
explorer.exe and winlogin infected - win32/patched


sparky182

This computer has been having serious problems lately, loads of trojans etc... it's my parents' computer and they have AVG free version and Spybot and now Malwarebytes... AVG picked up the trojans and put them in the virus vault yada yada.

But now, the next time I'm round, Resident Shield is popping up constantly saying explorer.exe and system32/winlogin files are infected with win32/patched, and can't heal them, and can't get rid of them as they are important files. I downloaded HijackThis last night and am currently running Malwarebytes.

This is my log for HijackThis:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 22:15:07, on 26/11/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\WINDOWS\system32\slserv.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\zHotkey.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\CameraFixer.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Bonusprint\Photoservice\dd.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SkypeMate\SkypeMate.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/?lc=1033

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F3 - REG:win.ini: load=C:\DOCUME~1\User\LOCALS~1\Temp\dwm.exe

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: BT Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup

O4 - HKLM\..\Run: [NokiaMusic FastStart] "C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe" /command:faststart

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Device Detection] C:\Program Files\Bonusprint\Photoservice\dd.exe

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-1577321890-803091373-1801922428-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Charlotte Hawkins')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: SkypeMate.lnk = C:\Program Files\SkypeMate\SkypeMate.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1227023713062

O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonusprint.com/ukipc01/dow...geUploader4.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

O23 - Service: ServiceLayer - Nokia - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--

End of file - 11832 bytes

I've trawled through many a forum; some are saying download programs such as ComboFix, but I need a trainer and stuff, so if anybody can help me PLEASE I'd love you forever.

Thanks!

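The HijackThis log above contains the entries that matter in this thread: an IE ProxyServer pointing at 127.0.0.1, a win.ini load= autostart launching dwm.exe from the user's Temp folder, and a Winlogon Notify DLL that no longer exists. The following Python script is an added example (not part of this thread, and not HijackThis' or Malwarebytes' own code) that reads lines in HijackThis v2 format and flags those three patterns plus Run-key autostarts from user-writable paths. The sample lines are copied from the log above; the names `triage_line`, `triage_log`, `Finding` and the two regular expressions are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of entries in HijackThis v2 format, copied from
# the log above. Only the R1 ProxyServer, F3 load= and O20 lines should fire.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\DOCUME~1\User\LOCALS~1\Temp\dwm.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# Directories a standard user can write to without admin rights. An autostart
# that launches a binary from one of these is the pattern seen in the log above
# (dwm.exe in Temp); system components live under \WINDOWS or \Program Files.
USER_WRITABLE = re.compile(r"\\(?:Temp|LOCALS~1|Application Data|APPLIC~1)\\", re.IGNORECASE)

# ProxyServer set to the loopback address: every IE request is handed to a
# process listening on this same machine, not to a real proxy.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost)(?::\d+)?", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" or "info"
    section: str    # HijackThis section code: R1, F3, O4, O20, ...
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis entry; None means nothing stood out."""
    line = line.strip()
    m = re.match(r"^([RFO]\d+) - (.*)$", line)
    if not m:
        return None
    section, body = m.groups()
    if section == "R1" and LOOPBACK_PROXY.search(body):
        return Finding("high", section, "IE proxy points at the loopback address", line)
    if section == "F3" and "load=" in body.lower() and USER_WRITABLE.search(body):
        return Finding("high", section, "win.ini load= autostart from a user-writable path", line)
    if section == "O4" and USER_WRITABLE.search(body):
        return Finding("high", section, "Run-key autostart from a user-writable path", line)
    if section == "O20" and "(file missing)" in body:
        return Finding("info", section, "Winlogon Notify DLL no longer exists (dangling entry)", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section:3} {f.reason}\n        {f.line}")
```

The script is a triage aid, not a verdict: the ProxyOverride line on its own is harmless, which is why only the ProxyServer entry is flagged, and an O20 entry with a missing file is reported as informational because it is a leftover rather than a live component.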

And this is the MalwareBytes log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5199

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

27/11/2010 17:03:47

mbam-log-2010-11-27 (17-03-47).txt

Scan type: Quick scan

Objects scanned: 165393

Time elapsed: 27 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe (Trojan.Agent.Gen) -> No action taken.

C:\Documents and Settings\User\Local Settings\Temp\dwm.exe (Trojan.Agent.Gen) -> No action taken.

C:\Documents and Settings\User\Application Data\Adobe\plugs\KB1823937.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\User\Application Data\Adobe\plugs\KB1831125.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\User\Application Data\Microsoft\stor.cfg (Malware.Trace) -> No action taken.

C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> No action taken.


Hello sparky182! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Step 1

I see you are running TeaTimer.

I suggest you disable it, because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you have disabled TeaTimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 2

Please, open HiJackThis and select Do a system scan only.

Check the following entries:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Then, close all open windows except that of HijackThis, and select Fix Checked.

Step 3

  • Launch Malwarebytes' Anti-Malware
  • Go to the "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to the "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

  1. Malwarebytes' Anti-Malware log
  2. a new fresh HiJackThis log


Hi Borislav, thanks for helping!

I've done most steps; I'm just doing a scan with Malwarebytes and it's only been running for about 7 mins and has 8 infections as opposed to the other day when there were 6. Shall I still go ahead and get rid of all of them, or shall I post the new scan log now before I remove them?

Thanks! :)


Okay, here is the HiJack This! Log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 18:55:09, on 28/11/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\slserv.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\zHotkey.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\CameraFixer.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Bonusprint\Photoservice\dd.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\Program Files\SkypeMate\SkypeMate.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/?lc=1033

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: BT Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup

O4 - HKLM\..\Run: [NokiaMusic FastStart] "C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe" /command:faststart

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Device Detection] C:\Program Files\Bonusprint\Photoservice\dd.exe

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-1577321890-803091373-1801922428-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Charlotte Hawkins')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: SkypeMate.lnk = C:\Program Files\SkypeMate\SkypeMate.exe

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1227023713062

O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonusprint.com/ukipc01/dow...geUploader4.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

O23 - Service: ServiceLayer - Nokia - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--

End of file - 11579 bytes

And the Malwarebytes log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5207

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

28/11/2010 18:47:14

mbam-log-2010-11-28 (18-47-14).txt

Scan type: Quick scan

Objects scanned: 165424

Time elapsed: 32 minute(s), 21 second(s)

Memory Processes Infected: 3

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 2

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe (Trojan.Agent.Gen) -> Unloaded process successfully.

C:\Documents and Settings\User\Application Data\Microsoft\svchost.exe (Trojan.Agent.Gen) -> Unloaded process successfully.

C:\Documents and Settings\User\Local Settings\Temp\dwm.exe (Trojan.Agent.Gen) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\User\Application Data\Microsoft\svchost.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\User\Local Settings\Temp\dwm.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\User\Application Data\Adobe\plugs\KB1823937.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\User\Application Data\Adobe\plugs\KB1831125.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\User\Application Data\Microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.

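The two Malwarebytes logs in this thread tell the story of the infection: the first run (27/11) reported the items with "No action taken", and the second run (28/11) found a further svchost.exe under Application Data plus a Run value for it, unloaded the running processes and quarantined everything. The Hijack.Shell entry is the one that explains the "explorer.exe infected" symptom: Winlogon's Shell value is a comma-separated list, and anything after explorer.exe is started at every logon. The following Python script is an added example (not part of this thread and not Malwarebytes' own tooling) that parses MBAM 1.x log lines, lists what a run reported but did not remove, lists what is new in a later run, and decodes the Shell value. The sample logs are abbreviated copies of the two posted above; the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Detection:
    section: str   # MBAM section, e.g. "Files Infected"
    target: str    # file path or registry key/value
    family: str    # detection name, e.g. "Trojan.Agent.Gen"
    action: str    # "No action taken", "Quarantined and deleted successfully", ...
    detail: str    # text between the arrows, e.g. the Bad:/Good: Shell values


# Actions that mean the item has actually been dealt with.
RESOLVED = {"Quarantined and deleted successfully", "Unloaded process successfully"}

# Constructed samples: abbreviated copies of the two logs posted in this thread.
FIRST_RUN = r"""
Files Infected: 2
Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> No action taken.
Files Infected:
C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe (Trojan.Agent.Gen) -> No action taken.
C:\Documents and Settings\User\Local Settings\Temp\dwm.exe (Trojan.Agent.Gen) -> No action taken.
"""

SECOND_RUN = r"""
Memory Processes Infected:
C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe (Trojan.Agent.Gen) -> Unloaded process successfully.
C:\Documents and Settings\User\Application Data\Microsoft\svchost.exe (Trojan.Agent.Gen) -> Unloaded process successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Microsoft\svchost.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\dwm.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
"""


def parse_mbam(text: str) -> List[Detection]:
    """Parse the per-section detail lines of an MBAM 1.x log; summary counts are skipped."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^([A-Za-z ]+ Infected):$", line)
        if header:
            section = header.group(1)
            continue
        if section is None or " -> " not in line:
            continue            # preamble, summary counts, "(No malicious items detected)"
        parts = line.split(" -> ")
        m = re.match(r"^(.*) \(([^()]+)\)$", parts[0])   # "<target> (<family>)"
        if not m:
            continue
        found.append(Detection(section, m.group(1), m.group(2),
                               parts[-1].rstrip("."), " ".join(parts[1:-1])))
    return found


def outstanding(items: List[Detection]) -> List[Detection]:
    """Detections the run reported but did not remove (e.g. 'No action taken')."""
    return [d for d in items if d.action not in RESOLVED]


def new_since(earlier: List[Detection], later: List[Detection]) -> List[Detection]:
    """Detections in the later run that the earlier run never reported."""
    seen = {(d.section, d.target) for d in earlier}
    return [d for d in later if (d.section, d.target) not in seen]


def shell_extras(d: Detection) -> List[str]:
    """For a Hijack.Shell item, list what Winlogon\\Shell would start besides explorer.exe."""
    m = re.search(r"Bad: \((.*?)\) Good:", d.detail)
    if d.family != "Hijack.Shell" or not m:
        return []
    return [p for p in m.group(1).split(",") if p.strip().lower() != "explorer.exe"]


if __name__ == "__main__":
    first, second = parse_mbam(FIRST_RUN), parse_mbam(SECOND_RUN)
    print("still outstanding after run 2:", [d.target for d in outstanding(second)])
    print("new in run 2:", [d.target for d in new_since(first, second)])
    for d in first:
        for extra in shell_extras(d):
            print("Winlogon\\Shell would also start:", extra)
```

Comparing runs by (section, target) rather than by path alone matters here: shell.exe appears under "Files Infected" in both runs but under "Memory Processes Infected" only in the second, which is the signal that it was actually executing at logon by then.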

Step 1

Please, open HiJackThis and select Do a system scan only.

Check the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Then, close all open windows except that of HijackThis, and select Fix Checked.

Step 2

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
     [screenshots: CF_download_FF.gif, CF_download_rename.gif]
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

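The hijacks in the Malwarebytes log above (a second program appended to the Winlogon\Shell value, a Run entry named svchost living under Application Data, a populated Windows\load value) and the loopback proxy that the HijackThis fix in Step 1 removes can all be checked mechanically. What follows is an added example in Python, not code from this thread or from Malwarebytes, HijackThis or ComboFix. It evaluates registry values handed to it as strings, so it runs anywhere; on the infected machine the strings would come from reg query. The data for Run\svchost and Windows\load is assumed, since the logs do not show what those two values pointed to; the other sample values are copied from the logs.

```python
"""Audit of the autostart and proxy indicators seen in this thread.

Added example; it is not code from the forum post, Malwarebytes, HijackThis or ComboFix.
"""
import re
from typing import Dict, List

# Directories a core Windows XP binary is expected to load from (lower-case, drive letter removed).
SYSTEM_DIRS = {"\\windows", "\\windows\\system32"}

# System binary names that the malware in this thread copied or imitated.
MASQUERADE_NAMES = {"svchost.exe", "explorer.exe", "winlogon.exe", "dwm.exe", "shell.exe"}

# Profile locations an autostart entry has no business running from.
WRITABLE_PROFILE_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

LOOPBACK = ("127.", "localhost", "::1")


def _norm_path(path: str) -> str:
    """Lower-case, unquote and drop the drive letter so paths compare reliably."""
    p = path.strip().strip('"').lower()
    return p[2:] if len(p) > 1 and p[1] == ":" else p


def _exe_of(command: str) -> str:
    """Executable path from a command line, quoted or not, with or without arguments."""
    m = re.match(r'\s*"?(.*?\.exe)"?(?:\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.strip().strip('"')


def check_winlogon_shell(value: str) -> List[str]:
    """Winlogon\\Shell is a comma-separated list of shells; only Explorer.exe belongs in it."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [f"Winlogon\\Shell starts an extra program: {p}" for p in parts if p.lower() != "explorer.exe"]


def check_load(value: str) -> List[str]:
    """HKCU ...\\Windows\\load (registry successor of the win.ini 'load=' line) is empty when clean."""
    return [f"Windows\\load autostart is set: {value}"] if value.strip() else []


def check_run_entries(entries: Dict[str, str]) -> List[str]:
    """Flag Run entries that imitate a system binary or run from a user-writable profile dir."""
    findings = []
    for name, command in entries.items():
        exe = _norm_path(_exe_of(command))
        directory, _, basename = exe.rpartition("\\")
        if basename in MASQUERADE_NAMES and directory not in SYSTEM_DIRS:
            findings.append(f"Run\\{name}: {basename} outside a system directory ({command})")
        elif any(d in exe for d in WRITABLE_PROFILE_DIRS):
            findings.append(f"Run\\{name}: runs from a user-writable profile directory ({command})")
    return findings


def check_proxy(proxy_server: str) -> List[str]:
    """Flag a ProxyServer value that sends browser traffic through the local machine.

    The value is 'host:port' or 'proto=host:port;proto=host:port'.  A loopback proxy the
    user never configured means a process on the box is sitting between IE and the web.
    """
    findings = []
    for item in filter(None, (s.strip() for s in proxy_server.split(";"))):
        _, _, hostport = item.rpartition("=")
        host = hostport.rsplit(":", 1)[0].strip("[]").lower()
        if host.startswith(LOOPBACK):
            findings.append(f"Internet Settings\\ProxyServer points at loopback: {item}")
    return findings


def audit(shell: str, load: str, run: Dict[str, str], proxy: str) -> List[str]:
    """Run all checks; each finding is one line of the kind MBAM or HijackThis would report."""
    return check_winlogon_shell(shell) + check_load(load) + check_run_entries(run) + check_proxy(proxy)


# Constructed sample.  Shell, ProxyServer and the Skype/IgfxTray Run entries are taken from
# the logs in this thread; the thread does not show what Run\svchost and Windows\load
# pointed to, so those two values are assumed here.
SAMPLE = dict(
    shell=r"explorer.exe,C:\Documents and Settings\User\Application Data\Microsoft\Windows\shell.exe",
    load=r"C:\Documents and Settings\User\Local Settings\Temp\dwm.exe",  # assumed
    run={
        "svchost": r"C:\Documents and Settings\User\Application Data\Microsoft\svchost.exe",  # assumed
        "Skype": r"c:\program files\Skype\Phone\Skype.exe",
        "IgfxTray": r"c:\windows\system32\igfxtray.exe",
    },
    proxy="http=127.0.0.1:50370",
)

if __name__ == "__main__":
    for finding in audit(**SAMPLE):
        print(finding)
```

On the real machine the values come from reg query, for example `reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell`. Two caveats. Some legitimate software (web filters, some antivirus web shields) does route the browser through a local proxy, so the finding means "a loopback proxy nobody configured", not "any loopback proxy". And a clean result from userland checks like these is only as good as the moment it was taken: the ComboFix log later in this thread shows new startup-folder executables and a TDL4 bootkit on PhysicalDrive0 after Malwarebytes had already removed the entries above, which is exactly why the helper insists on staying until the all clear.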

Ahh, that took much longer than I thought... mainly because my computer refused to uninstall AVG!!?

But finally I was able to run ComboFix; here is the log:

ComboFix 10-11-28.01 - User 28/11/2010 23:22:47.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.690 [GMT 0:00]

Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\User\Application Data\Adobe\AdobeUpdate .exe

c:\documents and settings\User\Application Data\Adobe\plugs

c:\documents and settings\User\Application Data\Aznu

c:\documents and settings\User\Application Data\Aznu\yzacy.exe

c:\documents and settings\User\Application Data\Dodyxo

c:\documents and settings\User\Application Data\Dodyxo\buycu.mim

c:\documents and settings\User\Application Data\Dyebf

c:\documents and settings\User\Application Data\Dyebf\fube.exe

c:\documents and settings\User\Application Data\Gehy

c:\documents and settings\User\Application Data\Gehy\daatt.exe

c:\documents and settings\User\Application Data\Gepion

c:\documents and settings\User\Application Data\Gepion\tige.vei

c:\documents and settings\User\Application Data\Ifoqx

c:\documents and settings\User\Application Data\Ifoqx\ecevt.apo

c:\documents and settings\User\Application Data\Nuyduf

c:\documents and settings\User\Application Data\Nuyduf\ikyf.ahg

c:\documents and settings\User\Application Data\Ogoxmu

c:\documents and settings\User\Application Data\Ogoxmu\syxyc.exe

c:\documents and settings\User\Application Data\Riva

c:\documents and settings\User\Application Data\Riva\izanh.wyy

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc10.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc11.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc12.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc13.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc14.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc15.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc16.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc17.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc18.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc19.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc1A.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc1B.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc1C.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc1D.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc1E.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc1F.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc20.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc21.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc22.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc23.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc24.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc25.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc26.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc27.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc28.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc29.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc2A.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc2B.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc2C.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc2D.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc2E.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc2F.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc30.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc31.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc32.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc33.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc34.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc35.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc36.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc37.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc38.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc39.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc3A.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc3B.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc3C.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc3D.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc3E.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc3F.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc40.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc41.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc42.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc43.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc44.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc45.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc46.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc47.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc48.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc49.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc4A.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc4B.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc4C.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc4D.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc4E.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc4F.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc50.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc51.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc52.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc53.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc54.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc55.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc56.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc57.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc58.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc59.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc5A.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc5B.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc5C.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc5D.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc5E.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc5F.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc60.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc61.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc62.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc63.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc64.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc65.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc66.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc67.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc68.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc69.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6A.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6B.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6C.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6D.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6E.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc6F.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc70.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc71.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc72.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc73.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc74.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc75.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc76.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc77.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc78.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc79.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7A.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7B.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7C.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7D.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7E.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc7F.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc80.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc81.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc82.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc83.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc84.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc85.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc86.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc87.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc88.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc89.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8A.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8B.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8C.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8D.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8E.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc8F.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc90.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc91.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc92.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc93.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc94.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc95.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc96.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc97.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc98.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc99.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9A.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9B.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9C.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9D.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9E.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc9F.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA0.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA1.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA2.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA3.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA4.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA5.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA6.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA7.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA8.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccA9.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccAA.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccAB.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccAC.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccAD.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccAE.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccAF.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB0.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB1.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB2.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB3.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB4.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB5.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB6.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB7.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB8.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccB9.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccBA.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccBB.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccBC.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccBD.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccBE.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccBF.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC0.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC1.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC2.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC3.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC4.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC5.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC6.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC7.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC8.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC9.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccCA.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccCB.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccCC.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccCD.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccCE.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccCF.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccD.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccE.tmp

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccF.tmp

c:\windows\ctizcr.dll

----- BITS: Possible infected sites -----

hxxp://download.yimg.com

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))

.

2010-11-28 21:27 . 2010-11-28 21:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2010-11-28 21:20 . 2010-11-28 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2010-11-28 21:19 . 2010-11-28 21:19 -------- d-----w- C:\$AVG

2010-11-28 21:11 . 2010-11-28 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-11-28 20:49 . 2010-11-28 20:49 -------- d-----w- C:\Adobe

2010-11-28 20:49 . 2009-03-08 04:31 45568 ----a-w- c:\windows\system32\YCemSCi.exe

2010-11-28 20:48 . 2010-11-28 20:48 -------- d-----w- c:\documents and settings\User\Application Data\Oqfeeg

2010-11-28 20:47 . 2010-11-28 20:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-11-28 19:58 . 2010-11-28 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7

2010-11-27 16:32 . 2010-11-27 16:32 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2010-11-27 16:31 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-27 16:31 . 2010-11-27 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-27 16:31 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-27 16:31 . 2010-11-27 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-26 22:13 . 2010-11-28 19:18 -------- d-----w- c:\program files\HiJack This

2010-11-24 15:05 . 2010-11-24 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-11-24 15:04 . 2010-11-24 15:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!

2010-11-24 15:04 . 2010-11-24 15:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-11-22 22:29 . 2010-11-23 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-11-22 22:29 . 2010-11-23 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-11-22 16:08 . 2010-11-22 17:42 -------- d-----w- c:\documents and settings\User\Application Data\AVG

2010-11-22 16:08 . 2010-11-28 22:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-11-19 22:24 . 2010-11-19 22:24 189 ----a-w- c:\documents and settings\User\Application Data\Microsoft\gb_1515781.bat

2010-11-17 23:25 . 2010-11-17 23:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-16 13:33 . 2009-12-05 17:46 63941 ----a-w- c:\documents and settings\User\Application Data\mdbu.bin

2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2010-09-18 11:23 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-11-18 20:17 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-11-18 20:17 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2008-11-18 20:19 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2008-11-18 20:17 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2008-11-18 20:16 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2008-11-18 20:15 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2008-11-18 20:19 1852800 ----a-w- c:\windows\system32\win32k.sys

2009-01-18 20:32 . 2009-01-18 20:31 1144136 ----a-w- c:\program files\wlsetup-custom.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-09-29 21755688]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"Device Detection"="c:\program files\Bonusprint\Photoservice\dd.exe" [2007-11-08 101376]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-07 155648]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]

"CHotkey"="zHotkey.exe" [2004-05-18 543232]

"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]

"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]

"CameraFixer"="c:\windows\CameraFixer.exe" [2005-10-03 20480]

"tsnp2std"="c:\windows\tsnp2std.exe" [2005-11-03 106496]

"snp2std"="c:\windows\vsnp2std.exe" [2005-08-16 339968]

"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]

"NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2010-03-04 2192672]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http:" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\

elrey.exe [2010-11-28 189736]

huin.exe [2010-11-28 153600]

koget.exe [2010-11-28 153600]

c:\documents and settings\User\Start Menu\Programs\Startup\

irfaib.exe [2010-11-28 153600]

mycuri.exe [2010-11-28 153600]

SkypeMate.lnk - c:\program files\SkypeMate\SkypeMate.exe [2007-5-22 405504]

soaps.exe [2010-11-28 189736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-16 09:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-04-27 17:24 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240]

R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/04/2010 17:57 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]

.

.

------- Supplementary Scan -------

.

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe

HKU-Default-Run-Umusi - c:\windows\ctizcr.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-28 23:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\User\LOCALS~1\Temp\etilqs_4kohraPnbp5n5bv 0 bytes

c:\docume~1\User\LOCALS~1\Temp\etilqs_IptuzVUmctibcLI 0 bytes

c:\docume~1\User\LOCALS~1\Temp\etilqs_kLWN5HHHceWDvjx 0 bytes

c:\docume~1\User\LOCALS~1\Temp\etilqs_l93UCPFmqf1gknK 0 bytes

c:\docume~1\User\LOCALS~1\Temp\etilqs_nTQRw5KyXPBmtMH 0 bytes

scan completed successfully

hidden files: 5

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(1828)

c:\windows\system32\WININET.dll

c:\program files\Trusteer\Rapport\bin\rooksbas.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\wscntfy.exe

c:\windows\zHotkey.exe

c:\windows\SOUNDMAN.EXE

c:\windows\ALCWZRD.EXE

c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe

c:\program files\Skype\Phone\Skype.exe

c:\documents and settings\User\Start Menu\Programs\Startup\irfaib.exe

c:\documents and settings\User\Start Menu\Programs\Startup\mycuri.exe

c:\documents and settings\User\Application Data\Ovyri\ufzyi.exe

c:\documents and settings\User\Start Menu\Programs\Startup\soaps.exe

c:\program files\iPod\bin\iPodService.exe

c:\documents and settings\User\Application Data\Toel\myfe.exe

c:\program files\Nokia\PC Connectivity Solution\ServiceLayer.exe

c:\program files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe

c:\program files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2010-11-28 23:47:37 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-28 23:47

Pre-Run: 45,326,090,240 bytes free

Post-Run: 45,848,186,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

timeout=2

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

[spybotsd]

timeout.old=30

- - End Of File - - 3F97594A9AE0BAA4C7B468DE4B3F4A15

After this I reinstalled AVG and it popped up with two trojan threats. I know you said not to fix anything or perform any scans, but these were automatic and I've just put them in the virus vault.

Sorry it took so long, what's next?


No problem. ComboFix did a great job, but left some things to clean.

Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=68731

Collect::[8]
c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\elrey.exe
c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\huin.exe
c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\koget.exe
c:\documents and settings\User\Start Menu\Programs\Startup\irfaib.exe
c:\documents and settings\User\Start Menu\Programs\Startup\mycuri.exe
c:\documents and settings\User\Start Menu\Programs\Startup\soaps.exe

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Here's the ComboFix log:

ComboFix 10-11-28.05 - User 29/11/2010 10:38:41.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.532 [GMT 0:00]

Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

file zipped: c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\elrey.exe

file zipped: c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\huin.exe

file zipped: c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\koget.exe

file zipped: c:\documents and settings\User\Start Menu\Programs\Startup\soaps.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\elrey.exe

c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\huin.exe

c:\documents and settings\Charlotte Hawkins\Start Menu\Programs\Startup\koget.exe

c:\documents and settings\User\Application Data\Cumi

c:\documents and settings\User\Application Data\Cumi\odzoe.dyw

c:\documents and settings\User\Application Data\Ewaw

c:\documents and settings\User\Application Data\Ewaw\fynu.exe

c:\documents and settings\User\Application Data\Intyin

c:\documents and settings\User\Application Data\Lorae

c:\documents and settings\User\Application Data\Lorae\uclym.due

c:\documents and settings\User\Application Data\Oqorac

c:\documents and settings\User\Application Data\Oqorac\ilos.fye

c:\documents and settings\User\Application Data\Ovyri

c:\documents and settings\User\Application Data\Ovyri\ufzyi.exe

c:\documents and settings\User\Application Data\Toel

c:\documents and settings\User\Application Data\Toel\myfe.exe

c:\documents and settings\User\Application Data\Voyz

c:\documents and settings\User\Application Data\Voyz\asag.arc

c:\documents and settings\User\Application Data\Xelyc

c:\documents and settings\User\Application Data\Xelyc\kequ.exe

c:\documents and settings\User\Application Data\Ywomte

c:\documents and settings\User\Application Data\Ywomte\opqub.exe

c:\documents and settings\User\Start Menu\Programs\Startup\soaps.exe

.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))

.

2010-11-28 21:27 . 2010-11-28 21:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2010-11-28 21:20 . 2010-11-29 10:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2010-11-28 21:11 . 2010-11-28 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-11-28 20:49 . 2010-11-28 20:49 -------- d-----w- C:\Adobe

2010-11-28 20:49 . 2009-03-08 04:31 45568 ----a-w- c:\windows\system32\YCemSCi.exe

2010-11-28 20:48 . 2010-11-28 20:48 -------- d-----w- c:\documents and settings\User\Application Data\Oqfeeg

2010-11-28 20:47 . 2010-11-28 20:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-11-28 19:58 . 2010-11-28 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7

2010-11-27 16:32 . 2010-11-27 16:32 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2010-11-27 16:31 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-27 16:31 . 2010-11-27 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-27 16:31 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-27 16:31 . 2010-11-27 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-26 22:13 . 2010-11-29 10:03 -------- d-----w- c:\program files\HiJack This

2010-11-24 15:05 . 2010-11-24 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-11-24 15:04 . 2010-11-24 15:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!

2010-11-24 15:04 . 2010-11-24 15:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-11-22 22:29 . 2010-11-23 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-11-22 22:29 . 2010-11-23 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-11-22 16:08 . 2010-11-22 17:42 -------- d-----w- c:\documents and settings\User\Application Data\AVG

2010-11-22 16:08 . 2010-11-28 22:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-11-19 22:24 . 2010-11-19 22:24 189 ----a-w- c:\documents and settings\User\Application Data\Microsoft\gb_1515781.bat

2010-11-17 23:25 . 2010-11-17 23:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-16 13:33 . 2009-12-05 17:46 63941 ----a-w- c:\documents and settings\User\Application Data\mdbu.bin

2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2010-09-18 11:23 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-11-18 20:17 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-11-18 20:17 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2008-11-18 20:19 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2008-11-18 20:17 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2008-11-18 20:16 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2008-11-18 20:15 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2008-11-18 20:19 1852800 ----a-w- c:\windows\system32\win32k.sys

2009-01-18 20:32 . 2009-01-18 20:31 1144136 ----a-w- c:\program files\wlsetup-custom.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-09-29 21755688]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"Device Detection"="c:\program files\Bonusprint\Photoservice\dd.exe" [2007-11-08 101376]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-07 155648]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]

"CHotkey"="zHotkey.exe" [2004-05-18 543232]

"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]

"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]

"CameraFixer"="c:\windows\CameraFixer.exe" [2005-10-03 20480]

"tsnp2std"="c:\windows\tsnp2std.exe" [2005-11-03 106496]

"snp2std"="c:\windows\vsnp2std.exe" [2005-08-16 339968]

"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]

"NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2010-03-04 2192672]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\User\Start Menu\Programs\Startup\

SkypeMate.lnk - c:\program files\SkypeMate\SkypeMate.exe [2007-5-22 405504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-16 09:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-04-27 17:24 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240]

R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/04/2010 17:57 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]

.

.

------- Supplementary Scan -------

.

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-29 10:51

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

.

Completion time: 2010-11-29 10:55:29

ComboFix-quarantined-files.txt 2010-11-29 10:55

ComboFix2.txt 2010-11-28 23:47

Pre-Run: 45,586,235,392 bytes free

Post-Run: 45,555,490,816 bytes free

- - End Of File - - 47F39FEED17EA912A4469FDA022501CA


Just a note, these files:

c:\documents and settings\User\Start Menu\Programs\Startup\irfaib.exe

c:\documents and settings\User\Start Menu\Programs\Startup\mycuri.exe

you asked me to put in the Notepad file, and I did, but they haven't appeared in the new ComboFix log because they were the viruses AVG picked up and put in the virus vault :lol:


Disable AVG and again:

Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=68731

Collect::[8]
c:\windows\system32\YCemSCi.exe

Folder::
c:\documents and settings\User\Application Data\Oqfeeg

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

By the way, what was the message from ComboFix? Has it successfully sent the files?


ComboFix 10-11-29.03 - User 29/11/2010 23:19:15.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.532 [GMT 0:00]

Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

file zipped: c:\windows\system32\YCemSCi.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\User\Application Data\Oqfeeg

c:\documents and settings\User\Application Data\Oqfeeg\alyl.exe

c:\documents and settings\User\Local Settings\Temporary Internet Files\mccC7.tmp

c:\windows\system32\YCemSCi.exe

.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))

.

2010-11-28 21:27 . 2010-11-28 21:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2010-11-28 21:20 . 2010-11-29 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2010-11-28 21:11 . 2010-11-29 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-11-28 20:49 . 2010-11-28 20:49 -------- d-----w- C:\Adobe

2010-11-28 20:47 . 2010-11-28 20:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-11-28 19:58 . 2010-11-28 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7

2010-11-27 16:32 . 2010-11-27 16:32 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2010-11-27 16:31 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-27 16:31 . 2010-11-27 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-27 16:31 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-27 16:31 . 2010-11-27 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-26 22:13 . 2010-11-29 10:03 -------- d-----w- c:\program files\HiJack This

2010-11-24 15:05 . 2010-11-24 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-11-24 15:04 . 2010-11-24 15:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!

2010-11-24 15:04 . 2010-11-24 15:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-11-22 22:29 . 2010-11-23 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-11-22 22:29 . 2010-11-23 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-11-22 16:08 . 2010-11-22 17:42 -------- d-----w- c:\documents and settings\User\Application Data\AVG

2010-11-22 16:08 . 2010-11-28 22:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-11-19 22:24 . 2010-11-19 22:24 189 ----a-w- c:\documents and settings\User\Application Data\Microsoft\gb_1515781.bat

2010-11-17 23:25 . 2010-11-17 23:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-16 13:33 . 2009-12-05 17:46 63941 ----a-w- c:\documents and settings\User\Application Data\mdbu.bin

2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2010-09-18 11:23 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-11-18 20:17 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-11-18 20:17 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2008-11-18 20:19 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2008-11-18 20:17 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2008-11-18 20:16 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2008-11-18 20:15 285824 ----a-w- c:\windows\system32\atmfd.dll

2009-01-18 20:32 . 2009-01-18 20:31 1144136 ----a-w- c:\program files\wlsetup-custom.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-11-29_10.51.37 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-11-29 23:21 . 2010-11-29 23:21 16384 c:\windows\Temp\Perflib_Perfdata_b74.dat

+ 2010-11-29 23:11 . 2010-11-29 23:11 16384 c:\windows\Temp\Perflib_Perfdata_90.dat

+ 2010-11-29 16:48 . 2010-11-29 16:48 3065856 c:\windows\Installer\1598f77.msi

+ 2010-11-29 16:45 . 2010-11-29 16:45 1548288 c:\windows\Installer\1598f73.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-09-29 21755688]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"Device Detection"="c:\program files\Bonusprint\Photoservice\dd.exe" [2007-11-08 101376]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-07 155648]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]

"CHotkey"="zHotkey.exe" [2004-05-18 543232]

"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]

"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]

"CameraFixer"="c:\windows\CameraFixer.exe" [2005-10-03 20480]

"tsnp2std"="c:\windows\tsnp2std.exe" [2005-11-03 106496]

"snp2std"="c:\windows\vsnp2std.exe" [2005-08-16 339968]

"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]

"NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2010-03-04 2192672]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\User\Start Menu\Programs\Startup\

SkypeMate.lnk - c:\program files\SkypeMate\SkypeMate.exe [2007-5-22 405504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-16 09:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-04-27 17:24 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240]

R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/04/2010 17:57 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]

.

.

------- Supplementary Scan -------

.

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-29 23:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

.

Completion time: 2010-11-29 23:30:00

ComboFix-quarantined-files.txt 2010-11-29 23:29

ComboFix2.txt 2010-11-29 10:55

ComboFix3.txt 2010-11-28 23:47

Pre-Run: 45,196,701,696 bytes free

Post-Run: 45,187,252,224 bytes free

- - End Of File - - 4471D9EFE98D69B3D2801412CCB16D34

And the message said it couldn't connect to the server, so it's now saved as a file on my C drive to manually upload later.


  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic in our forum.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:" should be written as follows:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.


ComboFix 10-11-30.02 - User 30/11/2010 20:49:54.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.607 [GMT 0:00]

Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\User\Local Settings\Temporary Internet Files\mcc11.tmp

c:\documents and settings\User\Start Menu\Programs\Win HDD

c:\documents and settings\User\Start Menu\Programs\Win HDD\Uninstall Win HDD.lnk

.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))

.

2010-11-28 21:27 . 2010-11-28 21:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2010-11-28 21:20 . 2010-11-30 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2010-11-28 21:11 . 2010-11-29 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-11-28 20:49 . 2010-11-28 20:49 -------- d-----w- C:\Adobe

2010-11-28 20:47 . 2010-11-28 20:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-11-28 19:58 . 2010-11-28 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7

2010-11-27 16:32 . 2010-11-27 16:32 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2010-11-27 16:31 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-27 16:31 . 2010-11-27 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-27 16:31 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-27 16:31 . 2010-11-27 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-26 22:13 . 2010-11-29 10:03 -------- d-----w- c:\program files\HiJack This

2010-11-24 15:05 . 2010-11-24 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-11-24 15:04 . 2010-11-24 15:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!

2010-11-24 15:04 . 2010-11-24 15:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-11-22 22:29 . 2010-11-23 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-11-22 22:29 . 2010-11-23 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-11-22 16:08 . 2010-11-22 17:42 -------- d-----w- c:\documents and settings\User\Application Data\AVG

2010-11-22 16:08 . 2010-11-28 22:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-11-19 22:24 . 2010-11-19 22:24 189 ----a-w- c:\documents and settings\User\Application Data\Microsoft\gb_1515781.bat

2010-11-17 23:25 . 2010-11-17 23:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-16 13:33 . 2009-12-05 17:46 63941 ----a-w- c:\documents and settings\User\Application Data\mdbu.bin

2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2010-09-18 11:23 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-11-18 20:17 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-11-18 20:17 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2008-11-18 20:19 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2008-11-18 20:17 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2008-11-18 20:16 1469440 ------w- c:\windows\system32\inetcpl.cpl

2009-01-18 20:32 . 2009-01-18 20:31 1144136 ----a-w- c:\program files\wlsetup-custom.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-11-29_10.51.37 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-11-30 20:39 . 2010-11-30 20:39 16384 c:\windows\Temp\Perflib_Perfdata_d0.dat

+ 2010-11-30 20:49 . 2010-11-30 20:49 16384 c:\windows\Temp\Perflib_Perfdata_9d4.dat

+ 2010-11-29 23:37 . 2010-11-29 23:37 3065856 c:\windows\Installer\161e71.msi

+ 2010-11-29 23:35 . 2010-11-29 23:35 1548288 c:\windows\Installer\161e6d.msi

+ 2010-11-29 16:48 . 2010-11-29 16:48 3065856 c:\windows\Installer\1598f77.msi

+ 2010-11-29 16:45 . 2010-11-29 16:45 1548288 c:\windows\Installer\1598f73.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-09-29 21755688]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"Device Detection"="c:\program files\Bonusprint\Photoservice\dd.exe" [2007-11-08 101376]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-07 155648]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]

"CHotkey"="zHotkey.exe" [2004-05-18 543232]

"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]

"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]

"CameraFixer"="c:\windows\CameraFixer.exe" [2005-10-03 20480]

"tsnp2std"="c:\windows\tsnp2std.exe" [2005-11-03 106496]

"snp2std"="c:\windows\vsnp2std.exe" [2005-08-16 339968]

"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]

"NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2010-03-04 2192672]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\User\Start Menu\Programs\Startup\

SkypeMate.lnk - c:\program files\SkypeMate\SkypeMate.exe [2007-5-22 405504]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

encu.exe [2010-11-28 189736]

erci.exe [2010-11-28 153600]

sytyo.exe [2010-11-28 153600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-16 09:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-04-27 17:24 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240]

R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/04/2010 17:57 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]

.

.

------- Supplementary Scan -------

.

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-30 20:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

.

Completion time: 2010-11-30 21:00:49

ComboFix-quarantined-files.txt 2010-11-30 21:00

ComboFix2.txt 2010-11-29 23:30

ComboFix3.txt 2010-11-29 10:55

ComboFix4.txt 2010-11-28 23:47

Pre-Run: 45,034,086,400 bytes free

Post-Run: 45,005,406,208 bytes free

- - End Of File - - DF23079A03E0D425342E2C06EFFEBDA4


Step 1

Open Notepad and copy and paste the text in the code box below into it:

File::
c:\documents and settings\Default User\Start Menu\Programs\Startup\encu.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\erci.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\sytyo.exe

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

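The three files the CFScript above removes stand out in the ComboFix log because they are bare executables sitting in the Default User profile's Startup folder, where the normal content is shortcuts. As an added example (not code from this thread, from ComboFix, or from the Malwarebytes forum), here is a small Python script that parses the Startup-folder entries in a ComboFix "Reg Loading Points" section and flags executables placed directly in a Startup folder. The log excerpt embedded in it is constructed to mirror the shape of the logs posted above, and the regular expressions and the triage heuristic are the example's own assumptions about that format.

```python
"""Triage Startup-folder entries from a ComboFix 'Reg Loading Points' section.

Added example for this thread; it is not part of ComboFix or of the forum's
own tooling. The log excerpt below is constructed to match the shape of the
logs posted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in the shape of the ComboFix logs above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-09-29 21755688]
c:\documents and settings\User\Start Menu\Programs\Startup\
SkypeMate.lnk - c:\program files\SkypeMate\SkypeMate.exe [2007-5-22 405504]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
encu.exe [2010-11-28 189736]
erci.exe [2010-11-28 153600]
sytyo.exe [2010-11-28 153600]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 09:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll
"""

# Extensions Windows runs directly when it processes a Startup folder (assumed list).
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

# A Startup-folder header line, e.g. "c:\documents and settings\User\Start Menu\Programs\Startup\"
STARTUP_FOLDER_RE = re.compile(
    r"^(?P<path>[a-z]:\\.*\\start menu\\programs\\startup\\)$", re.IGNORECASE)

# An entry under that header: "encu.exe [2010-11-28 189736]" or
# "SkypeMate.lnk - c:\...\SkypeMate.exe [2007-5-22 405504]"
ENTRY_RE = re.compile(
    r"^(?P<name>[^\[\]]+?)(?: - (?P<target>[^\[\]]+?))?"
    r" \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")


@dataclass
class Finding:
    folder: str
    name: str
    date: str
    size: int
    reason: str


def parse_startup_entries(log_text):
    """Yield (folder, name, target, date, size) for each Startup-folder entry in the log."""
    folder = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = STARTUP_FOLDER_RE.match(line)
        if m:
            folder = m.group("path")
            continue
        # A registry key header "[...]" or a section banner "(((" ends the folder block.
        if line.startswith("[") or line.startswith("("):
            folder = None
            continue
        if folder is None:
            continue
        e = ENTRY_RE.match(line)
        if e:
            yield folder, e.group("name"), e.group("target"), e.group("date"), int(e.group("size"))


def triage_startup(log_text):
    """Return Findings for executables dropped directly into a Startup folder."""
    findings = []
    for folder, name, _target, date, size in parse_startup_entries(log_text):
        lower = name.lower()
        if lower.endswith(".lnk"):
            continue  # shortcuts are the expected content of a Startup folder
        if lower.endswith(EXECUTABLE_EXTS):
            reason = "executable placed directly in a Startup folder"
            if "\\default user\\" in folder.lower():
                # The Default User profile is the template copied into every new account.
                reason += "; Default User profile is the template for new accounts"
            findings.append(Finding(folder, name, date, size, reason))
    return findings


if __name__ == "__main__":
    for f in triage_startup(SAMPLE_LOG):
        print(f"{f.folder}{f.name}  {f.date}  {f.size} bytes  -- {f.reason}")
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; shortcuts are skipped, so on a clean machine the script reports nothing, and each line it does report is a candidate for the same "File::" treatment the helper used above.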

ComboFix 10-11-30.02 - User 30/11/2010 22:22:57.5.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.539 [GMT 0:00]

Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

FILE ::

"c:\documents and settings\Default User\Start Menu\Programs\Startup\encu.exe"

"c:\documents and settings\Default User\Start Menu\Programs\Startup\erci.exe"

"c:\documents and settings\Default User\Start Menu\Programs\Startup\sytyo.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\encu.exe

c:\documents and settings\Default User\Start Menu\Programs\Startup\erci.exe

c:\documents and settings\Default User\Start Menu\Programs\Startup\sytyo.exe

.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))

.

2010-11-28 21:27 . 2010-11-28 21:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2010-11-28 21:20 . 2010-11-30 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2010-11-28 21:11 . 2010-11-30 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-11-28 20:49 . 2010-11-28 20:49 -------- d-----w- C:\Adobe

2010-11-28 20:47 . 2010-11-28 20:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-11-28 19:58 . 2010-11-28 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7

2010-11-27 16:32 . 2010-11-27 16:32 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2010-11-27 16:31 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-27 16:31 . 2010-11-27 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-27 16:31 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-27 16:31 . 2010-11-27 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-26 22:13 . 2010-11-29 10:03 -------- d-----w- c:\program files\HiJack This

2010-11-24 15:05 . 2010-11-24 15:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-11-24 15:04 . 2010-11-24 15:04 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!

2010-11-24 15:04 . 2010-11-24 15:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-11-22 22:29 . 2010-11-23 14:31 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-11-22 22:29 . 2010-11-23 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-11-22 16:08 . 2010-11-22 17:42 -------- d-----w- c:\documents and settings\User\Application Data\AVG

2010-11-22 16:08 . 2010-11-28 22:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-11-19 22:24 . 2010-11-19 22:24 189 ----a-w- c:\documents and settings\User\Application Data\Microsoft\gb_1515781.bat

2010-11-17 23:25 . 2010-11-17 23:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-16 13:33 . 2009-12-05 17:46 63941 ----a-w- c:\documents and settings\User\Application Data\mdbu.bin

2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2010-09-18 11:23 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2008-11-18 20:17 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2008-11-18 20:17 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2008-11-18 20:17 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2008-11-18 20:19 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2008-11-18 20:17 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2008-11-18 20:16 1469440 ------w- c:\windows\system32\inetcpl.cpl

2009-01-18 20:32 . 2009-01-18 20:31 1144136 ----a-w- c:\program files\wlsetup-custom.exe

.

((((((((((((((((((((((((((((( SnapShot@2010-11-29_10.51.37 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-11-30 22:25 . 2010-11-30 22:25 16384 c:\windows\Temp\Perflib_Perfdata_cc0.dat

+ 2010-11-30 22:15 . 2010-11-30 22:15 16384 c:\windows\Temp\Perflib_Perfdata_94.dat

+ 2010-11-30 21:16 . 2010-11-30 21:16 3065856 c:\windows\Installer\1f5563.msi

+ 2010-11-30 21:13 . 2010-11-30 21:13 1548288 c:\windows\Installer\1f555f.msi

+ 2010-11-29 23:37 . 2010-11-29 23:37 3065856 c:\windows\Installer\161e71.msi

+ 2010-11-29 23:35 . 2010-11-29 23:35 1548288 c:\windows\Installer\161e6d.msi

+ 2010-11-29 16:48 . 2010-11-29 16:48 3065856 c:\windows\Installer\1598f77.msi

+ 2010-11-29 16:45 . 2010-11-29 16:45 1548288 c:\windows\Installer\1598f73.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-09-29 21755688]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"Device Detection"="c:\program files\Bonusprint\Photoservice\dd.exe" [2007-11-08 101376]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-07 155648]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]

"CHotkey"="zHotkey.exe" [2004-05-18 543232]

"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]

"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-28 149280]

"CameraFixer"="c:\windows\CameraFixer.exe" [2005-10-03 20480]

"tsnp2std"="c:\windows\tsnp2std.exe" [2005-11-03 106496]

"snp2std"="c:\windows\vsnp2std.exe" [2005-08-16 339968]

"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-12-07 1584640]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]

"NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2010-03-04 2192672]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\User\Start Menu\Programs\Startup\

SkypeMate.lnk - c:\program files\SkypeMate\SkypeMate.exe [2007-5-22 405504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-16 09:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-04-27 17:24 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240]

R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/04/2010 17:57 135664]

.

Contents of the 'Scheduled Tasks' folder

2010-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 17:57]

.

.

------- Supplementary Scan -------

.

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-30 22:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

.

Completion time: 2010-11-30 22:34:57

ComboFix-quarantined-files.txt 2010-11-30 22:34

ComboFix2.txt 2010-11-30 21:00

ComboFix3.txt 2010-11-29 23:30

ComboFix4.txt 2010-11-29 10:55

ComboFix5.txt 2010-11-30 22:21

Pre-Run: 44,726,988,800 bytes free

Post-Run: 44,707,274,752 bytes free

- - End Of File - - 5ADBF66C57FAEB1E6F28DE54C9C4C138

Also, it wanted to send some malware files for further analysis but couldn't connect to the web server, so it saved them on the C drive.


Haha, I thought it was all fixed and lovely. But nope.

8 threats!

7 in the System Volume Information folder... Trojan horse PSW.Agent.AJPA.

And one in C:\adobe\plugs.... Trojan horse Hiloti.BW

Lots of files with broken signatures too? C:\Windows\Installer\28fc128.msi and things like that...

Sad times ;)

I think AVG will be able to put the Adobe one in the virus vault, but what about the System Volume Information ones? :/

What to do, what to do???


Several of them are in the System Volume Information folder, which is normal. Let's clean the infected system restore points with a restart:

http://support.microsoft.com/kb/310405

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:

    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
