
Double Trojans



Hi,

I have a Compaq Presario running XP.

A hearty blend of trojans: Trojan.FakeAlert and Trojan.DNSChanger.

They have incapacitated my Avast free antivirus and MBAM. They no longer connect to the internet and update. I have reinstalled the latest versions of both and scanned. Avast does not pick anything up.

I have been able to do an MBAM scan before and after and have attached the logs.

GMER had an error and informed me that it had to close, so I ran it again.

Thanks for your help in advance.

Ned

----------------------------

DDS

DDS (Ver_10-03-17.01) - NTFSx86

Run by Rachael at 23:41:37.64 on 28/07/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.463 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\DOCUME~1\DANAUS~1\LOCALS~1\Temp\Lmr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\PixArt\PAC207\Monitor.exe

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\crypserv.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\jusched.exe

C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\TalkTalk\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE

H:\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5643

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [iMC] c:\program files\friendfinder\friendfinder messenger 4\imc.exe

uRun: [EPSON SX600FW Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieke.exe /fu "c:\windows\temp\E_S1F4.tmp" /EF "HKCU"

uRun: [Java developer Script Browse] c:\windows\jusched.exe

uRun: [JDK5SWFMZY] c:\docume~1\danaus~1\locals~1\temp\Lmr.exe

mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [NapsterShell] c:\program files\napster\napster.exe /systray

mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe

mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Java developer Script Browse] c:\windows\jusched.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe

dRun: [vjdhmifk] c:\documents and settings\networkservice\local settings\application data\mtlaucmwx\mocosjhtssd.exe

StartupFolder: c:\docume~1\danaus~1\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe

StartupFolder: c:\documents and settings\dan austin\start menu\programs\startup\mapdrives.cmd

mPolicies-system: EnableLUA = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: flybe.com\www

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: NameServer = 93.188.162.65,93.188.161.205

TCP: {720F73F2-5248-4231-A22B-CEB6D498F6F7} = 93.188.162.65,93.188.161.205

TCP: {F7E9553A-00F4-41F9-AF97-5099D07548C9} = 93.188.162.65,93.188.161.205

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

LSA: Authentication Packages = msv1_0 nwprovau

Hosts: 217.28.130.188 TH03INFSER.SERVICES.BYWORKWISE.COM # Hosted Exchange Server Entry

Hosts: 217.28.130.188 THEXCHBE2X # Hosted Exchange Server Entry

Hosts: 217.28.130.188 THEXCHBE2X.SERVICES.BYWORKWISE.COM # Hosted Exchange Server Entry

Hosts: 217.28.130.188 THPDCSER.SERVICES.BYWORKWISE.COM # Hosted Exchange Server Entry

Hosts: 217.28.130.24 outlook.hostedservices.co.uk

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\danaus~1\applic~1\mozilla\firefox\profiles\ox8v728k.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT392534&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - sunriseradio Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk

FF - component: c:\documents and settings\dan austin\application data\mozilla\firefox\profiles\ox8v728k.default\extensions\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\dan austin\application data\mozilla\firefox\profiles\ox8v728k.default\extensions\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}\components\RadioWMPCore.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-28 165456]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-28 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-28 40384]

R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]

R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-28 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-28 40384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-15 136176]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-11 38224]

S3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [2009-10-16 618112]

=============== Created Last 30 ================

2010-07-28 22:38:47 0 ----a-w- c:\documents and settings\dan austin\defogger_reenable

2010-07-28 20:36:15 38848 ----a-w- c:\windows\avastSS.scr

2010-07-28 14:05:39 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-07-28 14:05:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-07-27 11:20:03 3249 ----a-w- c:\windows\system32\wbem\Outlook_01cb2d7da86007be.mof

2010-07-23 09:26:56 0 d-----w- c:\program files\BBC iPlayer Desktop

2010-07-19 10:09:57 2815 ----a-w- C:\tolo.exe

2010-07-19 10:09:56 2815 ----a-w- C:\sta.exe

2010-07-16 18:52:01 2815 ----a-w- C:\do.exe

2010-07-16 17:14:28 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-16 00:50:52 2815 ----a-w- C:\sdfsdf.exe

2010-07-15 16:41:52 2815 ----a-w- C:\wos.exe

2010-07-15 16:41:51 2815 ----a-w- C:\oe.exe

2010-07-15 12:58:19 183808 ----a-w- c:\windows\Lfovia.exe

2010-07-15 09:18:53 118 ----a-w- c:\windows\system32\MRT.INI

2010-07-15 09:17:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-07-14 19:39:04 3968 --sh--r- c:\windows\wintybrdf.jpg

2010-07-14 19:39:04 3416 --sh--r- c:\windows\wintybrd.png

2010-07-14 19:39:03 2209 ------w- c:\windows\mdll.dl

2010-07-14 19:34:40 72704 --sh--r- c:\windows\jusched.exe

2010-07-14 11:30:56 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 23:45:09.67 ===============

Before quick scan:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

28/07/2010 20:38:31

mbam-log-2010-07-28 (20-38-31).txt

Scan type: Quick scan

Objects scanned: 128936

Time elapsed: 15 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.65,93.188.161.205 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{720f73f2-5248-4231-a22b-ceb6d498f6f7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.65,93.188.161.205 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{720f73f2-5248-4231-a22b-ceb6d498f6f7}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.65,93.188.161.205 -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f7e9553a-00f4-41f9-af97-5099d07548c9}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.65,93.188.161.205 -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

After:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

28/07/2010 20:38:53

mbam-log-2010-07-28 (20-38-53).txt

Scan type: Quick scan

Objects scanned: 128936

Time elapsed: 15 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.65,93.188.161.205 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{720f73f2-5248-4231-a22b-ceb6d498f6f7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.65,93.188.161.205 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{720f73f2-5248-4231-a22b-ceb6d498f6f7}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.65,93.188.161.205 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f7e9553a-00f4-41f9-af97-5099d07548c9}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.65,93.188.161.205 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attach.zip

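The MBAM and DDS logs above show the two indicators that matter for a DNSChanger/FakeAlert pair: the Tcpip NameServer values rewritten to public resolvers the machine was never handed by its router, and the IE ProxyServer setting pointed at 127.0.0.1:5643 so every browser request passes through a local process first. As an added example (not code from this thread, from the poster or from Malwarebytes), here is a small Python triage script that walks DDS-style "Pseudo HJT Report" lines and flags those two indicators, plus autorun entries that launch from a Temp directory, from a service-account profile (NetworkService/LocalService) or from the Windows root. The sample lines are constructed to match the shapes in the thread's log; the expected_resolvers parameter is an assumption, the analyst supplies whatever resolvers the ISP or router legitimately hands out.

```python
"""Triage DDS-style report lines for DNS-changer and proxy-hijack indicators.

Added example for this thread, not a tool the helper or the poster used.
The heuristics only surface lines for an analyst to review; they do not
decide on their own what is malicious.
"""
import ipaddress
import re

# Constructed sample in the DDS line format; values mirror the thread's log.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
uRun: [JDK5SWFMZY] c:\\docume~1\\danaus~1\\locals~1\\temp\\Lmr.exe
uRun: [Java developer Script Browse] c:\\windows\\jusched.exe
mRun: [sunJavaUpdateSched] "c:\\program files\\java\\jre6\\bin\\jusched.exe"
mRun: [avast5] c:\\progra~1\\alwils~1\\avast5\\avastUI.exe /nogui
dRun: [vjdhmifk] c:\\documents and settings\\networkservice\\local settings\\application data\\mtlaucmwx\\mocosjhtssd.exe
TCP: NameServer = 93.188.162.65,93.188.161.205
TCP: {720F73F2-5248-4231-A22B-CEB6D498F6F7} = 93.188.162.65,93.188.161.205
TCP: {F7E9553A-00F4-41F9-AF97-5099D07548C9} = 192.168.1.1
"""

# DDS prefixes: u = current user, m = local machine, d = .DEFAULT hive.
NAMESERVER_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (.+)$")
PROXY_RE = re.compile(r"^[umd]Internet Settings,ProxyServer = (.+)$")
RUN_RE = re.compile(r"^[umd]Run: \[[^\]]*\]\s*(.+)$")
EXE_PATH_RE = re.compile(r'"?([a-z]:\\[^"\r\n]*?\.exe)\b', re.I)

# (pattern over the lowercased path, reason). Heuristics; tune for your estate.
SUSPICIOUS_PATH = [
    (re.compile(r"\\temp\\"), "autorun executable launched from a Temp directory"),
    (re.compile(r"\\(networkservice|localservice)\\"), "autorun under a service-account profile"),
    (re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$"), "executable dropped directly in the Windows root"),
]


def classify_resolver(ip_text, expected):
    """Return a reason string if the resolver warrants review, else None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return f"unparseable resolver {ip_text!r}"
    if ip in expected:
        return None
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return None  # LAN router or local resolver, the normal DHCP case
    return f"public resolver {ip} is not in the expected set"


def parse_proxy(value):
    """Split an IE ProxyServer value ('http=a:1;https=b:2' or 'a:1') into host:port strings."""
    return [p.split("=")[-1].strip() for p in value.split(";") if p.split("=")[-1].strip()]


def is_loopback_host(hostport):
    """True when the proxy host is localhost or a loopback address."""
    host = hostport.rpartition(":")[0] or hostport
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def triage(log_text, expected_resolvers=()):
    """Return findings as dicts with keys kind ('dns'|'proxy'|'run'), value, reason, line."""
    expected = {ipaddress.ip_address(x) for x in expected_resolvers}
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := NAMESERVER_RE.match(line):
            for raw in re.split(r"[,\s]+", m.group(1).strip()):
                if raw and (reason := classify_resolver(raw, expected)):
                    findings.append({"kind": "dns", "value": raw, "reason": reason, "line": line})
        elif m := PROXY_RE.match(line):
            for hostport in parse_proxy(m.group(1)):
                if is_loopback_host(hostport):
                    reason = "browser traffic routed through a local proxy on the loopback interface"
                else:
                    reason = "proxy configured; confirm it was set on purpose"
                findings.append({"kind": "proxy", "value": hostport, "reason": reason, "line": line})
        elif m := RUN_RE.match(line):
            exe = EXE_PATH_RE.search(m.group(1))
            if not exe:
                continue  # rundll32/cpl style entries carry no drive-letter path
            path = exe.group(1).lower()
            reasons = [why for pat, why in SUSPICIOUS_PATH if pat.search(path)]
            if reasons:
                findings.append({"kind": "run", "value": path, "reason": "; ".join(reasons), "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['value']}: {f['reason']}")
```

The flags are review prompts, not verdicts: a corporate proxy or a deliberately chosen public resolver will keep being reported until it is added to the expected set, and a loopback proxy is only benign if you installed a local filtering proxy yourself. On the live machine the same values live under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (per-interface NameServer and DhcpNameServer, exactly where MBAM reports them above) and HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, so a cleaned registry is worth re-checking after reboot, since a resident dropper will simply write them back.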

Hello albinoyogachick

Welcome to Malwarebytes.

=====================

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hi, go ahead and close the blue window.

Something may have caused it to stall.

Then reboot the system.

You may have to manually restart it via the power button if it will not shut down normally.

Then delete your version of ComboFix and redownload it from Link 1 or Link 2 and save it again to the desktop.

Disable your antivirus before even downloading it, as it may prevent ComboFix from running or downloading correctly.


Hi Kahdah,

So I closed it down. Deleted and copied the file to the desktop (from a datastick), as the laptop in question would not go to the Malwarebytes page (crafty buggers).

Log reads:

ComboFix 10-07-29.01 - Rachael 29/07/2010 21:25:19.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.563 [GMT 1:00]

Running from: c:\documents and settings\Dan Austin\Desktop\omboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\~WRD3963.tmp

C:\do.exe

c:\documents and settings\All Users\Start Menu\Programs\PC Camer@

c:\documents and settings\All Users\Start Menu\Programs\PC Camer@ \Amcap.lnk

c:\documents and settings\All Users\Start Menu\Programs\PC Camer@ \Uninstall.lnk

c:\documents and settings\Dan Austin\Application Data\444ee5dd.exe

C:\oe.exe

C:\sdfsdf.exe

C:\sta.exe

C:\tolo.exe

c:\windows\jusched.exe

c:\windows\Lfovia.exe

c:\windows\mdll.dl

c:\windows\system32\ernel32.dll

c:\windows\wintybrd.png

c:\windows\wintybrdf.jpg

C:\wos.exe

D:\AUTORUN.INF

.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))

.

2010-07-28 20:37 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-07-28 20:37 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-07-28 20:37 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-07-28 20:37 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-07-28 20:37 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-07-28 20:37 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-07-28 20:37 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-07-28 20:36 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

2010-07-28 20:36 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-07-28 14:05 . 2010-07-28 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-07-28 14:05 . 2010-07-28 14:05 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-07-28 13:43 . 2010-07-28 13:43 -------- d-----w- c:\program files\Windows Defender

2010-07-23 09:26 . 2010-07-23 09:26 -------- d-----w- c:\program files\BBC iPlayer Desktop

2010-07-22 10:57 . 2010-01-21 19:27 52224 ----a-w- c:\documents and settings\Dan Austin\Application Data\Mozilla\Firefox\Profiles\ox8v728k.default\extensions\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}\components\FFExternalAlert.dll

2010-07-22 10:57 . 2010-01-21 19:27 101376 ----a-w- c:\documents and settings\Dan Austin\Application Data\Mozilla\Firefox\Profiles\ox8v728k.default\extensions\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}\components\RadioWMPCore.dll

2010-07-16 17:14 . 2010-07-16 17:14 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-15 15:17 . 2010-07-15 15:17 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-07-15 14:49 . 2010-07-19 12:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\mtlaucmwx

2010-07-15 14:48 . 2010-07-15 14:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-15 13:32 . 2010-07-15 13:32 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-07-15 09:24 . 2010-07-15 09:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-07-15 09:19 . 2010-07-15 09:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

2010-07-15 09:19 . 2010-07-15 09:21 -------- d-----w- c:\program files\Google

2010-07-15 09:19 . 2010-07-15 09:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-07-15 09:17 . 2010-07-15 09:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-07-14 11:30 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-29 20:48 . 2008-02-05 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki

2010-07-29 13:56 . 2009-04-18 19:35 -------- d-----w- c:\documents and settings\Dan Austin\Application Data\U3

2010-07-29 10:14 . 2010-01-11 20:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-19 13:00 . 2009-05-16 12:17 -------- d-----w- c:\program files\FreeMind

2010-07-15 09:26 . 2009-05-01 10:56 -------- d-----w- c:\program files\Alwil Software

2010-06-14 14:31 . 2007-09-16 13:09 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

2010-05-25 16:11 . 2010-05-25 16:11 503808 ----a-w- c:\documents and settings\Dan Austin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-21599f8e-n\msvcp71.dll

2010-05-25 16:11 . 2010-05-25 16:11 499712 ----a-w- c:\documents and settings\Dan Austin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-21599f8e-n\jmc.dll

2010-05-25 16:11 . 2010-05-25 16:11 348160 ----a-w- c:\documents and settings\Dan Austin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-21599f8e-n\msvcr71.dll

2010-05-06 10:41 . 2002-08-29 04:41 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2002-08-29 03:14 1851264 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-24 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-24 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-24 131072]

"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]

"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Dan Austin\Start Menu\Programs\Startup\

BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-7-23 95232]

mapdrives.cmd [2008-4-26 135]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=

"c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=

"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=

"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [28/07/2010 21:37 165456]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [28/07/2010 21:37 17744]

R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]

R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/07/2010 10:19 136176]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/01/2010 21:55 38224]

S3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [16/10/2009 11:54 618112]

.

Contents of the 'Scheduled Tasks' folder

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-15 09:19]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-15 09:19]

2010-07-29 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5643

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: flybe.com\www

FF - ProfilePath - c:\documents and settings\Dan Austin\Application Data\Mozilla\Firefox\Profiles\ox8v728k.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT392534&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - sunriseradio Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk

FF - component: c:\documents and settings\Dan Austin\Application Data\Mozilla\Firefox\Profiles\ox8v728k.default\extensions\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\Dan Austin\Application Data\Mozilla\Firefox\Profiles\ox8v728k.default\extensions\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}\components\RadioWMPCore.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

HKCU-Run-IMC - c:\program files\FriendFinder\FriendFinder Messenger 4\imc.exe

HKCU-Run-Java developer Script Browse - c:\windows\jusched.exe

HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe

HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe

AddRemove-Winamp - c:\program files\Winamp\UninstWA.exe

AddRemove-{6E7DD182-9FC6-4651-0095-2E666CC6AF35} - c:\program files\EA GAMES\The Sims 2\EAUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-29 21:46

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-07-29 21:50:43

ComboFix-quarantined-files.txt 2010-07-29 20:50

Pre-Run: 52,344,877,056 bytes free

Post-Run: 53,843,386,368 bytes free

- - End Of File - - 03FDE706AE0AB6C5BB1FE4BB9F5FD363


1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Dequarantine::
C:\Qoobox\Quarantine\c\documents and settings\All Users\Start Menu\Programs\PC Camer@

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScriptB-4.gif]

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

=============

Update Run Malwarebytes

Please update/run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Hi Kahdah,

Kaspersky won't run as it keeps telling me that the download keeps getting interrupted. Any ideas?

Ned

ComboFix 10-07-29.02 - Rachael 30/07/2010 13:15:34.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.547 [GMT 1:00]

Running from: c:\documents and settings\Dan Austin\Desktop\omboFix.exe

Command switches used :: c:\documents and settings\Dan Austin\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))

.

2010-07-29 21:24 . 2010-07-29 21:24 -------- d-----w- c:\documents and settings\Dan Austin\Local Settings\Application Data\Temp

2010-07-28 20:37 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-07-28 20:37 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-07-28 20:37 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-07-28 20:37 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-07-28 20:37 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-07-28 20:37 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-07-28 20:37 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-07-28 20:36 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

2010-07-28 20:36 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-07-28 14:05 . 2010-07-28 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-07-28 14:05 . 2010-07-28 14:05 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-07-28 13:43 . 2010-07-28 13:43 -------- d-----w- c:\program files\Windows Defender

2010-07-23 09:26 . 2010-07-23 09:26 -------- d-----w- c:\program files\BBC iPlayer Desktop

2010-07-22 10:57 . 2010-01-21 19:27 52224 ----a-w- c:\documents and settings\Dan Austin\Application Data\Mozilla\Firefox\Profiles\ox8v728k.default\extensions\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}\components\FFExternalAlert.dll

2010-07-22 10:57 . 2010-01-21 19:27 101376 ----a-w- c:\documents and settings\Dan Austin\Application Data\Mozilla\Firefox\Profiles\ox8v728k.default\extensions\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}\components\RadioWMPCore.dll

2010-07-16 17:14 . 2010-07-16 17:14 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-15 15:17 . 2010-07-15 15:17 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-07-15 14:49 . 2010-07-19 12:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\mtlaucmwx

2010-07-15 14:48 . 2010-07-15 14:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-15 13:32 . 2010-07-15 13:32 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-07-15 09:24 . 2010-07-15 09:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-07-15 09:19 . 2010-07-15 09:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

2010-07-15 09:19 . 2010-07-15 09:21 -------- d-----w- c:\program files\Google

2010-07-15 09:19 . 2010-07-15 09:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-07-15 09:17 . 2010-07-15 09:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-07-14 11:30 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-30 12:23 . 2008-02-05 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki

2010-07-29 13:56 . 2009-04-18 19:35 -------- d-----w- c:\documents and settings\Dan Austin\Application Data\U3

2010-07-29 10:14 . 2010-01-11 20:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-19 13:00 . 2009-05-16 12:17 -------- d-----w- c:\program files\FreeMind

2010-07-15 09:26 . 2009-05-01 10:56 -------- d-----w- c:\program files\Alwil Software

2010-06-14 14:31 . 2007-09-16 13:09 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

2010-05-25 16:11 . 2010-05-25 16:11 503808 ----a-w- c:\documents and settings\Dan Austin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-21599f8e-n\msvcp71.dll

2010-05-25 16:11 . 2010-05-25 16:11 499712 ----a-w- c:\documents and settings\Dan Austin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-21599f8e-n\jmc.dll

2010-05-25 16:11 . 2010-05-25 16:11 348160 ----a-w- c:\documents and settings\Dan Austin\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-21599f8e-n\msvcr71.dll

2010-05-06 10:41 . 2002-08-29 04:41 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2002-08-29 03:14 1851264 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-24 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-24 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-24 131072]

"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]

"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-10 323584]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Dan Austin\Start Menu\Programs\Startup\

BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-7-23 95232]

mapdrives.cmd [2008-4-26 135]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=

"c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=

"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=

"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [28/07/2010 21:37 165456]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [28/07/2010 21:37 17744]

R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]

R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/07/2010 10:19 136176]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/01/2010 21:55 38224]

S3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [16/10/2009 11:54 618112]

.

Contents of the 'Scheduled Tasks' folder

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-15 09:19]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-15 09:19]

2010-07-29 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: flybe.com\www

FF - ProfilePath - c:\documents and settings\Dan Austin\Application Data\Mozilla\Firefox\Profiles\ox8v728k.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT392534&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - sunriseradio Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk

FF - component: c:\documents and settings\Dan Austin\Application Data\Mozilla\Firefox\Profiles\ox8v728k.default\extensions\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\Dan Austin\Application Data\Mozilla\Firefox\Profiles\ox8v728k.default\extensions\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}\components\RadioWMPCore.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-30 13:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)

c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(992)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll

c:\windows\system32\ieframe.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-07-30 13:25:23

ComboFix-quarantined-files.txt 2010-07-30 12:25

ComboFix2.txt 2010-07-29 20:50

C:\DeQuarantine.txt

Pre-Run: 53,700,120,576 bytes free

Post-Run: 53,680,472,064 bytes free

- - End Of File - - 00789DEC568C5E78EC6542B68D585EDD

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4369

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

30/07/2010 14:19:28

mbam-log-2010-07-30 (14-19-28).txt

Scan type: Quick scan

Objects scanned: 129581

Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Please click here to download Kaspersky Virus Removal Tool.

  1. Double click on the file you just downloaded and let it install.
  2. It will install to your desktop.
  3. After that leave what is selected and put a check next to My Computer.
  4. Click on the option that says Threat Detection and change it to Disinfect, delete if disinfection fails.
  5. Then click on Start Scan.
  6. Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  7. When the scan is done no log will be produced.
  8. Click on the bottom where it says Report to open the report.
  9. Then highlight all of the items found by using ctrl + a on your keyboard to select all, or use your mouse to select all, then right click and choose copy.
  10. This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  11. You can save this on the desktop.
  12. Post the contents of the document in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.


Hi Kahdah,

From Kaspersky

C:\

D:\

E:\

Scan statistics

Objects scanned 81383

Threats found 5

Infected objects found 8

Suspicious objects found 0

Scan duration 03:02:32

File name Threat Threats count

C:\Qoobox\32788R22FWJFW\dmio.sys Infected: Rootkit.Win32.TDSS.ap 1

C:\Qoobox\Quarantine\C\Documents and Settings\Dan Austin\Application Data\444ee5dd.exe.vir Infected: Backdoor.Win32.TDSS.ue 1

C:\Qoobox\Quarantine\C\WINDOWS\jusched.exe.vir Infected: Backdoor.Win32.IRCBot.prf 1

C:\Qoobox\Quarantine\C\WINDOWS\Lfovia.exe.vir Infected: Packed.Win32.Katusha.n 1

C:\System Volume Information\_restore{7DDD34C1-6DDD-4E49-AFD4-A22CBB49D785}\RP587\A0194526.exe Infected: Trojan.Win32.FraudPack.azvc 1

C:\System Volume Information\_restore{7DDD34C1-6DDD-4E49-AFD4-A22CBB49D785}\RP595\A0198151.exe Infected: Backdoor.Win32.TDSS.ue 1

C:\System Volume Information\_restore{7DDD34C1-6DDD-4E49-AFD4-A22CBB49D785}\RP595\A0198156.exe Infected: Backdoor.Win32.IRCBot.prf 1

C:\System Volume Information\_restore{7DDD34C1-6DDD-4E49-AFD4-A22CBB49D785}\RP595\A0198157.exe Infected: Packed.Win32.Katusha.n 1

Selected area has been scanned.


Hi,

Not had much running. Anything I should do to check - ie. put it through its paces?

All apps seem ok. Opened Word, Windows Explorer, Mozilla.

Spybot won't run?

Ned

DDS (Ver_10-03-17.01) - NTFSx86

Run by Rachael at 13:41:40.23 on 02/08/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.622 [GMT 1:00]

AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\PixArt\PAC207\Monitor.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\TalkTalk\bin\sprtsvc.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKE.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

H:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe

mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe

mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"

mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\danaus~1\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe

StartupFolder: c:\documents and settings\dan austin\start menu\programs\startup\mapdrives.cmd

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: flybe.com\www

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\danaus~1\applic~1\mozilla\firefox\profiles\ox8v728k.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT392534&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - sunriseradio Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk

FF - component: c:\documents and settings\dan austin\application data\mozilla\firefox\profiles\ox8v728k.default\extensions\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\dan austin\application data\mozilla\firefox\profiles\ox8v728k.default\extensions\{6bcb9b24-850c-4fe5-a24a-b2bfcd67448f}\components\RadioWMPCore.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-28 165456]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-28 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-28 40384]

R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]

R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-15 136176]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-28 40384]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-28 40384]

S3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [2009-10-16 618112]

=============== Created Last 30 ================

2010-07-29 14:17:49 0 d-sha-r- C:\cmdcons

2010-07-29 14:02:15 98816 ----a-w- c:\windows\sed.exe

2010-07-29 14:02:15 77312 ----a-w- c:\windows\MBR.exe

2010-07-29 14:02:15 256512 ----a-w- c:\windows\PEV.exe

2010-07-29 14:02:15 161792 ----a-w- c:\windows\SWREG.exe

2010-07-28 22:38:47 0 ----a-w- c:\documents and settings\dan austin\defogger_reenable

2010-07-28 20:36:15 38848 ----a-w- c:\windows\avastSS.scr

2010-07-28 14:05:39 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-07-28 14:05:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-07-27 11:20:03 3249 ----a-w- c:\windows\system32\wbem\Outlook_01cb2d7da86007be.mof

2010-07-23 09:26:56 0 d-----w- c:\program files\BBC iPlayer Desktop

2010-07-16 17:14:28 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-15 09:18:53 118 ----a-w- c:\windows\system32\MRT.INI

2010-07-15 09:17:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-07-14 11:30:56 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 13:42:26.29 ===============

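The DDS log above is the kind of report a helper reads by eye. The following is an added triage script (not part of the thread, and not a DDS or Malwarebytes tool) that applies the checks a reader would apply to such a log: the AV status line, processes started from a Temp folder, BHO or toolbar registrations that point at no file, where the Firefox default search URL goes, and how many JRE 1.6.0 updates are still registered through DPF entries (the reason the later "Update Java" step has you remove several versions). The log excerpt embedded in it is constructed to mirror the sections of the posted log; the Temp-folder process is invented so that the check fires, and the expected search domains and the user-writable path markers are assumptions.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity category detail")

# Constructed excerpt in the shape of a DDS log. The section headers and entry
# formats follow the posted log; the Temp-folder process is invented.
SAMPLE_DDS = """\
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\Program Files\\Alwil Software\\Avast5\\AvastSvc.exe
C:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\sample.exe
C:\\Program Files\\Mozilla Firefox\\firefox.exe
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
================= FIREFOX ===================
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT392534&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
"""

# Assumption: the search domains the machine's owner actually chose.
EXPECTED_SEARCH_DOMAINS = {"www.google.com", "www.google.co.uk"}
# Assumption: an executable running from one of these paths deserves a second look.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\")
# DDS defangs URLs as hxxp://, so match that spelling.
DOMAIN_RE = re.compile(r"hxxps?://([^/\s]+)")
JAVA_RE = re.compile(r"jinstall-1_6_0_(\d+)-")


def triage(text):
    """Walk a DDS log section by section and return a list of Finding tuples."""
    findings = []
    section = None
    java_updates = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("=") and line.endswith("="):
            section = line.strip("= ").lower()      # e.g. "running processes"
            continue
        low = line.lower()
        if line.startswith("AV:"):
            if "scanning disabled" in low:
                findings.append(Finding("high", "av", "real-time scanning is off: " + line))
            if "(outdated)" in low:
                findings.append(Finding("medium", "av", "signatures outdated: " + line))
        elif section == "running processes":
            if any(marker in low for marker in USER_WRITABLE_MARKERS):
                findings.append(Finding("high", "process", "running from user-writable path: " + line))
        elif line.startswith(("BHO:", "TB:", "EB:")) and low.endswith("- no file"):
            findings.append(Finding("low", "orphan", "registration with no file: " + line))
        elif line.startswith("DPF:"):
            m = JAVA_RE.search(line)
            if m:
                java_updates.add(int(m.group(1)))
        elif line.startswith("FF - prefs.js: browser.search.defaulturl"):
            m = DOMAIN_RE.search(line)
            if m and m.group(1).lower() not in EXPECTED_SEARCH_DOMAINS:
                findings.append(Finding("medium", "browser", "search provider points at " + m.group(1)))
    # Every JRE update below the newest one registered is an old, unpatched copy.
    if len(java_updates) > 1:
        stale = sorted(java_updates)[:-1]
        findings.append(Finding("medium", "java",
                                "stale JRE 1.6.0 updates still registered: "
                                + ", ".join(f"_{u:02d}" for u in stale)))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage(SAMPLE_DDS), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.category:8} {f.detail}")
```

Run it as a script and the findings print highest severity first; to triage a real log, pass the file's text to triage() instead of SAMPLE_DDS. The orphaned BHO/TB entries are rated low because they are leftovers rather than active code, while a process image in a Temp folder is rated high for the opposite reason.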

Hi Kahdah.

Just tried to download definitions for Avast. It won't connect to the server to update (which it was doing before). I then uninstalled and reinstalled and still have the same problem.

I just looked at the kaspersky report and it found five threats. Did it get rid of these?

Sorry to question but I like to gain a bit of knowledge when I'm doing this.

Would you advise me to get any specific antivirus?

Thanks for your help Kahdah.

Deity and star!

Ned


OK, can you manually go to the Avast website?

If so then it is not being blocked.

Could be a temporary issue.

Try another antivirus such as Avira or Microsoft Security Essentials see if they have the same result.

The items that Kaspersky found are in quarantine by Combofix, and the rest are only in the System Restore cache; they will be removed when we do our final cleanup.

Try another antivirus and let me know the results.

Uninstall avast first though.

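The question of whether a scanner "got rid of" a detection comes down to where the detected file sits: a copy held in another tool's quarantine or in a System Restore point cannot run, while a file in a live system path can. The script below is an added example (not from the thread, and not a Kaspersky or ComboFix tool) that parses report lines in the "File name / Threat / Threats count" shape of the Kaspersky report above and sorts each detection into ComboFix's quarantine, ComboFix's working folder, a restore point, or "live". The sample report inside it is constructed; its last entry is an invented live detection so the "needs action" case is exercised. The path rules (C:\Qoobox for ComboFix, System Volume Information\_restore{...} for XP restore points) are assumptions based on where those tools keep files.

```python
import re
from collections import Counter

# Constructed sample in the shape of the posted report. The first three entries
# mirror real report lines; the last is invented to show a detection that is
# neither quarantined nor inside a restore point.
SAMPLE_REPORT = """\
C:\\Qoobox\\32788R22FWJFW\\dmio.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\jusched.exe.vir Infected: Backdoor.Win32.IRCBot.prf 1
C:\\System Volume Information\\_restore{7DDD34C1-6DDD-4E49-AFD4-A22CBB49D785}\\RP595\\A0198151.exe Infected: Backdoor.Win32.TDSS.ue 1
C:\\WINDOWS\\system32\\sample_live.dll Infected: Trojan.Win32.Sample.a 1
"""

# Path may contain spaces, so match lazily up to the literal " Infected: ".
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumed locations: ComboFix keeps what it removed under C:\Qoobox, and
# Windows XP keeps restore-point copies under System Volume Information\_restore{...}.
COMBOFIX_ROOT = "c:\\qoobox\\"
RESTORE_MARKER = "\\system volume information\\_restore{"


def classify_path(path):
    """Return where a detected file sits: already neutralised, or still live."""
    p = path.lower()
    if p.startswith(COMBOFIX_ROOT):
        return "combofix_quarantine" if "\\quarantine\\" in p else "combofix_working_dir"
    if RESTORE_MARKER in p:
        return "system_restore_point"
    return "live"


def parse_report(text):
    """Parse detection lines into (path, threat, location) tuples; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            path = m.group("path")
            findings.append((path, m.group("threat"), classify_path(path)))
    return findings


def summarize(findings):
    """Count detections per location."""
    return Counter(loc for _, _, loc in findings)


def still_live(findings):
    """Detections that are neither quarantined nor in a restore point: these need action now."""
    return [(path, threat) for path, threat, loc in findings if loc == "live"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for path, threat, loc in found:
        print(f"{loc:22} {threat:28} {path}")
    print(summarize(found))
    print("needs action:", still_live(found))
```

Anything that lands in the "live" bucket is the part of a report worth raising immediately; the quarantine and restore-point buckets are the ones the final cleanup (uninstalling ComboFix and resetting System Restore) takes care of.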

Hi Kahdah,

All seems fine. I will continue on with Avira. Report below.

What do I need to do to close this off?

Thanks again.

Ned

Avira AntiVir Personal

Report file date: 03 August 2010 13:39

Scanning for 2671665 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : Rachael

Computer name : RACHAELPC

Version information:

BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00

AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 12:37:38

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 12:57:04

LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 18:33:04

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/10/2010 23:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 09:05:36

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 19:27:49

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 17:37:42

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 16:37:42

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 11:29:03

VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 12:37:42

VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 12:37:45

VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 12:37:52

VBASE008.VDF : 7.10.9.166 2048 Bytes 7/23/2010 12:37:52

VBASE009.VDF : 7.10.9.167 2048 Bytes 7/23/2010 12:37:52

VBASE010.VDF : 7.10.9.168 2048 Bytes 7/23/2010 12:37:52

VBASE011.VDF : 7.10.9.169 2048 Bytes 7/23/2010 12:37:52

VBASE012.VDF : 7.10.9.170 2048 Bytes 7/23/2010 12:37:52

VBASE013.VDF : 7.10.9.198 157696 Bytes 7/26/2010 12:37:53

VBASE014.VDF : 7.10.9.255 997888 Bytes 7/29/2010 12:37:54

VBASE015.VDF : 7.10.10.28 139264 Bytes 8/2/2010 12:37:55

VBASE016.VDF : 7.10.10.29 2048 Bytes 8/2/2010 12:37:55

VBASE017.VDF : 7.10.10.30 2048 Bytes 8/2/2010 12:37:55

VBASE018.VDF : 7.10.10.31 2048 Bytes 8/2/2010 12:37:55

VBASE019.VDF : 7.10.10.32 2048 Bytes 8/2/2010 12:37:55

VBASE020.VDF : 7.10.10.33 2048 Bytes 8/2/2010 12:37:55

VBASE021.VDF : 7.10.10.34 2048 Bytes 8/2/2010 12:37:55

VBASE022.VDF : 7.10.10.35 2048 Bytes 8/2/2010 12:37:55

VBASE023.VDF : 7.10.10.36 2048 Bytes 8/2/2010 12:37:55

VBASE024.VDF : 7.10.10.37 2048 Bytes 8/2/2010 12:37:55

VBASE025.VDF : 7.10.10.38 2048 Bytes 8/2/2010 12:37:55

VBASE026.VDF : 7.10.10.39 2048 Bytes 8/2/2010 12:37:55

VBASE027.VDF : 7.10.10.40 2048 Bytes 8/2/2010 12:37:55

VBASE028.VDF : 7.10.10.41 2048 Bytes 8/2/2010 12:37:56

VBASE029.VDF : 7.10.10.42 2048 Bytes 8/2/2010 12:37:56

VBASE030.VDF : 7.10.10.43 2048 Bytes 8/2/2010 12:37:56

VBASE031.VDF : 7.10.10.49 111104 Bytes 8/3/2010 12:37:56

Engineversion : 8.2.4.32

AEVDF.DLL : 8.1.2.1 106868 Bytes 8/3/2010 12:38:05

AESCRIPT.DLL : 8.1.3.42 1364347 Bytes 8/3/2010 12:38:05

AESCN.DLL : 8.1.6.1 127347 Bytes 8/3/2010 12:38:04

AESBX.DLL : 8.1.3.1 254324 Bytes 8/3/2010 12:38:05

AERDL.DLL : 8.1.8.2 614772 Bytes 8/3/2010 12:38:04

AEPACK.DLL : 8.2.3.3 471414 Bytes 8/3/2010 12:38:03

AEOFFICE.DLL : 8.1.1.8 201081 Bytes 8/3/2010 12:38:02

AEHEUR.DLL : 8.1.2.10 2830711 Bytes 8/3/2010 12:38:02

AEHELP.DLL : 8.1.13.2 242039 Bytes 8/3/2010 12:37:59

AEGEN.DLL : 8.1.3.18 393589 Bytes 8/3/2010 12:37:59

AEEMU.DLL : 8.1.2.0 393588 Bytes 8/3/2010 12:37:58

AECORE.DLL : 8.1.16.2 192887 Bytes 8/3/2010 12:37:58

AEBB.DLL : 8.1.1.0 53618 Bytes 8/3/2010 12:37:57

AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 12:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 12:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 16:47:40

AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 12:35:46

AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 12:39:51

AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 12:22:13

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 09:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 12:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 15:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 14:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 13:10:20

RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 14:14:29

Configuration settings for the scan:

Jobname.............................: Short system scan after installation

Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: off

Integrity checking of system files..: off

Scan all files......................: Intelligent file selection

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: high

Deviating risk categories...........: +PFS,

Start of the scan: 03 August 2010 13:39

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avnotify.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avconfig.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avshadow.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'setup.exe' - '1' Module(s) have been scanned

Scan process 'presetup.exe' - '1' Module(s) have been scanned

Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'AvastSvc.exe' - '1' Module(s) have been scanned

Scan process 'plugin-container.exe' - '1' Module(s) have been scanned

Scan process 'firefox.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'HPQTOA~1.EXE' - '1' Module(s) have been scanned

Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned

Scan process 'MSASCui.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'BJMyPrt.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'OpwareSE4.exe' - '1' Module(s) have been scanned

Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned

Scan process 'Monitor.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'igfxpers.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'igfxtray.exe' - '1' Module(s) have been scanned

Scan process 'HPWAMain.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'Explorer.EXE' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'hpqwmiex.exe' - '1' Module(s) have been scanned

Scan process 'tgsrvc.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sprtsvc.exe' - '1' Module(s) have been scanned

Scan process 'KService.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'crypserv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Starting to scan executable files (registry).

The registry was scanned ( '1743' files ).

End of the scan: 03 August 2010 13:40

Used time: 00:58 Minute(s)

The scan has been done completely.

0 Scanned directories

2236 Files were scanned

0 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

2236 Files not concerned

5 Archives were scanned

0 Warnings

0 Notes


=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the Run box and click OK. Note the space between the X and the Uninstall; it needs to be there.

===============Update Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is left over.

After that you're all set.

=======The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance=======

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article: some great guidelines to follow to prevent future infections. Please read the Prevention article by Miekiemoes.

"How did I get infected in the first place?" Also this one by Tony Klein.

If your computer is slow is a tutorial on what you can do if your computer is slow.

File sharing program dangers: reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent etc.

==================Free antimalware tools used for on-demand scanning and cleaning (no real-time protection unless purchased)==================

Malwarebytes Antimalware

superantispyware

==================Free antivirus links==================

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free 9.0

This is just antivirus protection.

Antivir

This is antivirus and antispyware protection.

Avast


4 weeks later...

Glad we could help. :P

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.