\cmdcons

2010-06-07 21:48:28 98816 ----a-w- c:\windows\sed.exe

2010-06-07 21:48:28 77312 ----a-w- c:\windows\MBR.exe

2010-06-07 21:48:28 256512 ----a-w- c:\windows\PEV.exe

2010-06-07 21:48:28 161792 ----a-w- c:\windows\SWREG.exe

2010-06-07 17:56:34 0 d-----w- c:\program files\Windows Updates Downloader

2010-06-07 06:29:52 0 d-----w- C:\spybot

2010-06-06 20:31:23 107 ----a-w- c:\windows\wininit.ini

2010-06-06 20:20:03 112 ----a-w- c:\docume~1\alluse~1\applic~1\Gxogga1H.dat

2010-06-06 17:42:03 0 dc-h--w- c:\windows\ie8

2010-06-06 17:26:12 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-06 17:05:44 0 d-----w- c:\program files\BBC iPlayer Desktop

2010-06-06 16:24:00 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-06-06 16:24:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-06-06 14:37:27 0 d-----w- c:\program files\Trend Micro

2010-06-06 12:45:27 12353 ----a-w- c:\windows\system32\Config.MPF

2010-06-06 12:42:12 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-06-06 12:42:12 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2010-06-06 12:42:12 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-06-06 12:42:07 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-06-06 12:41:39 0 d-----w- c:\program files\common files\McAfee

2010-06-06 12:41:38 0 d-----w- c:\program files\McAfee.com

2010-06-06 12:41:29 0 d-----w- c:\program files\McAfee

2010-06-06 12:39:13 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2010-05-30 20:47:06 0 d-----w- c:\docume~1\neil\applic~1\Sky-Banners

2010-05-30 20:46:50 339968 ----a-w- c:\windows\system32\RapportBuka.dll

2010-05-30 20:46:04 0 d-----w- c:\docume~1\neil\applic~1\Street-Ads

2010-05-30 20:44:33 0 d-----w- C:\spoolerlogs

==================== Find3M ====================

2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-14 11:50:14 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys

============= FINISH: 21:35:59.23 ===============


Hi,

Please run ComboFix with the following script (in safe mode if needed):

http://forums.malwarebytes.org/index.php?showtopic=53306
Suspect[76]::
c:\documents and settings\All Users\Application Data\Gxogga1H.dat
DDS::
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
RenV::
c:\program files\CyberLink\PowerDVD\PDVDServ .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\McAfee.com\Agent\mcagent .exe


Thanks, much better that time, it ran all the way to the end :P

Steve

ComboFix 10-06-10.06 - Neil 12/06/2010 8:43.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.612 [GMT 1:00]

Running from: c:\documents and settings\Neil\Desktop\combofix.exe.exe

Command switches used :: c:\documents and settings\Neil\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\kbdhid.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))

.

2010-06-12 07:33 . 2010-06-12 07:33 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-08 17:27 . 2010-06-08 17:27 -------- d-----w- c:\documents and settings\Neil\Application Data\ElevatedDiagnostics

2010-06-08 17:20 . 2010-06-08 17:20 -------- d-----w- c:\windows\system32\LogFiles

2010-06-07 22:17 . 2010-06-07 22:17 63488 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-07 22:17 . 2010-06-07 22:17 52224 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-07 22:17 . 2010-06-07 22:17 117760 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-07 22:16 . 2010-06-07 22:16 -------- d-----w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com

2010-06-07 22:16 . 2010-06-07 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-07 22:16 . 2010-06-07 22:16 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-07 17:56 . 2010-06-07 17:56 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\Supremus Corporation

2010-06-07 17:56 . 2010-06-07 17:56 -------- d-----w- c:\program files\Windows Updates Downloader

2010-06-07 06:29 . 2010-06-07 06:29 -------- d-----w- C:\spybot

2010-06-06 18:48 . 2010-06-06 18:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-06-06 17:42 . 2010-06-07 06:30 -------- dc-h--w- c:\windows\ie8

2010-06-06 17:26 . 2010-06-06 17:26 -------- d-----w- c:\program files\Common Files\Java

2010-06-06 17:26 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-06 17:23 . 2010-06-06 17:23 503808 ----a-w- c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6f24bc57-n\msvcp71.dll

2010-06-06 17:23 . 2010-06-06 17:23 499712 ----a-w- c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6f24bc57-n\jmc.dll

2010-06-06 17:23 . 2010-06-06 17:23 348160 ----a-w- c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6f24bc57-n\msvcr71.dll

2010-06-06 17:05 . 2010-06-07 06:29 -------- d-----w- c:\program files\BBC iPlayer Desktop

2010-06-06 16:24 . 2010-06-07 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-06 16:24 . 2010-06-07 06:29 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-06 14:37 . 2010-06-06 14:37 -------- d-----w- c:\program files\Trend Micro

2010-06-06 12:47 . 2010-06-06 12:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2010-06-06 12:45 . 2010-06-06 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor

2010-06-06 12:42 . 2010-02-17 15:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-06-06 12:42 . 2010-02-17 15:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2010-06-06 12:42 . 2010-02-17 15:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-06-06 12:42 . 2009-07-16 11:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-06-06 12:41 . 2010-06-06 12:42 -------- d-----w- c:\program files\Common Files\McAfee

2010-06-06 12:41 . 2010-06-06 12:41 -------- d-----w- c:\program files\McAfee.com

2010-06-06 12:41 . 2010-06-11 18:48 -------- d-----w- c:\program files\McAfee

2010-06-06 12:39 . 2010-02-17 15:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2010-06-06 12:28 . 2010-06-06 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-05-30 20:47 . 2010-05-30 20:47 -------- d-----w- c:\documents and settings\Neil\Application Data\Sky-Banners

2010-05-30 20:46 . 2010-05-30 20:46 0 ----a-w- c:\documents and settings\Neil\Application Data\Trusteer\Rapport\RapportBukaExt.dll

2010-05-30 20:46 . 2010-05-30 20:46 339968 ----a-w- c:\windows\system32\RapportBuka.dll

2010-05-30 20:46 . 2010-05-30 20:46 -------- d-----w- c:\documents and settings\Neil\Application Data\Street-Ads

2010-05-30 20:45 . 2010-06-06 11:56 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\swthcrcap

2010-05-30 20:44 . 2010-05-30 20:44 -------- d-----w- c:\program files\$NtUninstallWTF1012$

2010-05-30 20:44 . 2010-05-30 20:44 -------- d-----w- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-10 17:35 . 2009-10-20 13:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-09 04:55 . 2010-06-06 20:20 112 ----a-w- c:\documents and settings\All Users\Application Data\Gxogga1H.dat

2010-06-07 22:06 . 2009-03-25 09:01 18992 ----a-w- c:\documents and settings\Neil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-06 17:26 . 2009-03-25 16:45 -------- d-----w- c:\program files\Java

2010-06-06 11:46 . 2010-03-08 15:24 -------- d-----w- c:\documents and settings\Neil\Application Data\Ezzi

2010-05-31 18:50 . 2010-04-10 00:33 -------- d-----w- c:\documents and settings\Neil\Application Data\Absei

2010-05-27 20:27 . 2009-03-25 18:45 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-29 14:39 . 2009-10-20 13:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39 . 2009-10-20 13:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-14 11:50 . 2010-04-14 11:50 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys

.

<pre>
c:\program files\McAfee.com\Agent\mcagent .exe
</pre>

((((((((((((((((((((((((((((( SnapShot@2010-06-10_17.35.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-03-25 08:15 . 2010-06-11 18:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-03-25 08:15 . 2010-06-09 04:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-03-25 08:15 . 2010-06-11 18:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-03-25 08:15 . 2010-06-09 04:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-06-11 01:29 . 2010-06-11 18:49 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-03-25 08:15 . 2010-06-09 04:45 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-06-11 20:11 . 2010-06-11 20:11 231888 c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe

+ 2010-06-11 20:11 . 2010-06-11 20:11 311760 c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-01 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 15961088]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"nwiz"="nwiz.exe" [2008-09-17 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [27/02/2010 11:00 390528]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [20/10/2009 14:56 304464]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [06/06/2010 13:44 203280]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [03/05/2005 12:25 710144]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20/10/2009 14:56 20952]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [25/03/2009 17:54 7040]

S0 qtsgs;qtsgs; [x]

S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/03/2010 14:47 0]

S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 14:47 0]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/02/2010 12:58 135664]

S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 14:47 0]

.

Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 11:58]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 11:58]

2010-06-06 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-06 11:22]

2010-06-06 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-06 11:22]

2010-06-12 c:\windows\Tasks\User_Feed_Synchronization-{8959302F-D951-401A-AA54-755F876C0499}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = <local>

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

.

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(5244)

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\wdfmgr.exe

c:\progra~1\COMMON~1\X10\Common\x10nets.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\RUNDLL32.EXE

.

**************************************************************************

.

Completion time: 2010-06-12 08:58:43 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-12 07:58

ComboFix2.txt 2010-06-10 17:44

Pre-Run: 62,715,670,528 bytes free

Post-Run: 62,805,942,272 bytes free

- - End Of File - - F04A9C51B8F0834C1B8EAEAEFB4E3205


Good. Let's have one more run.

Open notepad and copy/paste the text in the quotebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=53306
Suspect::[76]
c:\documents and settings\All Users\Application Data\Gxogga1H.dat
RenV::
c:\program files\McAfee.com\Agent\mcagent .exe
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.


Here you go, this is another attempt.

Steve

ComboFix 10-06-10.06 - Neil 12/06/2010 12:00:02.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.609 [GMT 1:00]

Running from: c:\documents and settings\Neil\Desktop\combofix.exe.exe

Command switches used :: c:\documents and settings\Neil\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\documents and settings\All Users\Application Data\Gxogga1H.dat

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\kbdhid.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))

.

2010-06-12 07:34 . 2010-06-12 07:58 -------- d-----w- C:\combofix.exe

2010-06-12 07:33 . 2010-06-12 10:50 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-08 17:27 . 2010-06-08 17:27 -------- d-----w- c:\documents and settings\Neil\Application Data\ElevatedDiagnostics

2010-06-08 17:20 . 2010-06-08 17:20 -------- d-----w- c:\windows\system32\LogFiles

2010-06-07 22:17 . 2010-06-07 22:17 63488 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-07 22:17 . 2010-06-07 22:17 52224 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-07 22:17 . 2010-06-07 22:17 117760 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-07 22:16 . 2010-06-07 22:16 -------- d-----w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com

2010-06-07 22:16 . 2010-06-07 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-07 22:16 . 2010-06-07 22:16 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-07 17:56 . 2010-06-07 17:56 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\Supremus Corporation

2010-06-07 17:56 . 2010-06-07 17:56 -------- d-----w- c:\program files\Windows Updates Downloader

2010-06-07 06:29 . 2010-06-07 06:29 -------- d-----w- C:\spybot

2010-06-06 18:48 . 2010-06-06 18:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-06-06 17:42 . 2010-06-07 06:30 -------- dc-h--w- c:\windows\ie8

2010-06-06 17:26 . 2010-06-06 17:26 -------- d-----w- c:\program files\Common Files\Java

2010-06-06 17:26 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-06 17:23 . 2010-06-06 17:23 503808 ----a-w- c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6f24bc57-n\msvcp71.dll

2010-06-06 17:23 . 2010-06-06 17:23 499712 ----a-w- c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6f24bc57-n\jmc.dll

2010-06-06 17:23 . 2010-06-06 17:23 348160 ----a-w- c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6f24bc57-n\msvcr71.dll

2010-06-06 17:05 . 2010-06-07 06:29 -------- d-----w- c:\program files\BBC iPlayer Desktop

2010-06-06 16:24 . 2010-06-07 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-06 16:24 . 2010-06-07 06:29 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-06 14:37 . 2010-06-06 14:37 -------- d-----w- c:\program files\Trend Micro

2010-06-06 12:47 . 2010-06-06 12:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2010-06-06 12:45 . 2010-06-06 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor

2010-06-06 12:42 . 2010-02-17 15:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-06-06 12:42 . 2010-02-17 15:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2010-06-06 12:42 . 2010-02-17 15:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-06-06 12:42 . 2009-07-16 11:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-06-06 12:41 . 2010-06-06 12:42 -------- d-----w- c:\program files\Common Files\McAfee

2010-06-06 12:41 . 2010-06-06 12:41 -------- d-----w- c:\program files\McAfee.com

2010-06-06 12:41 . 2010-06-11 18:48 -------- d-----w- c:\program files\McAfee

2010-06-06 12:39 . 2010-02-17 15:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2010-06-06 12:28 . 2010-06-06 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-05-30 20:47 . 2010-05-30 20:47 -------- d-----w- c:\documents and settings\Neil\Application Data\Sky-Banners

2010-05-30 20:46 . 2010-05-30 20:46 0 ----a-w- c:\documents and settings\Neil\Application Data\Trusteer\Rapport\RapportBukaExt.dll

2010-05-30 20:46 . 2010-05-30 20:46 339968 ----a-w- c:\windows\system32\RapportBuka.dll

2010-05-30 20:46 . 2010-05-30 20:46 -------- d-----w- c:\documents and settings\Neil\Application Data\Street-Ads

2010-05-30 20:45 . 2010-06-06 11:56 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\swthcrcap

2010-05-30 20:44 . 2010-05-30 20:44 -------- d-----w- c:\program files\$NtUninstallWTF1012$

2010-05-30 20:44 . 2010-05-30 20:44 -------- d-----w- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-10 17:35 . 2009-10-20 13:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-09 04:55 . 2010-06-06 20:20 112 ----a-w- c:\documents and settings\All Users\Application Data\Gxogga1H.dat

2010-06-07 22:06 . 2009-03-25 09:01 18992 ----a-w- c:\documents and settings\Neil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-06 17:26 . 2009-03-25 16:45 -------- d-----w- c:\program files\Java

2010-06-06 11:46 . 2010-03-08 15:24 -------- d-----w- c:\documents and settings\Neil\Application Data\Ezzi

2010-05-31 18:50 . 2010-04-10 00:33 -------- d-----w- c:\documents and settings\Neil\Application Data\Absei

2010-05-27 20:27 . 2009-03-25 18:45 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-29 14:39 . 2009-10-20 13:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39 . 2009-10-20 13:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-14 11:50 . 2010-04-14 11:50 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys

.

<pre>
c:\program files\McAfee.com\Agent\mcagent .exe
</pre>

((((((((((((((((((((((((((((( SnapShot@2010-06-10_17.35.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-03-25 08:15 . 2010-06-11 18:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-03-25 08:15 . 2010-06-09 04:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-03-25 08:15 . 2010-06-11 18:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-03-25 08:15 . 2010-06-09 04:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-06-11 20:11 . 2010-06-11 20:11 231888 c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe

+ 2010-06-11 20:11 . 2010-06-11 20:11 311760 c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-01 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 15961088]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"nwiz"="nwiz.exe" [2008-09-17 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [27/02/2010 11:00 390528]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [20/10/2009 14:56 304464]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [06/06/2010 13:44 203280]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [03/05/2005 12:25 710144]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20/10/2009 14:56 20952]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [25/03/2009 17:54 7040]

S0 qtsgs;qtsgs; [x]

S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/03/2010 14:47 0]

S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 14:47 0]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/02/2010 12:58 135664]

S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 14:47 0]

.

Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 11:58]

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 11:58]

2010-06-06 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-06 11:22]

2010-06-06 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-06 11:22]

2010-06-12 c:\windows\Tasks\User_Feed_Synchronization-{8959302F-D951-401A-AA54-755F876C0499}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = <local>

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-12 12:10

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86C09EC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf76b4f28

\Driver\ACPI -> ACPI.sys @ 0xf7527cb8

\Driver\atapi -> atapi.sys @ 0xf74b9852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf73c5bb0

PacketIndicateHandler -> NDIS.sys @ 0xf73b4a0d

SendHandler -> NDIS.sys @ 0xf73c8b40

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(1064)

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\system32\wdfmgr.exe

c:\progra~1\COMMON~1\X10\Common\x10nets.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\RUNDLL32.EXE

.

**************************************************************************

.

Completion time: 2010-06-12 12:15:53 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-12 11:15

ComboFix2.txt 2010-06-12 07:58

ComboFix3.txt 2010-06-10 17:44

Pre-Run: 62,815,698,944 bytes free

Post-Run: 62,775,197,696 bytes free

- - End Of File - - 55A2F037C4EED8CCFDE29CF9B4624356


Hi,

One of the McAfee files is infected. Uninstall the program now and reinstall it later, after we've got the case finished.

Look for a zip file with a name like [76]-Submit in the c:\qoobox\quarantine folder and upload it to this website. Kindly include a link to this topic in the message.

1. Download TDSSKiller and extract its contents into a folder in a desired location (i.e. c:\tdsskiller).

2. Execute the file TDSSKiller.exe and wait for the process to finish.

3. Post back the contents of the log file in the c: drive root (the name should be in UtilityName.Version_Date_Time_log.txt format).


I have removed McAfee as requested and uploaded the file you asked me to. Here is the TDSSKiller log you asked for.

Thanks for your help

Steve

16:28:35:140 3532 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48

16:28:35:140 3532 ================================================================================

16:28:35:156 3532 SystemInfo:

16:28:35:156 3532 OS Version: 5.1.2600 ServicePack: 3.0

16:28:35:156 3532 Product type: Workstation

16:28:35:156 3532 ComputerName: PACKARD-BELL

16:28:35:156 3532 UserName: Neil

16:28:35:156 3532 Windows directory: C:\WINDOWS

16:28:35:156 3532 Processor architecture: Intel x86

16:28:35:156 3532 Number of processors: 2

16:28:35:156 3532 Page size: 0x1000

16:28:35:156 3532 Boot type: Normal boot

16:28:35:156 3532 ================================================================================

16:28:35:406 3532 Initialize success

16:28:35:406 3532

16:28:35:406 3532 Scanning Services ...

16:28:35:750 3532 Raw services enum returned 337 services

16:28:35:750 3532

16:28:35:750 3532 Scanning Drivers ...

16:28:38:281 3532 kbdhid (45f1b087d18265b316846816c1f47095) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

16:28:38:281 3532 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdhid.sys. Real md5: 45f1b087d18265b316846816c1f47095, Fake md5: 9ef487a186dea361aa06913a75b3fa99

16:28:38:281 3532 File "C:\WINDOWS\system32\DRIVERS\kbdhid.sys" infected by TDSS rootkit ...

16:28:40:031 3532 Backup copy found, using it..

16:28:40:031 3532 will be cured on next reboot

16:28:43:656 3532 Reboot required for cure complete..

16:28:44:046 3532 Cure on reboot scheduled successfully

16:28:44:046 3532

16:28:44:046 3532 Completed

16:28:44:046 3532

16:28:44:046 3532 Results:

16:28:44:046 3532 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

16:28:44:046 3532 File objects infected / cured / cured on reboot: 1 / 0 / 1

16:28:44:046 3532

16:28:44:046 3532 KLMD(ARK) unloaded successfully


I have just run combo fix again and here is the result. After running it, it wanted to upload the results to the server so I allowed it to do so. I tried connecting to windows update and it did! :angry: so it all looks like it's ok. Shall I run the Kaspersky online scan to make sure and shall I install McAfee etc.?

Very many thanks for your help.

ComboFix 10-06-10.06 - Neil 12/06/2010 18:07:43.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.682 [GMT 1:00]

Running from: c:\documents and settings\Neil\Desktop\combofix.exe.exe

Command switches used :: c:\documents and settings\Neil\Desktop\CFScript.txt

* Created a new restore point

file zipped: c:\documents and settings\All Users\Application Data\Gxogga1H.dat

.

((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))

.

2010-06-12 15:27 . 2010-06-12 15:28 -------- d-----w- C:\TDSSKiller

2010-06-12 07:34 . 2010-06-12 07:58 -------- d-----w- C:\combofix.exe

2010-06-12 07:33 . 2010-06-12 10:50 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-08 17:27 . 2010-06-08 17:27 -------- d-----w- c:\documents and settings\Neil\Application Data\ElevatedDiagnostics

2010-06-08 17:20 . 2010-06-08 17:20 -------- d-----w- c:\windows\system32\LogFiles

2010-06-07 22:17 . 2010-06-07 22:17 63488 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-07 22:17 . 2010-06-07 22:17 52224 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-07 22:17 . 2010-06-07 22:17 117760 ----a-w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-07 22:16 . 2010-06-07 22:16 -------- d-----w- c:\documents and settings\Neil\Application Data\SUPERAntiSpyware.com

2010-06-07 22:16 . 2010-06-07 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-07 22:16 . 2010-06-07 22:16 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-07 17:56 . 2010-06-07 17:56 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\Supremus Corporation

2010-06-07 17:56 . 2010-06-07 17:56 -------- d-----w- c:\program files\Windows Updates Downloader

2010-06-07 06:29 . 2010-06-07 06:29 -------- d-----w- C:\spybot

2010-06-06 18:48 . 2010-06-06 18:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-06-06 17:42 . 2010-06-07 06:30 -------- dc-h--w- c:\windows\ie8

2010-06-06 17:26 . 2010-06-06 17:26 -------- d-----w- c:\program files\Common Files\Java

2010-06-06 17:26 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-06 17:23 . 2010-06-06 17:23 503808 ----a-w- c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6f24bc57-n\msvcp71.dll

2010-06-06 17:23 . 2010-06-06 17:23 499712 ----a-w- c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6f24bc57-n\jmc.dll

2010-06-06 17:23 . 2010-06-06 17:23 348160 ----a-w- c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6f24bc57-n\msvcr71.dll

2010-06-06 17:05 . 2010-06-07 06:29 -------- d-----w- c:\program files\BBC iPlayer Desktop

2010-06-06 16:24 . 2010-06-07 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-06 16:24 . 2010-06-07 06:29 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-06-06 14:37 . 2010-06-06 14:37 -------- d-----w- c:\program files\Trend Micro

2010-06-06 12:47 . 2010-06-06 12:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2010-06-06 12:45 . 2010-06-06 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor

2010-06-06 12:28 . 2010-06-12 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-05-30 20:47 . 2010-05-30 20:47 -------- d-----w- c:\documents and settings\Neil\Application Data\Sky-Banners

2010-05-30 20:46 . 2010-05-30 20:46 0 ----a-w- c:\documents and settings\Neil\Application Data\Trusteer\Rapport\RapportBukaExt.dll

2010-05-30 20:46 . 2010-05-30 20:46 339968 ----a-w- c:\windows\system32\RapportBuka.dll

2010-05-30 20:46 . 2010-05-30 20:46 -------- d-----w- c:\documents and settings\Neil\Application Data\Street-Ads

2010-05-30 20:45 . 2010-06-06 11:56 -------- d-----w- c:\documents and settings\Neil\Local Settings\Application Data\swthcrcap

2010-05-30 20:44 . 2010-05-30 20:44 -------- d-----w- c:\program files\$NtUninstallWTF1012$

2010-05-30 20:44 . 2010-05-30 20:44 -------- d-----w- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-12 15:29 . 2003-03-31 12:00 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-06-10 17:35 . 2009-10-20 13:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-09 04:55 . 2010-06-06 20:20 112 ----a-w- c:\documents and settings\All Users\Application Data\Gxogga1H.dat

2010-06-07 22:06 . 2009-03-25 09:01 18992 ----a-w- c:\documents and settings\Neil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-06 17:26 . 2009-03-25 16:45 -------- d-----w- c:\program files\Java

2010-06-06 11:46 . 2010-03-08 15:24 -------- d-----w- c:\documents and settings\Neil\Application Data\Ezzi

2010-05-31 18:50 . 2010-04-10 00:33 -------- d-----w- c:\documents and settings\Neil\Application Data\Absei

2010-05-27 20:27 . 2009-03-25 18:45 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-29 14:39 . 2009-10-20 13:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39 . 2009-10-20 13:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-06-10_17.35.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-03-25 08:15 . 2010-06-11 18:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-03-25 08:15 . 2010-06-09 04:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-03-25 08:15 . 2010-06-11 18:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-03-25 08:15 . 2010-06-09 04:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-06-11 20:11 . 2010-06-11 20:11 231888 c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe

+ 2010-06-11 20:11 . 2010-06-11 20:11 311760 c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-01 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 15961088]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"nwiz"="nwiz.exe" [2008-09-17 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [27/02/2010 11:00 390528]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [20/10/2009 14:56 304464]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [03/05/2005 12:25 710144]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20/10/2009 14:56 20952]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [25/03/2009 17:54 7040]

S0 qtsgs;qtsgs; [x]

S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/03/2010 14:47 0]

S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 14:47 0]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/02/2010 12:58 135664]

S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 14:47 0]

.

Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 11:58]

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 11:58]

2010-06-12 c:\windows\Tasks\User_Feed_Synchronization-{8959302F-D951-401A-AA54-755F876C0499}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = <local>

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

SafeBoot-mcmscsvc

SafeBoot-MCODS

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-12 18:11

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(13840)

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2010-06-12 18:13:12

ComboFix-quarantined-files.txt 2010-06-12 17:13

ComboFix2.txt 2010-06-12 11:15

ComboFix3.txt 2010-06-12 07:58

ComboFix4.txt 2010-06-10 17:44

Pre-Run: 62,963,073,024 bytes free

Post-Run: 62,926,622,720 bytes free

- - End Of File - - A824B2D92E49A94302CE71787CF1AF26

Upload was successful


Hi Steve,

Those findings will be removed when ComboFix is uninstalled and System Restore is reset (instructions below).

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

NOTE: only do this ONCE, NOT on a regular basis

Now let's uninstall ComboFix (disable McAfee before that):

  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK

Please download OTC and save it to desktop.

  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of Windows has a hosts file as part of it.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!

    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here.

    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:



    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. Hit Enter, then locate DNS Client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok

  • Run Secunia vulnerability check here and fix its findings.

Just a final reminder for you. I am trying to stress these two points.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.

Make sure all of your security programs are up to date.

Visit Microsoft's Windows Update site frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,

Blade :)
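
An added example, not part of Blade's post: a Python audit of the six Internet-zone settings listed in the reply, run against a registry export of `Internet Settings\Zones\3`. The URL-action IDs and value meanings are Internet Explorer's documented zone settings; the sample export is constructed, the function names are hypothetical, and the export is assumed to be already decoded to text.

```python
import re

# Internet zone (Zones\3) URL-action IDs for the six settings in the reply,
# with the recommended value: 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED = {
    "1001": (1, "Download signed ActiveX controls"),
    "1004": (3, "Download unsigned ActiveX controls"),
    "1201": (3, "Initialize and script ActiveX controls not marked as safe"),
    "1800": (1, "Installation of desktop items"),
    "1804": (1, "Launching programs and files in an IFRAME"),
    "1607": (1, "Navigate sub-frames across different domains"),
}
STATE = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONE3 = r"software\microsoft\windows\currentversion\internet settings\zones\3"

def parse_zone3(reg_text):
    """Return {action_id: value} for the Zones\\3 key of a regedit export."""
    values, in_zone = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # key header: track whether we are in zone 3
            in_zone = line.strip("[]").lower().endswith(ZONE3)
        elif in_zone and (m := re.match(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$', line)):
            values[m.group(1).upper()] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """List (id, name, current, wanted) for settings weaker than advised or absent."""
    current, findings = parse_zone3(reg_text), []
    for action, (wanted, name) in RECOMMENDED.items():
        have = current.get(action)
        if have is None or have < wanted:  # a lower value is more permissive
            findings.append((action, name, STATE.get(have, "not set"), STATE[wanted]))
    return findings

# Constructed sample export (not taken from the machine in this thread).
SAMPLE = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1004"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s %s: %s, want %s" % finding)
```

A value reported as "not set" means the per-user key carries no entry for that action, so the effective setting comes from elsewhere (machine-wide defaults or policy) and should be checked in the Custom Level dialog.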
