
Hi all, I'm sure you are all sick of this by now, but here I am as a new member asking for tech help after stupidly allowing a virus in. Palladium is the culprit and, as per other posts, MBAM and AVG can't clear it (safe mode and otherwise). I've attempted to follow the instructions of other posts but to no avail. I have OTL scan info if that is of any help to anyone. I would appreciate any help.

Thanks

Corkm


:)

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right-click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Hi, thank you for your advice. I have followed all the steps and TDSS found nothing. Below is the report from its log.

I am getting multiple continuous pop-ups with:

Windows can't access the specified device path or file c/documents and settings/MCORK/applications data/random letters exe

2011/02/09 10:13:49.0953 2132 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03

2011/02/09 10:13:50.0937 2132 ================================================================================

2011/02/09 10:13:50.0937 2132 SystemInfo:

2011/02/09 10:13:50.0937 2132

2011/02/09 10:13:50.0937 2132 OS Version: 5.1.2600 ServicePack: 3.0

2011/02/09 10:13:50.0937 2132 Product type: Workstation

2011/02/09 10:13:50.0937 2132 ComputerName: MITCH

2011/02/09 10:13:50.0937 2132 UserName: MCork

2011/02/09 10:13:50.0937 2132 Windows directory: C:\WINDOWS

2011/02/09 10:13:50.0937 2132 System windows directory: C:\WINDOWS

2011/02/09 10:13:50.0937 2132 Processor architecture: Intel x86

2011/02/09 10:13:50.0937 2132 Number of processors: 2

2011/02/09 10:13:50.0937 2132 Page size: 0x1000

2011/02/09 10:13:50.0937 2132 Boot type: Normal boot

2011/02/09 10:13:50.0937 2132 ================================================================================

2011/02/09 10:13:51.0203 2132 Initialize success

2011/02/09 10:13:55.0750 0700 ================================================================================

2011/02/09 10:13:55.0750 0700 Scan started

2011/02/09 10:13:55.0750 0700 Mode: Manual;

2011/02/09 10:13:55.0750 0700 ================================================================================

2011/02/09 10:13:57.0093 0700 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/02/09 10:13:57.0156 0700 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/02/09 10:13:57.0234 0700 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/02/09 10:13:57.0328 0700 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2011/02/09 10:13:57.0390 0700 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys

2011/02/09 10:13:57.0546 0700 alcan5ln (4c53e64abb9c3dde4a101b049ab4ffa6) C:\WINDOWS\system32\DRIVERS\alcan5ln.sys

2011/02/09 10:13:57.0640 0700 alcaudsl (8080b5ea17a763bbce6c92bbc6ceefe8) C:\WINDOWS\system32\DRIVERS\alcaudsl.sys

2011/02/09 10:13:57.0859 0700 ALCXWDM (92ae420be14b0d97d14dac4aba22a702) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2011/02/09 10:13:58.0218 0700 ASPI (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\System32\DRIVERS\ASPI32.sys

2011/02/09 10:13:58.0281 0700 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/02/09 10:13:58.0328 0700 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/02/09 10:13:58.0453 0700 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/02/09 10:13:58.0500 0700 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/02/09 10:13:58.0562 0700 AVG Anti-Rootkit (e8054a423e5d2bdae6062bab6da159c4) C:\WINDOWS\system32\DRIVERS\avgarkt.sys

2011/02/09 10:13:58.0625 0700 AvgArCln (ec08d1625f5c6cf2a57b79eb35186f8c) C:\WINDOWS\system32\DRIVERS\AvgArCln.sys

2011/02/09 10:13:58.0687 0700 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys

2011/02/09 10:13:58.0781 0700 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys

2011/02/09 10:13:58.0843 0700 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/02/09 10:13:58.0921 0700 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/02/09 10:13:58.0984 0700 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/02/09 10:13:59.0031 0700 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/02/09 10:13:59.0093 0700 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/02/09 10:13:59.0421 0700 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/02/09 10:13:59.0500 0700 DLABOIOM (a14524d3f130a57163e0b3e057fc85d5) C:\WINDOWS\system32\DLA\DLABOIOM.SYS

2011/02/09 10:13:59.0531 0700 DLACDBHM (7581407a6a3c56860ae31e6e423fe824) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS

2011/02/09 10:13:59.0593 0700 DLADResN (7c4cdf8a684b63d7482e0bf7440dc3b5) C:\WINDOWS\system32\DLA\DLADResN.SYS

2011/02/09 10:13:59.0625 0700 DLAIFS_M (97bca2aac06a9fea56615b4b15bdb9b8) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS

2011/02/09 10:13:59.0671 0700 DLAOPIOM (be8d558cf749424f0de612813f7c6725) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS

2011/02/09 10:13:59.0703 0700 DLAPoolM (7e5277cb45dc5e2a86af8ce093c7ef31) C:\WINDOWS\system32\DLA\DLAPoolM.SYS

2011/02/09 10:13:59.0750 0700 DLARTL_N (693dfd92d41a3d270053cd97834e4960) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS

2011/02/09 10:13:59.0781 0700 DLAUDFAM (d886b6d02b51e5bd61b8a571a16d5ca2) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS

2011/02/09 10:13:59.0828 0700 DLAUDF_M (2c0ecf7a9d5162d87c64e2ae868b5039) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS

2011/02/09 10:13:59.0921 0700 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/02/09 10:13:59.0984 0700 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/02/09 10:14:00.0031 0700 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/02/09 10:14:00.0109 0700 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/02/09 10:14:00.0203 0700 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/02/09 10:14:00.0250 0700 DRVMCDB (73623d89faef4d1aa600edee8b490bc5) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS

2011/02/09 10:14:00.0296 0700 DRVNDDM (2aeee1600d0f14ba535f90a1f4411b54) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS

2011/02/09 10:14:00.0390 0700 Esdpdx01 (b33fa05b6fdfd75115ef3e9d72cf0027) C:\WINDOWS\system32\Drivers\ESDPDX01.SYS

2011/02/09 10:14:00.0468 0700 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/02/09 10:14:00.0515 0700 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/02/09 10:14:00.0578 0700 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/02/09 10:14:00.0609 0700 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/02/09 10:14:00.0671 0700 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/02/09 10:14:00.0734 0700 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/02/09 10:14:00.0781 0700 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/02/09 10:14:00.0843 0700 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

2011/02/09 10:14:00.0890 0700 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/02/09 10:14:00.0984 0700 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/02/09 10:14:01.0078 0700 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2011/02/09 10:14:01.0125 0700 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2011/02/09 10:14:01.0171 0700 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2011/02/09 10:14:01.0250 0700 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/02/09 10:14:01.0390 0700 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/02/09 10:14:01.0453 0700 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/02/09 10:14:01.0625 0700 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/02/09 10:14:01.0671 0700 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/02/09 10:14:01.0750 0700 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/02/09 10:14:01.0812 0700 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/02/09 10:14:01.0875 0700 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/02/09 10:14:01.0921 0700 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/02/09 10:14:01.0968 0700 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/02/09 10:14:02.0031 0700 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/02/09 10:14:02.0109 0700 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/02/09 10:14:02.0156 0700 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/02/09 10:14:02.0203 0700 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/02/09 10:14:02.0296 0700 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/02/09 10:14:02.0437 0700 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/02/09 10:14:02.0531 0700 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/02/09 10:14:02.0562 0700 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/02/09 10:14:02.0625 0700 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/02/09 10:14:02.0671 0700 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/02/09 10:14:02.0781 0700 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/02/09 10:14:02.0843 0700 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/02/09 10:14:02.0921 0700 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/02/09 10:14:02.0984 0700 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/02/09 10:14:03.0031 0700 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/02/09 10:14:03.0078 0700 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/02/09 10:14:03.0125 0700 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/02/09 10:14:03.0156 0700 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/02/09 10:14:03.0218 0700 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/02/09 10:14:03.0265 0700 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/02/09 10:14:03.0328 0700 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/02/09 10:14:03.0375 0700 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/02/09 10:14:03.0421 0700 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/02/09 10:14:03.0484 0700 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/02/09 10:14:03.0531 0700 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/02/09 10:14:03.0671 0700 nmwcdsa (a579a2cc4768b4b3f7e4f86808ea8206) C:\WINDOWS\system32\drivers\nmwcdsa.sys

2011/02/09 10:14:03.0718 0700 nmwcdsac (0a6436274d5cdb33b6ac2fc304037d82) C:\WINDOWS\system32\drivers\nmwcdsac.sys

2011/02/09 10:14:03.0781 0700 nmwcdsacj (23ca32dec0f1e68448c9c3c1f2e1deee) C:\WINDOWS\system32\drivers\nmwcdsacj.sys

2011/02/09 10:14:03.0843 0700 nmwcdsacm (23ca32dec0f1e68448c9c3c1f2e1deee) C:\WINDOWS\system32\drivers\nmwcdsacm.sys

2011/02/09 10:14:03.0890 0700 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/02/09 10:14:03.0937 0700 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/02/09 10:14:04.0031 0700 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/02/09 10:14:04.0093 0700 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/02/09 10:14:04.0140 0700 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/02/09 10:14:04.0218 0700 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/02/09 10:14:04.0250 0700 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/02/09 10:14:04.0296 0700 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/02/09 10:14:04.0343 0700 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/02/09 10:14:04.0421 0700 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/02/09 10:14:04.0468 0700 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/02/09 10:14:04.0937 0700 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/02/09 10:14:04.0984 0700 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/02/09 10:14:05.0046 0700 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/02/09 10:14:05.0078 0700 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/02/09 10:14:05.0328 0700 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/02/09 10:14:05.0406 0700 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/02/09 10:14:05.0437 0700 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/02/09 10:14:05.0484 0700 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/02/09 10:14:05.0546 0700 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/02/09 10:14:05.0609 0700 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/02/09 10:14:05.0671 0700 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/02/09 10:14:05.0734 0700 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/02/09 10:14:05.0781 0700 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/02/09 10:14:05.0906 0700 RTL8023xp (8e34400ffc7d647946d9c820678775af) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys

2011/02/09 10:14:06.0015 0700 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/02/09 10:14:06.0125 0700 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/02/09 10:14:06.0171 0700 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/02/09 10:14:06.0265 0700 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/02/09 10:14:06.0421 0700 SiS315 (e3cf27c168a97018c9f9c7ecc335a761) C:\WINDOWS\system32\DRIVERS\sisgrp.sys

2011/02/09 10:14:06.0453 0700 SiSkp (e14435cf5d555bdc2f35097e403b79c5) C:\WINDOWS\system32\DRIVERS\srvkp.sys

2011/02/09 10:14:06.0531 0700 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/02/09 10:14:06.0578 0700 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/02/09 10:14:06.0734 0700 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/02/09 10:14:06.0812 0700 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/02/09 10:14:06.0859 0700 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/02/09 10:14:07.0078 0700 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/02/09 10:14:07.0171 0700 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/02/09 10:14:07.0250 0700 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/02/09 10:14:07.0296 0700 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/02/09 10:14:07.0328 0700 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/02/09 10:14:07.0468 0700 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys

2011/02/09 10:14:07.0515 0700 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/02/09 10:14:07.0625 0700 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/02/09 10:14:07.0703 0700 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/02/09 10:14:07.0750 0700 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/02/09 10:14:07.0828 0700 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/02/09 10:14:07.0890 0700 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/02/09 10:14:07.0921 0700 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/02/09 10:14:07.0968 0700 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/02/09 10:14:08.0000 0700 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/02/09 10:14:08.0046 0700 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/02/09 10:14:08.0078 0700 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/02/09 10:14:08.0156 0700 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/02/09 10:14:08.0250 0700 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys

2011/02/09 10:14:08.0375 0700 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/02/09 10:14:08.0453 0700 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/02/09 10:14:08.0656 0700 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/02/09 10:14:08.0734 0700 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/02/09 10:14:08.0859 0700 {95808DC4-FA4A-4c74-92FE-5B863F82066B} (8098180b3f6c430a4e60333bc036f936) C:\Program Files\CyberLink\PowerDVD\000.fcl

2011/02/09 10:14:09.0031 0700 ================================================================================

2011/02/09 10:14:09.0031 0700 Scan finished

2011/02/09 10:14:09.0031 0700 ================================================================================


c/documents and settings/MCORK/applications data/random letters exe
My guess is that's where part of the infection is.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right-click, choose "Run as Administrator").

Download ComboFix from one of these locations:

Link 1

Link 2 (if using this link, right-click and select Save As).

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

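The helper's heuristic above (random-letter executables under a user's Application Data, plus the At*.job scheduled tasks and numbered .bat files that the ComboFix log pasted later in this thread lists) can be turned into a small triage script. The Python below is an added example written for this thread; it is not code from ComboFix, TDSSKiller or Malwarebytes. It parses TDSSKiller driver lines and ComboFix "Files Created" lines in the formats pasted here, extracts the path, and flags entries that match those patterns. The line formats, the executable-extension list and the random-name rule are assumptions of the example; the sample input mixes lines copied from this thread with one constructed line, marked as such in the code.

```python
"""Triage helper for pasted TDSSKiller / ComboFix log lines (added example, not
part of any of those tools).  It applies the thread's heuristic: executables
with random-looking names under a user's Application Data, At*.job tasks in
c:\\windows\\Tasks, and numbered .bat droppers are worth a closer look."""
import re
from typing import Iterable, List, NamedTuple, Optional

# TDSSKiller driver line, as pasted in this thread:
#   "<yyyy/mm/dd> <hh:mm:ss.ffff> <pid> <service> (<md5>) <path>"
TDSS_LINE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$"
)
# ComboFix "Files Created" line:
#   "<created> . <modified> <size or --------> <attrs> <path>"
CF_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+\S+\s+\S+\s+(?P<path>.+)$"
)
BARE_PATH = re.compile(r"^[a-zA-Z]:\\")  # ComboFix deletion lists are bare paths

USER_APPDATA = re.compile(r"\\documents and settings\\[^\\]+\\application data\\", re.I)
AT_JOB = re.compile(r"\\windows\\tasks\\at\d+\.job$", re.I)
EXEC_EXT = {".exe", ".bat", ".js", ".com", ".scr", ".vbs"}  # assumed list


class Finding(NamedTuple):
    path: str
    reasons: List[str]


def extract_path(line: str) -> Optional[str]:
    """Return the file path carried by a log line, or None if it is not a file entry."""
    line = line.strip()
    for pattern in (TDSS_LINE, CF_LINE):
        m = pattern.match(line)
        if m:
            return m.group("path").strip()
    return line if BARE_PATH.match(line) else None


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption of this example): short alphanumeric stem that
    carries digits or mid-word capitals, e.g. 'AJi3J' or '2859', but not 'Startup'."""
    if not (4 <= len(stem) <= 12) or not stem.isalnum():
        return False
    has_digit = any(c.isdigit() for c in stem)
    mid_caps = any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)
    return has_digit or mid_caps


def classify(path: str) -> List[str]:
    """Reasons why a path deserves attention; an empty list means nothing matched."""
    reasons: List[str] = []
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:  # no extension at all
        stem, ext = name, ""
    ext = ("." + ext.lower()) if ext else ""
    if AT_JOB.search(path):
        reasons.append("at-job-in-tasks")
    if USER_APPDATA.search(path) and ext in EXEC_EXT:
        reasons.append("executable-in-appdata")
        if looks_random(stem):
            reasons.append("random-name")
    return reasons


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the heuristic over pasted log lines, keeping only flagged entries."""
    findings: List[Finding] = []
    for line in lines:
        path = extract_path(line)
        if path is None:
            continue
        reasons = classify(path)
        if reasons:
            findings.append(Finding(path, reasons))
    return findings


# Sample input: lines copied from this thread plus one constructed TDSSKiller
# line (marked) standing in for the "random letters exe" the popup named.
SAMPLE_LINES = [
    r"2011/02/09 10:13:57.0093 0700 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys",
    r"2011/02/09 10:14:08.0000 0700 svcname (00000000000000000000000000000000) C:\Documents and Settings\MCORK\Application Data\AbC9x.exe",  # constructed
    r"2011-02-05 09:07 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys",
    r"2011-02-04 18:55 . 2011-02-04 18:55 163 ----a-w- c:\documents and settings\MCork\Application Data\2859.bat",
    r"c:\windows\Tasks\At1.job",
    r"c:\documents and settings\MCork\Application Data\AJi3J.exe",
    r"c:\documents and settings\MCork\Application Data\startup.js",
    r"c:\documents and settings\MCork\Application Data\install_pal",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{', '.join(f.reasons):40} {f.path}")
```

Run as a script it lists the five flagged entries from the sample; legitimate drivers under system32 and the extensionless install_pal produce no finding. The rule is deliberately narrow (a specific profile directory layout and a fixed extension set), so treat its output as a list of files to look at rather than a verdict.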

LOL, too true. Sorry to be such a pain, but the trouble now is that AVG won't uninstall. None of it makes sense to me; the error message is as follows:

local machine: installation failed

Installation:

Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....

Error 0x80070005

:) cheers


Thanks, the report from ComboFix is as follows:

ComboFix 11-02-08.02 - MCork 09/02/2011 12:00:13.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1477 [GMT 8:00]

Running from: c:\documents and settings\MCork\Desktop\ComboFix.exe

FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\MCork\Application Data\AJi3J.exe

c:\documents and settings\MCork\Application Data\BET4ZZch1.exe

c:\documents and settings\MCork\Application Data\bKD65BB1.exe

c:\documents and settings\MCork\Application Data\c1SksTiL.exe

c:\documents and settings\MCork\Application Data\cMq1Yekg.exe

c:\documents and settings\MCork\Application Data\ctdWBJ79V.exe

c:\documents and settings\MCork\Application Data\eDVY28Zq.exe

c:\documents and settings\MCork\Application Data\eZ8yuDGdO.exe

c:\documents and settings\MCork\Application Data\h8iH5.exe

c:\documents and settings\MCork\Application Data\install_pal

c:\documents and settings\MCork\Application Data\iwPE466X.exe

c:\documents and settings\MCork\Application Data\kFa27HK8.exe

c:\documents and settings\MCork\Application Data\KiZEes1.exe

c:\documents and settings\MCork\Application Data\Kl7ZFmnf.exe

c:\documents and settings\MCork\Application Data\kSOlMXUZkD.exe

c:\documents and settings\MCork\Application Data\mfmDuS7.exe

c:\documents and settings\MCork\Application Data\nGPXvPjV32.exe

c:\documents and settings\MCork\Application Data\oGaTQRT0.exe

c:\documents and settings\MCork\Application Data\P6KuqxCf.exe

c:\documents and settings\MCork\Application Data\pdQwQcqoG.exe

c:\documents and settings\MCork\Application Data\QYnPqnaO.exe

c:\documents and settings\MCork\Application Data\rtnGclGNUP.exe

c:\documents and settings\MCork\Application Data\startup.js

c:\documents and settings\MCork\Application Data\sTluqRCh.exe

c:\documents and settings\MCork\Application Data\temp.js

c:\documents and settings\MCork\Application Data\TYDHYVtcr.exe

c:\documents and settings\MCork\Application Data\Uf4j2.exe

c:\documents and settings\MCork\Application Data\Ufmkt.exe

c:\documents and settings\MCork\Application Data\UjpXomy2pE.exe

c:\documents and settings\MCork\Application Data\w4XLGib.exe

c:\documents and settings\MCork\Application Data\wYhodZs.exe

c:\documents and settings\MCork\Application Data\X2LR3xT3.exe

c:\documents and settings\MCork\Application Data\X70sBotKYn.exe

c:\documents and settings\MCork\Application Data\XCrdP77jvE.exe

c:\documents and settings\MCork\Application Data\yiS0Sb0.exe

c:\documents and settings\MCork\Application Data\ypCXcP7Jt.exe

c:\documents and settings\MCork\Application Data\YXrQH.exe

c:\documents and settings\MCork\Local Settings\Temporary Internet Files\firmware.inf

c:\documents and settings\MCork\Local Settings\Temporary Internet Files\ip3picfile.temp

c:\documents and settings\MCork\Local Settings\Temporary Internet Files\ip3Wmapic.temp

c:\documents and settings\MCork\Start Menu\Programs\Startup\Startup.js

c:\documents and settings\NetworkService\Application Data\hUHnkDtU.exe

c:\documents and settings\NetworkService\Application Data\NWfaghLY2h.exe

c:\documents and settings\NetworkService\Application Data\ofLMqt.exe

c:\documents and settings\NetworkService\Application Data\x4cKGY8.exe

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

----- File Replicators -----

c:\documents and settings\MCork\Application Data\AJi3J.exe

c:\documents and settings\MCork\Application Data\BET4ZZch1.exe

c:\documents and settings\MCork\Application Data\bKD65BB1.exe

c:\documents and settings\MCork\Application Data\c1SksTiL.exe

c:\documents and settings\MCork\Application Data\cMq1Yekg.exe

c:\documents and settings\MCork\Application Data\ctdWBJ79V.exe

c:\documents and settings\MCork\Application Data\eDVY28Zq.exe

c:\documents and settings\MCork\Application Data\eZ8yuDGdO.exe

c:\documents and settings\MCork\Application Data\h8iH5.exe

c:\documents and settings\MCork\Application Data\iwPE466X.exe

c:\documents and settings\MCork\Application Data\kFa27HK8.exe

c:\documents and settings\MCork\Application Data\KiZEes1.exe

c:\documents and settings\MCork\Application Data\Kl7ZFmnf.exe

c:\documents and settings\MCork\Application Data\kSOlMXUZkD.exe

c:\documents and settings\MCork\Application Data\mfmDuS7.exe

c:\documents and settings\MCork\Application Data\nGPXvPjV32.exe

c:\documents and settings\MCork\Application Data\oGaTQRT0.exe

c:\documents and settings\MCork\Application Data\P6KuqxCf.exe

c:\documents and settings\MCork\Application Data\pdQwQcqoG.exe

c:\documents and settings\MCork\Application Data\QYnPqnaO.exe

c:\documents and settings\MCork\Application Data\rtnGclGNUP.exe

c:\documents and settings\MCork\Application Data\sTluqRCh.exe

c:\documents and settings\MCork\Application Data\TYDHYVtcr.exe

c:\documents and settings\MCork\Application Data\Uf4j2.exe

c:\documents and settings\MCork\Application Data\Ufmkt.exe

c:\documents and settings\MCork\Application Data\UjpXomy2pE.exe

c:\documents and settings\MCork\Application Data\w4XLGib.exe

c:\documents and settings\MCork\Application Data\wYhodZs.exe

c:\documents and settings\MCork\Application Data\X2LR3xT3.exe

c:\documents and settings\MCork\Application Data\X70sBotKYn.exe

c:\documents and settings\MCork\Application Data\XCrdP77jvE.exe

c:\documents and settings\MCork\Application Data\yiS0Sb0.exe

c:\documents and settings\MCork\Application Data\ypCXcP7Jt.exe

c:\documents and settings\MCork\Application Data\YXrQH.exe

c:\documents and settings\MCork\Local Settings\Temporary Internet Files\Content.IE5\ASXTFL1F\cbta[2].exe

c:\documents and settings\MCork\Local Settings\Temporary Internet Files\Content.IE5\QISJRAMK\cbta[2].exe

c:\documents and settings\NetworkService\Application Data\hUHnkDtU.exe

c:\documents and settings\NetworkService\Application Data\NWfaghLY2h.exe

c:\documents and settings\NetworkService\Application Data\ofLMqt.exe

c:\documents and settings\NetworkService\Application Data\x4cKGY8.exe

c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0NCMNOGP\cbta[1].exe

.

.

((((((((((((((((((((((((( Files Created from 2011-01-09 to 2011-02-09 )))))))))))))))))))))))))))))))

.

2011-02-08 10:00 . 2011-02-08 10:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2011-02-08 09:48 . 2011-02-08 15:25 -------- d-----w- c:\documents and settings\Administrator

2011-02-05 09:07 . 2011-02-05 09:07 -------- d-----w- c:\documents and settings\MCork\Application Data\Malwarebytes

2011-02-05 09:07 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-05 09:07 . 2011-02-05 09:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-05 09:07 . 2011-02-05 09:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-05 09:07 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-04 18:55 . 2011-02-04 18:55 185 ----a-w- c:\documents and settings\NetworkService\Application Data\4532.bat

2011-02-04 18:55 . 2011-02-04 18:55 163 ----a-w- c:\documents and settings\MCork\Application Data\2859.bat

2011-02-04 18:50 . 2011-02-04 18:50 167 ----a-w- c:\documents and settings\MCork\Application Data\9521.bat

2011-02-04 18:44 . 2011-02-04 18:44 167 ----a-w- c:\documents and settings\MCork\Application Data\5883.bat

2011-02-04 18:31 . 2011-02-04 18:31 167 ----a-w- c:\documents and settings\MCork\Application Data\4878.bat

2011-02-04 18:30 . 2011-02-04 18:30 169 ----a-w- c:\documents and settings\MCork\Application Data\2928.bat

2011-02-04 18:18 . 2011-02-04 18:18 161 ----a-w- c:\documents and settings\MCork\Application Data\1587.bat

2011-02-04 18:12 . 2011-02-04 18:12 169 ----a-w- c:\documents and settings\MCork\Application Data\8613.bat

2011-02-04 18:12 . 2011-02-04 18:12 169 ----a-w- c:\documents and settings\MCork\Application Data\6787.bat

2011-02-04 18:06 . 2011-02-04 18:06 169 ----a-w- c:\documents and settings\MCork\Application Data\9313.bat

2011-02-04 18:05 . 2011-02-04 18:05 165 ----a-w- c:\documents and settings\MCork\Application Data\3846.bat

2011-02-04 17:56 . 2011-02-04 17:56 165 ----a-w- c:\documents and settings\MCork\Application Data\429.bat

2011-02-04 17:55 . 2011-02-04 17:55 189 ----a-w- c:\documents and settings\NetworkService\Application Data\1332.bat

2011-02-04 17:41 . 2011-02-04 17:41 165 ----a-w- c:\documents and settings\MCork\Application Data\3557.bat

2011-02-04 17:33 . 2011-02-04 17:33 167 ----a-w- c:\documents and settings\MCork\Application Data\825.bat

2011-02-04 17:31 . 2011-02-04 17:31 163 ----a-w- c:\documents and settings\MCork\Application Data\8532.bat

2011-02-04 17:24 . 2011-02-04 17:24 171 ----a-w- c:\documents and settings\MCork\Application Data\1628.bat

2011-02-04 17:09 . 2011-02-04 17:09 163 ----a-w- c:\documents and settings\MCork\Application Data\3285.bat

2011-02-04 16:59 . 2011-02-04 16:59 161 ----a-w- c:\documents and settings\MCork\Application Data\2451.bat

2011-02-04 16:55 . 2011-02-04 16:55 185 ----a-w- c:\documents and settings\NetworkService\Application Data\8665.bat

2011-02-04 16:39 . 2011-02-04 16:39 171 ----a-w- c:\documents and settings\MCork\Application Data\3493.bat

2011-02-04 16:33 . 2011-02-04 16:33 163 ----a-w- c:\documents and settings\MCork\Application Data\4128.bat

2011-02-04 16:32 . 2011-02-04 16:32 171 ----a-w- c:\documents and settings\MCork\Application Data\3659.bat

2011-02-04 16:25 . 2011-02-04 16:25 165 ----a-w- c:\documents and settings\MCork\Application Data\2486.bat

2011-02-04 16:18 . 2011-02-04 16:18 161 ----a-w- c:\documents and settings\MCork\Application Data\4910.bat

2011-02-04 16:09 . 2011-02-04 16:09 165 ----a-w- c:\documents and settings\MCork\Application Data\6213.bat

2011-02-04 16:07 . 2011-02-04 16:07 169 ----a-w- c:\documents and settings\MCork\Application Data\2037.bat

2011-02-04 15:58 . 2011-02-04 15:58 161 ----a-w- c:\documents and settings\MCork\Application Data\9059.bat

2011-02-04 15:55 . 2011-02-04 15:55 183 ----a-w- c:\documents and settings\NetworkService\Application Data\8207.bat

2011-02-04 15:44 . 2011-02-04 15:44 169 ----a-w- c:\documents and settings\MCork\Application Data\817.bat

2011-02-04 15:36 . 2011-02-04 15:36 171 ----a-w- c:\documents and settings\MCork\Application Data\4742.bat

2011-02-04 15:34 . 2011-02-04 15:34 165 ----a-w- c:\documents and settings\MCork\Application Data\5103.bat

2011-02-04 15:28 . 2011-02-04 15:28 171 ----a-w- c:\documents and settings\MCork\Application Data\8030.bat

2011-02-04 15:24 . 2011-02-04 15:24 169 ----a-w- c:\documents and settings\MCork\Application Data\2617.bat

2011-02-04 15:23 . 2011-02-04 15:23 169 ----a-w- c:\documents and settings\MCork\Application Data\4186.bat

2011-02-04 15:18 . 2011-02-04 15:18 165 ----a-w- c:\documents and settings\MCork\Application Data\1421.bat

2011-02-04 15:12 . 2011-02-04 15:12 165 ----a-w- c:\documents and settings\MCork\Application Data\8522.bat

2011-02-04 15:11 . 2011-02-04 15:11 165 ----a-w- c:\documents and settings\MCork\Application Data\5315.bat

2011-02-04 15:08 . 2011-02-04 15:08 167 ----a-w- c:\documents and settings\MCork\Application Data\4890.bat

2011-02-04 14:55 . 2011-02-04 14:55 181 ----a-w- c:\documents and settings\NetworkService\Application Data\7972.bat

2011-02-04 14:46 . 2011-02-04 14:46 169 ----a-w- c:\documents and settings\MCork\Application Data\5048.bat

2011-02-04 14:46 . 2011-02-04 14:46 169 ----a-w- c:\documents and settings\MCork\Application Data\4756.bat

2011-02-04 14:45 . 2011-02-04 14:45 167 ----a-w- c:\documents and settings\MCork\Application Data\6767.bat

2011-02-04 14:35 . 2011-02-04 14:35 167 ----a-w- c:\documents and settings\MCork\Application Data\9955.bat

2011-02-04 14:32 . 2011-02-04 14:32 163 ----a-w- c:\documents and settings\MCork\Application Data\1104.bat

2011-02-04 14:31 . 2011-02-04 14:31 167 ----a-w- c:\documents and settings\MCork\Application Data\1514.bat

2011-02-04 14:16 . 2011-02-04 14:16 161 ----a-w- c:\documents and settings\MCork\Application Data\1277.bat

2011-02-04 14:11 . 2011-02-04 14:11 171 ----a-w- c:\documents and settings\MCork\Application Data\9449.bat

2011-02-04 14:03 . 2011-02-04 14:03 163 ----a-w- c:\documents and settings\MCork\Application Data\809.bat

2011-02-04 14:01 . 2011-02-04 14:01 169 ----a-w- c:\documents and settings\MCork\Application Data\2723.bat

2011-02-04 13:59 . 2011-02-04 13:59 167 ----a-w- c:\documents and settings\MCork\Application Data\9510.bat

2011-02-04 13:55 . 2011-02-04 13:55 185 ----a-w- c:\documents and settings\NetworkService\Application Data\3787.bat

2011-02-04 13:43 . 2011-02-04 13:43 171 ----a-w- c:\documents and settings\MCork\Application Data\7893.bat

2011-02-04 13:41 . 2011-02-04 13:41 167 ----a-w- c:\documents and settings\MCork\Application Data\134.bat

2011-02-04 13:38 . 2011-02-04 13:38 167 ----a-w- c:\documents and settings\MCork\Application Data\9863.bat

2011-02-04 13:30 . 2011-02-04 13:30 171 ----a-w- c:\documents and settings\MCork\Application Data\9383.bat

2011-02-04 13:25 . 2011-02-04 13:25 171 ----a-w- c:\documents and settings\MCork\Application Data\1994.bat

2011-02-04 13:20 . 2011-02-04 13:20 165 ----a-w- c:\documents and settings\MCork\Application Data\6266.bat

2011-02-04 13:15 . 2011-02-04 13:15 167 ----a-w- c:\documents and settings\MCork\Application Data\362.bat

2011-02-04 13:08 . 2011-02-04 13:08 165 ----a-w- c:\documents and settings\MCork\Application Data\5135.bat

2011-02-04 13:04 . 2011-02-04 13:04 171 ----a-w- c:\documents and settings\MCork\Application Data\3227.bat

2011-02-04 12:55 . 2011-02-04 12:55 185 ----a-w- c:\documents and settings\NetworkService\Application Data\3763.bat

2011-02-04 12:48 . 2011-02-04 12:48 163 ----a-w- c:\documents and settings\MCork\Application Data\151.bat

2011-02-04 12:36 . 2011-02-04 12:36 167 ----a-w- c:\documents and settings\MCork\Application Data\3211.bat

2011-02-04 12:31 . 2011-02-04 12:31 163 ----a-w- c:\documents and settings\MCork\Application Data\2970.bat

2011-02-04 12:27 . 2011-02-04 12:27 161 ----a-w- c:\documents and settings\MCork\Application Data\6383.bat

2011-02-04 12:24 . 2011-02-04 12:24 167 ----a-w- c:\documents and settings\MCork\Application Data\1219.bat

2011-02-04 12:18 . 2011-02-04 12:18 167 ----a-w- c:\documents and settings\MCork\Application Data\7272.bat

2011-02-04 12:05 . 2011-02-04 16:57 163 ----a-w- c:\documents and settings\MCork\Application Data\3276.bat

2011-02-04 12:01 . 2011-02-04 12:01 163 ----a-w- c:\documents and settings\MCork\Application Data\9095.bat

2011-02-04 11:56 . 2011-02-04 11:56 165 ----a-w- c:\documents and settings\MCork\Application Data\3556.bat

2011-02-04 11:55 . 2011-02-04 11:55 187 ----a-w- c:\documents and settings\NetworkService\Application Data\9444.bat

2011-02-04 11:54 . 2011-02-04 11:54 163 ----a-w- c:\documents and settings\MCork\Application Data\6531.bat

2011-02-04 11:36 . 2011-02-04 11:36 165 ----a-w- c:\documents and settings\MCork\Application Data\3231.bat

2011-02-04 11:36 . 2011-02-04 11:36 171 ----a-w- c:\documents and settings\MCork\Application Data\352.bat

2011-02-04 11:29 . 2011-02-04 11:29 165 ----a-w- c:\documents and settings\MCork\Application Data\2044.bat

2011-02-04 11:23 . 2011-02-04 11:23 167 ----a-w- c:\documents and settings\MCork\Application Data\2763.bat

2011-02-04 11:21 . 2011-02-04 11:21 163 ----a-w- c:\documents and settings\MCork\Application Data\5805.bat

2011-02-04 11:03 . 2011-02-04 11:03 163 ----a-w- c:\documents and settings\MCork\Application Data\273.bat

2011-02-04 10:59 . 2011-02-04 10:59 167 ----a-w- c:\documents and settings\MCork\Application Data\6200.bat

2011-02-04 10:55 . 2011-02-04 10:55 171 ----a-w- c:\documents and settings\MCork\Application Data\1805.bat

2011-02-04 10:55 . 2011-02-04 10:55 189 ----a-w- c:\documents and settings\NetworkService\Application Data\2279.bat

2011-02-04 10:46 . 2011-02-04 10:46 167 ----a-w- c:\documents and settings\MCork\Application Data\1771.bat

2011-02-04 10:37 . 2011-02-04 10:37 167 ----a-w- c:\documents and settings\MCork\Application Data\5110.bat

2011-02-04 10:29 . 2011-02-04 10:29 171 ----a-w- c:\documents and settings\MCork\Application Data\7158.bat

2011-02-04 10:27 . 2011-02-04 10:27 163 ----a-w- c:\documents and settings\MCork\Application Data\9391.bat

2011-02-04 10:26 . 2011-02-04 10:26 167 ----a-w- c:\documents and settings\MCork\Application Data\7392.bat

2011-02-04 10:14 . 2011-02-04 10:14 163 ----a-w- c:\documents and settings\MCork\Application Data\9822.bat

2011-02-04 09:58 . 2011-02-04 09:58 169 ----a-w- c:\documents and settings\MCork\Application Data\2367.bat

2011-02-04 09:55 . 2011-02-04 09:55 169 ----a-w- c:\documents and settings\MCork\Application Data\2159.bat

2011-02-04 09:55 . 2011-02-04 09:55 183 ----a-w- c:\documents and settings\NetworkService\Application Data\1759.bat

2011-02-04 09:53 . 2011-02-04 09:53 171 ----a-w- c:\documents and settings\MCork\Application Data\965.bat

2011-02-04 09:49 . 2011-02-04 09:49 161 ----a-w- c:\documents and settings\MCork\Application Data\4095.bat

2011-02-04 09:28 . 2011-02-04 09:28 169 ----a-w- c:\documents and settings\MCork\Application Data\5799.bat

2011-02-04 09:26 . 2011-02-04 09:26 167 ----a-w- c:\documents and settings\MCork\Application Data\1385.bat

2011-02-04 09:24 . 2011-02-04 09:24 165 ----a-w- c:\documents and settings\MCork\Application Data\4962.bat

2011-02-04 09:01 . 2011-02-04 09:01 165 ----a-w- c:\documents and settings\MCork\Application Data\9093.bat

2011-02-04 08:55 . 2011-02-04 08:55 179 ----a-w- c:\documents and settings\NetworkService\Application Data\2657.bat

2011-02-04 08:52 . 2011-02-04 08:52 165 ----a-w- c:\documents and settings\MCork\Application Data\9371.bat

2011-02-04 08:51 . 2011-02-04 08:51 171 ----a-w- c:\documents and settings\MCork\Application Data\5100.bat

2011-02-04 08:32 . 2011-02-04 08:32 163 ----a-w- c:\documents and settings\MCork\Application Data\6418.bat

2011-02-04 08:28 . 2011-02-04 08:28 171 ----a-w- c:\documents and settings\MCork\Application Data\2751.bat

2011-02-04 08:25 . 2011-02-04 08:25 167 ----a-w- c:\documents and settings\MCork\Application Data\5434.bat

2011-02-04 08:22 . 2011-02-04 08:22 169 ----a-w- c:\documents and settings\MCork\Application Data\3516.bat

2011-02-04 08:07 . 2011-02-04 08:07 163 ----a-w- c:\documents and settings\MCork\Application Data\8455.bat

2011-02-04 08:04 . 2011-02-04 08:04 161 ----a-w- c:\documents and settings\MCork\Application Data\5021.bat

2011-02-04 07:59 . 2011-02-04 07:59 169 ----a-w- c:\documents and settings\MCork\Application Data\6468.bat

2011-02-04 07:19 . 2011-02-04 07:19 161 ----a-w- c:\documents and settings\MCork\Application Data\9279.bat

2011-02-04 07:11 . 2011-02-04 07:11 171 ----a-w- c:\documents and settings\MCork\Application Data\3721.bat

2011-02-04 07:10 . 2011-02-04 07:10 163 ----a-w- c:\documents and settings\MCork\Application Data\976.bat

2011-02-04 07:07 . 2011-02-04 07:07 169 ----a-w- c:\documents and settings\MCork\Application Data\78.bat

2011-02-04 07:00 . 2011-02-04 07:00 169 ----a-w- c:\documents and settings\MCork\Application Data\1987.bat

2011-02-04 06:56 . 2011-02-04 06:56 163 ----a-w- c:\documents and settings\MCork\Application Data\206.bat

2011-02-04 06:55 . 2011-02-04 06:55 179 ----a-w- c:\documents and settings\NetworkService\Application Data\7384.bat

2011-02-04 06:51 . 2011-02-04 06:51 167 ----a-w- c:\documents and settings\MCork\Application Data\9003.bat

2011-02-04 06:45 . 2011-02-04 06:45 161 ----a-w- c:\documents and settings\MCork\Application Data\8922.bat

2011-02-04 06:33 . 2011-02-04 06:33 163 ----a-w- c:\documents and settings\MCork\Application Data\5201.bat

2011-02-04 06:33 . 2011-02-04 06:33 161 ----a-w- c:\documents and settings\MCork\Application Data\9495.bat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-18 18:12 . 2008-02-21 06:37 81920 ----a-w- c:\windows\system32\isign32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2005-08-16 90112]

"SiSPower"="SiSPower.dll" [2005-07-13 49152]

"SpeedTouch USB Diagnostics"="c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 861184]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-12 127036]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

"ESDUSBMon.exe"="c:\windows\system32\ESDUSBMon.exe" [2005-05-26 188416]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"PcSync"="c:\program files\Samsung\Samsung PC Studio 7\PcSync2.exe" [2006-06-27 1449984]

c:\documents and settings\MCork\Start Menu\Programs\Startup\

Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-6-29 380928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2008-4-1 1078]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

2004-05-12 07:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2003-08-04 08:28 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-09-23 18:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

2007-02-07 08:21 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-09-08 03:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2007-02-07 08:24 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]

R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [25/12/2003 11:00 AM 95485]

R3 alcan5ln;Alcatel SpeedTouch USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [21/02/2008 10:19 PM 36048]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [22/12/2009 9:13 AM 135664]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [18/03/2009 9:02 PM 16512]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe [?]

S3 nmwcdsa;Samsung USB Phone Parent;c:\windows\system32\drivers\nmwcdsa.sys [4/08/2008 6:09 PM 135680]

S3 nmwcdsac;Samsung USB Generic;c:\windows\system32\drivers\nmwcdsac.sys [4/08/2008 6:09 PM 8320]

S3 nmwcdsacj;Samsung USB Port;c:\windows\system32\drivers\nmwcdsacj.sys [4/08/2008 6:09 PM 12288]

S3 nmwcdsacm;Samsung USB Modem;c:\windows\system32\drivers\nmwcdsacm.sys [4/08/2008 6:09 PM 12288]

.

Contents of the 'Scheduled Tasks' folder

2011-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 04:34]

2010-10-05 c:\windows\Tasks\expressburnSevenDays.job

- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-10-05 02:16]

2010-10-08 c:\windows\Tasks\expressburnShakeIcon.job

- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-10-05 02:16]

2011-02-09 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-12 07:43]

2011-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-22 01:13]

2011-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-22 01:13]

2011-02-09 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 14:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.au/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

FF - ProfilePath - c:\documents and settings\MCork\Application Data\Mozilla\Firefox\Profiles\kcy1ubnp.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - %profile%\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - (no file)

URLSearchHooks-{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - (no file)

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)

HKLM-Run-DXDllRegExe - dxdllreg.exe

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

Notify-avgrsstarter - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-09 12:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-02-09 12:20:43

ComboFix-quarantined-files.txt 2011-02-09 04:20

Pre-Run: 50,848,768,000 bytes free

Post-Run: 51,869,941,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7B7FFDBED47C084C6264328E5499019D


The .js files are from Java. Let's leave those alone.

Copy/paste the text in the code box below into Notepad.

Here's how to do that:

Click Start > Run, type Notepad, and click OK.

This will open an empty Notepad file.

Take your mouse and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right-click the mouse for options and select 'Copy'. Now, over the empty Notepad window, right-click your mouse again and select 'Paste', and you will have copied and pasted the text.

KillAll::

File::
c:\documents and settings\NetworkService\Application Data\4532.bat
c:\documents and settings\MCork\Application Data\2859.bat
c:\documents and settings\MCork\Application Data\9521.bat
c:\documents and settings\MCork\Application Data\5883.bat
c:\documents and settings\MCork\Application Data\4878.bat
c:\documents and settings\MCork\Application Data\2928.bat
c:\documents and settings\MCork\Application Data\1587.bat
c:\documents and settings\MCork\Application Data\8613.bat
c:\documents and settings\MCork\Application Data\6787.bat
c:\documents and settings\MCork\Application Data\9313.bat
c:\documents and settings\MCork\Application Data\3846.bat
c:\documents and settings\MCork\Application Data\429.bat
c:\documents and settings\NetworkService\Application Data\1332.bat
c:\documents and settings\MCork\Application Data\3557.bat
c:\documents and settings\MCork\Application Data\825.bat
c:\documents and settings\MCork\Application Data\8532.bat
c:\documents and settings\MCork\Application Data\1628.bat
c:\documents and settings\MCork\Application Data\3285.bat
c:\documents and settings\MCork\Application Data\2451.bat
c:\documents and settings\NetworkService\Application Data\8665.bat
c:\documents and settings\MCork\Application Data\3493.bat
c:\documents and settings\MCork\Application Data\4128.bat
c:\documents and settings\MCork\Application Data\3659.bat
c:\documents and settings\MCork\Application Data\2486.bat
c:\documents and settings\MCork\Application Data\4910.bat
c:\documents and settings\MCork\Application Data\6213.bat
c:\documents and settings\MCork\Application Data\2037.bat
c:\documents and settings\MCork\Application Data\9059.bat
c:\documents and settings\NetworkService\Application Data\8207.bat
c:\documents and settings\MCork\Application Data\817.bat
c:\documents and settings\MCork\Application Data\4742.bat
c:\documents and settings\MCork\Application Data\5103.bat
c:\documents and settings\MCork\Application Data\8030.bat
c:\documents and settings\MCork\Application Data\2617.bat
c:\documents and settings\MCork\Application Data\4186.bat
c:\documents and settings\MCork\Application Data\1421.bat
C:\documents and settings\MCork\Application Data\8522.bat
c:\documents and settings\MCork\Application Data\5315.bat
c:\documents and settings\MCork\Application Data\4890.bat
c:\documents and settings\NetworkService\Application Data\7972.bat
c:\documents and settings\MCork\Application Data\5048.bat
c:\documents and settings\MCork\Application Data\4756.bat
c:\documents and settings\MCork\Application Data\6767.bat
c:\documents and settings\MCork\Application Data\9955.bat
c:\documents and settings\MCork\Application Data\1104.bat
c:\documents and settings\MCork\Application Data\1514.bat
c:\documents and settings\MCork\Application Data\1277.bat
c:\documents and settings\MCork\Application Data\9449.bat
c:\documents and settings\MCork\Application Data\809.bat
c:\documents and settings\MCork\Application Data\2723.bat
c:\documents and settings\MCork\Application Data\9510.bat
c:\documents and settings\NetworkService\Application Data\3787.bat
c:\documents and settings\MCork\Application Data\7893.bat
c:\documents and settings\MCork\Application Data\134.bat
c:\documents and settings\MCork\Application Data\9863.bat
c:\documents and settings\MCork\Application Data\9383.bat
c:\documents and settings\MCork\Application Data\1994.bat
c:\documents and settings\MCork\Application Data\6266.bat
c:\documents and settings\MCork\Application Data\362.bat
c:\documents and settings\MCork\Application Data\5135.bat
c:\documents and settings\MCork\Application Data\3227.bat
c:\documents and settings\NetworkService\Application Data\3763.bat
c:\documents and settings\MCork\Application Data\151.bat
c:\documents and settings\MCork\Application Data\3211.bat
c:\documents and settings\MCork\Application Data\2970.bat
c:\documents and settings\MCork\Application Data\6383.bat
c:\documents and settings\MCork\Application Data\1219.bat
c:\documents and settings\MCork\Application Data\7272.bat
c:\documents and settings\MCork\Application Data\3276.bat
c:\documents and settings\MCork\Application Data\9095.bat
c:\documents and settings\MCork\Application Data\3556.bat
c:\documents and settings\NetworkService\Application Data\9444.bat
c:\documents and settings\MCork\Application Data\6531.bat
c:\documents and settings\MCork\Application Data\3231.bat
c:\documents and settings\MCork\Application Data\352.bat
c:\documents and settings\MCork\Application Data\2044.bat
c:\documents and settings\MCork\Application Data\2763.bat
c:\documents and settings\MCork\Application Data\5805.bat
c:\documents and settings\MCork\Application Data\273.bat
c:\documents and settings\MCork\Application Data\6200.bat
c:\documents and settings\MCork\Application Data\1805.bat
c:\documents and settings\NetworkService\Application Data\2279.bat
c:\documents and settings\MCork\Application Data\1771.bat
c:\documents and settings\MCork\Application Data\5110.bat
c:\documents and settings\MCork\Application Data\7158.bat
c:\documents and settings\MCork\Application Data\9391.bat
c:\documents and settings\MCork\Application Data\7392.bat
c:\documents and settings\MCork\Application Data\9822.bat
c:\documents and settings\MCork\Application Data\2367.bat
c:\documents and settings\MCork\Application Data\2159.bat
c:\documents and settings\NetworkService\Application Data\1759.bat
c:\documents and settings\MCork\Application Data\965.bat
c:\documents and settings\MCork\Application Data\4095.bat
c:\documents and settings\MCork\Application Data\5799.bat
c:\documents and settings\MCork\Application Data\1385.bat
c:\documents and settings\MCork\Application Data\4962.bat
c:\documents and settings\MCork\Application Data\9093.bat
c:\documents and settings\NetworkService\Application Data\2657.bat
c:\documents and settings\MCork\Application Data\9371.bat
c:\documents and settings\MCork\Application Data\5100.bat
c:\documents and settings\MCork\Application Data\6418.bat
c:\documents and settings\MCork\Application Data\2751.bat
c:\documents and settings\MCork\Application Data\5434.bat
c:\documents and settings\MCork\Application Data\3516.bat
c:\documents and settings\MCork\Application Data\8455.bat
c:\documents and settings\MCork\Application Data\5021.bat
c:\documents and settings\MCork\Application Data\6468.bat
c:\documents and settings\MCork\Application Data\9279.bat
c:\documents and settings\MCork\Application Data\3721.bat
c:\documents and settings\MCork\Application Data\976.bat
c:\documents and settings\MCork\Application Data\78.bat
c:\documents and settings\MCork\Application Data\1987.bat
c:\documents and settings\MCork\Application Data\206.bat
c:\documents and settings\NetworkService\Application Data\7384.bat
c:\documents and settings\MCork\Application Data\9003.bat
c:\documents and settings\MCork\Application Data\8922.bat
c:\documents and settings\MCork\Application Data\5201.bat
c:\documents and settings\MCork\Application Data\9495.bat

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... and change the directory to your desktop;

3. Change the "Save as type" to "All Files";

4. Type in the file name: CFScript

5. Click Save.


Drag CFScript.txt onto ComboFix.exe.

Then post the resulting log using copy/paste.


Thanks, the report is as follows:

ComboFix 11-02-08.02 - MCork 11/02/2011 22:50:11.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1562 [GMT 8:00]

Running from: c:\documents and settings\MCork\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\MCork\Desktop\cfscript.txt

FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::

"c:\documents and settings\MCork\Application Data\1104.bat"

"c:\documents and settings\MCork\Application Data\1219.bat"

"c:\documents and settings\MCork\Application Data\1277.bat"

"c:\documents and settings\MCork\Application Data\134.bat"

"c:\documents and settings\MCork\Application Data\1385.bat"

"c:\documents and settings\MCork\Application Data\1421.bat"

"c:\documents and settings\MCork\Application Data\151.bat"

"c:\documents and settings\MCork\Application Data\1514.bat"

"c:\documents and settings\MCork\Application Data\1587.bat"

"c:\documents and settings\MCork\Application Data\1628.bat"

"c:\documents and settings\MCork\Application Data\1771.bat"

"c:\documents and settings\MCork\Application Data\1805.bat"

"c:\documents and settings\MCork\Application Data\1987.bat"

"c:\documents and settings\MCork\Application Data\1994.bat"

"c:\documents and settings\MCork\Application Data\2037.bat"

"c:\documents and settings\MCork\Application Data\2044.bat"

"c:\documents and settings\MCork\Application Data\206.bat"

"c:\documents and settings\MCork\Application Data\2159.bat"

"c:\documents and settings\MCork\Application Data\2367.bat"

"c:\documents and settings\MCork\Application Data\2451.bat"

"c:\documents and settings\MCork\Application Data\2486.bat"

"c:\documents and settings\MCork\Application Data\2617.bat"

"c:\documents and settings\MCork\Application Data\2723.bat"

"c:\documents and settings\MCork\Application Data\273.bat"

"c:\documents and settings\MCork\Application Data\2751.bat"

"c:\documents and settings\MCork\Application Data\2763.bat"

"c:\documents and settings\MCork\Application Data\2859.bat"

"c:\documents and settings\MCork\Application Data\2928.bat"

"c:\documents and settings\MCork\Application Data\2970.bat"

"c:\documents and settings\MCork\Application Data\3211.bat"

"c:\documents and settings\MCork\Application Data\3227.bat"

"c:\documents and settings\MCork\Application Data\3231.bat"

"c:\documents and settings\MCork\Application Data\3276.bat"

"c:\documents and settings\MCork\Application Data\3285.bat"

"c:\documents and settings\MCork\Application Data\3493.bat"

"c:\documents and settings\MCork\Application Data\3516.bat"

"c:\documents and settings\MCork\Application Data\352.bat"

"c:\documents and settings\MCork\Application Data\3556.bat"

"c:\documents and settings\MCork\Application Data\3557.bat"

"c:\documents and settings\MCork\Application Data\362.bat"

"c:\documents and settings\MCork\Application Data\3659.bat"

"c:\documents and settings\MCork\Application Data\3721.bat"

"c:\documents and settings\MCork\Application Data\3846.bat"

"c:\documents and settings\MCork\Application Data\4095.bat"

"c:\documents and settings\MCork\Application Data\4128.bat"

"c:\documents and settings\MCork\Application Data\4186.bat"

"c:\documents and settings\MCork\Application Data\429.bat"

"c:\documents and settings\MCork\Application Data\4742.bat"

"c:\documents and settings\MCork\Application Data\4756.bat"

"c:\documents and settings\MCork\Application Data\4878.bat"

"c:\documents and settings\MCork\Application Data\4890.bat"

"c:\documents and settings\MCork\Application Data\4910.bat"

"c:\documents and settings\MCork\Application Data\4962.bat"

"c:\documents and settings\MCork\Application Data\5021.bat"

"c:\documents and settings\MCork\Application Data\5048.bat"

"c:\documents and settings\MCork\Application Data\5100.bat"

"c:\documents and settings\MCork\Application Data\5103.bat"

"c:\documents and settings\MCork\Application Data\5110.bat"

"c:\documents and settings\MCork\Application Data\5135.bat"

"c:\documents and settings\MCork\Application Data\5201.bat"

"c:\documents and settings\MCork\Application Data\5315.bat"

"c:\documents and settings\MCork\Application Data\5434.bat"

"c:\documents and settings\MCork\Application Data\5799.bat"

"c:\documents and settings\MCork\Application Data\5805.bat"

"c:\documents and settings\MCork\Application Data\5883.bat"

"c:\documents and settings\MCork\Application Data\6200.bat"

"c:\documents and settings\MCork\Application Data\6213.bat"

"c:\documents and settings\MCork\Application Data\6266.bat"

"c:\documents and settings\MCork\Application Data\6383.bat"

"c:\documents and settings\MCork\Application Data\6418.bat"

"c:\documents and settings\MCork\Application Data\6468.bat"

"c:\documents and settings\MCork\Application Data\6531.bat"

"c:\documents and settings\MCork\Application Data\6767.bat"

"c:\documents and settings\MCork\Application Data\6787.bat"

"c:\documents and settings\MCork\Application Data\7158.bat"

"c:\documents and settings\MCork\Application Data\7272.bat"

"c:\documents and settings\MCork\Application Data\7392.bat"

"c:\documents and settings\MCork\Application Data\78.bat"

"c:\documents and settings\MCork\Application Data\7893.bat"

"c:\documents and settings\MCork\Application Data\8030.bat"

"c:\documents and settings\MCork\Application Data\809.bat"

"c:\documents and settings\MCork\Application Data\817.bat"

"c:\documents and settings\MCork\Application Data\825.bat"

"c:\documents and settings\MCork\Application Data\8455.bat"

"c:\documents and settings\MCork\Application Data\8522.bat"

"c:\documents and settings\MCork\Application Data\8532.bat"

"c:\documents and settings\MCork\Application Data\8613.bat"

"c:\documents and settings\MCork\Application Data\8922.bat"

"c:\documents and settings\MCork\Application Data\9003.bat"

"c:\documents and settings\MCork\Application Data\9059.bat"

"c:\documents and settings\MCork\Application Data\9093.bat"

"c:\documents and settings\MCork\Application Data\9095.bat"

"c:\documents and settings\MCork\Application Data\9279.bat"

"c:\documents and settings\MCork\Application Data\9313.bat"

"c:\documents and settings\MCork\Application Data\9371.bat"

"c:\documents and settings\MCork\Application Data\9383.bat"

"c:\documents and settings\MCork\Application Data\9391.bat"

"c:\documents and settings\MCork\Application Data\9449.bat"

"c:\documents and settings\MCork\Application Data\9495.bat"

"c:\documents and settings\MCork\Application Data\9510.bat"

"c:\documents and settings\MCork\Application Data\9521.bat"

"c:\documents and settings\MCork\Application Data\965.bat"

"c:\documents and settings\MCork\Application Data\976.bat"

"c:\documents and settings\MCork\Application Data\9822.bat"

"c:\documents and settings\MCork\Application Data\9863.bat"

"c:\documents and settings\MCork\Application Data\9955.bat"

"c:\documents and settings\NetworkService\Application Data\1332.bat"

"c:\documents and settings\NetworkService\Application Data\1759.bat"

"c:\documents and settings\NetworkService\Application Data\2279.bat"

"c:\documents and settings\NetworkService\Application Data\2657.bat"

"c:\documents and settings\NetworkService\Application Data\3763.bat"

"c:\documents and settings\NetworkService\Application Data\3787.bat"

"c:\documents and settings\NetworkService\Application Data\4532.bat"

"c:\documents and settings\NetworkService\Application Data\7384.bat"

"c:\documents and settings\NetworkService\Application Data\7972.bat"

"c:\documents and settings\NetworkService\Application Data\8207.bat"

"c:\documents and settings\NetworkService\Application Data\8665.bat"

"c:\documents and settings\NetworkService\Application Data\9444.bat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\MCork\Application Data\1104.bat

c:\documents and settings\MCork\Application Data\1219.bat

c:\documents and settings\MCork\Application Data\1277.bat

c:\documents and settings\MCork\Application Data\134.bat

c:\documents and settings\MCork\Application Data\1385.bat

c:\documents and settings\MCork\Application Data\1421.bat

c:\documents and settings\MCork\Application Data\151.bat

c:\documents and settings\MCork\Application Data\1514.bat

c:\documents and settings\MCork\Application Data\1587.bat

c:\documents and settings\MCork\Application Data\1628.bat

c:\documents and settings\MCork\Application Data\1771.bat

c:\documents and settings\MCork\Application Data\1805.bat

c:\documents and settings\MCork\Application Data\1987.bat

c:\documents and settings\MCork\Application Data\1994.bat

c:\documents and settings\MCork\Application Data\2037.bat

c:\documents and settings\MCork\Application Data\2044.bat

c:\documents and settings\MCork\Application Data\206.bat

c:\documents and settings\MCork\Application Data\2159.bat

c:\documents and settings\MCork\Application Data\2367.bat

c:\documents and settings\MCork\Application Data\2451.bat

c:\documents and settings\MCork\Application Data\2486.bat

c:\documents and settings\MCork\Application Data\2617.bat

c:\documents and settings\MCork\Application Data\2723.bat

c:\documents and settings\MCork\Application Data\273.bat

c:\documents and settings\MCork\Application Data\2751.bat

c:\documents and settings\MCork\Application Data\2763.bat

c:\documents and settings\MCork\Application Data\2859.bat

c:\documents and settings\MCork\Application Data\2928.bat

c:\documents and settings\MCork\Application Data\2970.bat

c:\documents and settings\MCork\Application Data\3211.bat

c:\documents and settings\MCork\Application Data\3227.bat

c:\documents and settings\MCork\Application Data\3231.bat

c:\documents and settings\MCork\Application Data\3276.bat

c:\documents and settings\MCork\Application Data\3285.bat

c:\documents and settings\MCork\Application Data\3493.bat

c:\documents and settings\MCork\Application Data\3516.bat

c:\documents and settings\MCork\Application Data\352.bat

c:\documents and settings\MCork\Application Data\3556.bat

c:\documents and settings\MCork\Application Data\3557.bat

c:\documents and settings\MCork\Application Data\362.bat

c:\documents and settings\MCork\Application Data\3659.bat

c:\documents and settings\MCork\Application Data\3721.bat

c:\documents and settings\MCork\Application Data\3846.bat

c:\documents and settings\MCork\Application Data\4095.bat

c:\documents and settings\MCork\Application Data\4128.bat

c:\documents and settings\MCork\Application Data\4186.bat

c:\documents and settings\MCork\Application Data\429.bat

c:\documents and settings\MCork\Application Data\4742.bat

c:\documents and settings\MCork\Application Data\4756.bat

c:\documents and settings\MCork\Application Data\4878.bat

c:\documents and settings\MCork\Application Data\4890.bat

c:\documents and settings\MCork\Application Data\4910.bat

c:\documents and settings\MCork\Application Data\4962.bat

c:\documents and settings\MCork\Application Data\5021.bat

c:\documents and settings\MCork\Application Data\5048.bat

c:\documents and settings\MCork\Application Data\5100.bat

c:\documents and settings\MCork\Application Data\5103.bat

c:\documents and settings\MCork\Application Data\5110.bat

c:\documents and settings\MCork\Application Data\5135.bat

c:\documents and settings\MCork\Application Data\5201.bat

c:\documents and settings\MCork\Application Data\5315.bat

c:\documents and settings\MCork\Application Data\5434.bat

c:\documents and settings\MCork\Application Data\5799.bat

c:\documents and settings\MCork\Application Data\5805.bat

c:\documents and settings\MCork\Application Data\5883.bat

c:\documents and settings\MCork\Application Data\6200.bat

c:\documents and settings\MCork\Application Data\6213.bat

c:\documents and settings\MCork\Application Data\6266.bat

c:\documents and settings\MCork\Application Data\6383.bat

c:\documents and settings\MCork\Application Data\6418.bat

c:\documents and settings\MCork\Application Data\6468.bat

c:\documents and settings\MCork\Application Data\6531.bat

c:\documents and settings\MCork\Application Data\6767.bat

c:\documents and settings\MCork\Application Data\6787.bat

c:\documents and settings\MCork\Application Data\7158.bat

c:\documents and settings\MCork\Application Data\7272.bat

c:\documents and settings\MCork\Application Data\7392.bat

c:\documents and settings\MCork\Application Data\78.bat

c:\documents and settings\MCork\Application Data\7893.bat

c:\documents and settings\MCork\Application Data\8030.bat

c:\documents and settings\MCork\Application Data\809.bat

c:\documents and settings\MCork\Application Data\817.bat

c:\documents and settings\MCork\Application Data\825.bat

c:\documents and settings\MCork\Application Data\8455.bat

c:\documents and settings\MCork\Application Data\8522.bat

c:\documents and settings\MCork\Application Data\8532.bat

c:\documents and settings\MCork\Application Data\8613.bat

c:\documents and settings\MCork\Application Data\8922.bat

c:\documents and settings\MCork\Application Data\9003.bat

c:\documents and settings\MCork\Application Data\9059.bat

c:\documents and settings\MCork\Application Data\9093.bat

c:\documents and settings\MCork\Application Data\9095.bat

c:\documents and settings\MCork\Application Data\9279.bat

c:\documents and settings\MCork\Application Data\9313.bat

c:\documents and settings\MCork\Application Data\9371.bat

c:\documents and settings\MCork\Application Data\9383.bat

c:\documents and settings\MCork\Application Data\9391.bat

c:\documents and settings\MCork\Application Data\9449.bat

c:\documents and settings\MCork\Application Data\9495.bat

c:\documents and settings\MCork\Application Data\9510.bat

c:\documents and settings\MCork\Application Data\9521.bat

c:\documents and settings\MCork\Application Data\965.bat

c:\documents and settings\MCork\Application Data\976.bat

c:\documents and settings\MCork\Application Data\9822.bat

c:\documents and settings\MCork\Application Data\9863.bat

c:\documents and settings\MCork\Application Data\9955.bat

c:\documents and settings\NetworkService\Application Data\1332.bat

c:\documents and settings\NetworkService\Application Data\1759.bat

c:\documents and settings\NetworkService\Application Data\2279.bat

c:\documents and settings\NetworkService\Application Data\2657.bat

c:\documents and settings\NetworkService\Application Data\3763.bat

c:\documents and settings\NetworkService\Application Data\3787.bat

c:\documents and settings\NetworkService\Application Data\4532.bat

c:\documents and settings\NetworkService\Application Data\7384.bat

c:\documents and settings\NetworkService\Application Data\7972.bat

c:\documents and settings\NetworkService\Application Data\8207.bat

c:\documents and settings\NetworkService\Application Data\8665.bat

c:\documents and settings\NetworkService\Application Data\9444.bat

.

((((((((((((((((((((((((( Files Created from 2011-01-11 to 2011-02-11 )))))))))))))))))))))))))))))))

.

2011-02-10 06:37 . 2011-02-10 06:37 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe

2011-02-10 06:37 . 2011-02-10 06:37 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll

2011-02-09 23:48 . 2011-02-09 23:48 -------- d-----w- C:\$AVG

2011-02-09 14:05 . 2011-02-09 14:14 -------- d-----w- c:\program files\NSM_Enhanced_7_CB

2011-02-09 06:18 . 2011-02-09 06:18 -------- d-----w- c:\documents and settings\MCork\Application Data\AVG10

2011-02-09 06:17 . 2011-02-09 06:17 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2011-02-09 06:16 . 2011-02-11 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2011-02-09 04:37 . 2011-02-09 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2011-02-09 03:55 . 2011-02-09 03:55 185 ----a-w- c:\documents and settings\NetworkService\Application Data\4388.bat

2011-02-09 03:55 . 2011-02-09 03:55 165 ----a-w- c:\documents and settings\MCork\Application Data\164.bat

2011-02-09 03:55 . 2011-02-09 03:55 161 ----a-w- c:\documents and settings\MCork\Application Data\2474.bat

2011-02-09 03:55 . 2011-02-09 03:55 169 ----a-w- c:\documents and settings\MCork\Application Data\4956.bat

2011-02-09 03:47 . 2011-02-09 03:47 171 ----a-w- c:\documents and settings\MCork\Application Data\2245.bat

2011-02-09 03:47 . 2011-02-09 03:47 167 ----a-w- c:\documents and settings\MCork\Application Data\3215.bat

2011-02-09 03:47 . 2011-02-09 03:47 165 ----a-w- c:\documents and settings\MCork\Application Data\1093.bat

2011-02-09 03:41 . 2011-02-09 03:41 167 ----a-w- c:\documents and settings\MCork\Application Data\6431.bat

2011-02-09 03:41 . 2011-02-09 03:41 165 ----a-w- c:\documents and settings\MCork\Application Data\6816.bat

2011-02-08 10:00 . 2011-02-08 10:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2011-02-08 09:48 . 2011-02-08 15:25 -------- d-----w- c:\documents and settings\Administrator

2011-02-05 09:07 . 2011-02-05 09:07 -------- d-----w- c:\documents and settings\MCork\Application Data\Malwarebytes

2011-02-05 09:07 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-05 09:07 . 2011-02-05 09:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-05 09:07 . 2011-02-05 09:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-05 09:07 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-01-21 14:44 . 2011-01-21 14:44 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2006-02-28 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2006-02-28 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26 . 2006-02-28 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec

2010-12-09 15:15 . 2006-02-28 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30 . 2006-02-28 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:42 . 2006-02-28 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-11-18 18:12 . 2008-02-21 06:37 81920 ----a-w- c:\windows\system32\isign32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2005-08-16 90112]

"SiSPower"="SiSPower.dll" [2005-07-13 49152]

"SpeedTouch USB Diagnostics"="c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 861184]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-12 127036]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

"ESDUSBMon.exe"="c:\windows\system32\ESDUSBMon.exe" [2005-05-26 188416]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"PcSync"="c:\program files\Samsung\Samsung PC Studio 7\PcSync2.exe" [2006-06-27 1449984]

c:\documents and settings\MCork\Start Menu\Programs\Startup\

Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-6-29 380928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2008-4-1 1078]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

2004-05-12 07:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2003-08-04 08:28 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-09-23 18:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

2007-02-07 08:21 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-09-08 03:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2007-02-07 08:24 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]

R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [25/12/2003 11:00 AM 95485]

R3 alcan5ln;Alcatel SpeedTouch USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [21/02/2008 10:19 PM 36048]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [22/12/2009 9:13 AM 135664]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [18/03/2009 9:02 PM 16512]

S3 nmwcdsa;Samsung USB Phone Parent;c:\windows\system32\drivers\nmwcdsa.sys [4/08/2008 6:09 PM 135680]

S3 nmwcdsac;Samsung USB Generic;c:\windows\system32\drivers\nmwcdsac.sys [4/08/2008 6:09 PM 8320]

S3 nmwcdsacj;Samsung USB Port;c:\windows\system32\drivers\nmwcdsacj.sys [4/08/2008 6:09 PM 12288]

S3 nmwcdsacm;Samsung USB Modem;c:\windows\system32\drivers\nmwcdsacm.sys [4/08/2008 6:09 PM 12288]

.

Contents of the 'Scheduled Tasks' folder

2011-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 04:34]

2010-10-05 c:\windows\Tasks\expressburnSevenDays.job

- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-10-05 02:16]

2010-10-08 c:\windows\Tasks\expressburnShakeIcon.job

- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-10-05 02:16]

2011-02-11 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-12 07:43]

2011-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-22 01:13]

2011-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-22 01:13]

2011-02-11 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 14:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.au/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\MCork\Application Data\Mozilla\Firefox\Profiles\kcy1ubnp.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d52318a&v=6.011.025.001&i=23&tp=ab&iy=&ychte=au&lng=en-US&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - %profile%\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-11 23:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1008)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Samsung\Samsung PC Studio 7\PhoneBrowser.dll

c:\program files\Samsung\Samsung PC Studio 7\PCSCM.dll

c:\windows\system32\ConnAPI.DLL

c:\program files\Samsung\Samsung PC Studio 7\Lang\PhoneBrowser_eng.nlr

c:\program files\Samsung\Samsung PC Studio 7\Resource\PhoneBrowser_S60.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\EpStsSrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\CyberLink\Shared files\RichVideo.exe

c:\windows\system32\wscntfy.exe

c:\windows\SOUNDMAN.EXE

c:\progra~1\Samsung\SAMSUN~1\LAUNCH~1.EXE

c:\progra~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe

c:\documents and settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-02-11 23:07:13 - machine was rebooted

ComboFix-quarantined-files.txt 2011-02-11 15:07

ComboFix2.txt 2011-02-09 04:20

Pre-Run: 50,074,017,792 bytes free

Post-Run: 50,198,986,752 bytes free

- - End Of File - - C5DD8139F3633F2CD8FF904FA3079ED3


Copy/paste the text in the code box below into Notepad.

Here's how to do that:

Click Start > Run, type Notepad and click OK.

This will open an empty Notepad file.

Place your cursor at the beginning of the text in the box below, then click and hold the left mouse button while dragging the mouse over the text. This should highlight the text. Release the left mouse button. Now, with the cursor over the highlighted text, right-click the mouse for options and select 'Copy'. Then, over the empty Notepad window, right-click again and select 'Paste'; the text is now copied into Notepad.

KillAll::

File::
c:\documents and settings\NetworkService\Application Data\4388.bat
c:\documents and settings\MCork\Application Data\164.bat
c:\documents and settings\MCork\Application Data\2474.bat
c:\documents and settings\MCork\Application Data\4956.bat
c:\documents and settings\MCork\Application Data\2245.bat
c:\documents and settings\MCork\Application Data\3215.bat
c:\documents and settings\MCork\Application Data\1093.bat
c:\documents and settings\MCork\Application Data\6431.bat
c:\documents and settings\MCork\Application Data\6816.bat

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... and change the directory to your desktop;

3. Change the "Save as type" to "All Files";

4. Type in the file name: CFScript

5. Click Save.

Drag CFScript.txt into ComboFix.exe.

Then post the results log using copy/paste.

Also please describe how your computer behaves at the moment.


Hi, report as follows. No more BAT files in the created section this time.

ComboFix 11-02-11.01 - MCork 12/02/2011 8:48.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1419 [GMT 8:00]

Running from: c:\documents and settings\MCork\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\MCork\Desktop\cfscript.txt

FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::

"c:\documents and settings\MCork\Application Data\1093.bat"

"c:\documents and settings\MCork\Application Data\164.bat"

"c:\documents and settings\MCork\Application Data\2245.bat"

"c:\documents and settings\MCork\Application Data\2474.bat"

"c:\documents and settings\MCork\Application Data\3215.bat"

"c:\documents and settings\MCork\Application Data\4956.bat"

"c:\documents and settings\MCork\Application Data\6431.bat"

"c:\documents and settings\MCork\Application Data\6816.bat"

"c:\documents and settings\NetworkService\Application Data\4388.bat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\MCork\Application Data\1093.bat

c:\documents and settings\MCork\Application Data\164.bat

c:\documents and settings\MCork\Application Data\2245.bat

c:\documents and settings\MCork\Application Data\2474.bat

c:\documents and settings\MCork\Application Data\3215.bat

c:\documents and settings\MCork\Application Data\4956.bat

c:\documents and settings\MCork\Application Data\6431.bat

c:\documents and settings\MCork\Application Data\6816.bat

c:\documents and settings\NetworkService\Application Data\4388.bat

.

((((((((((((((((((((((((( Files Created from 2011-01-12 to 2011-02-12 )))))))))))))))))))))))))))))))

.

2011-02-10 06:37 . 2011-02-10 06:37 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe

2011-02-10 06:37 . 2011-02-10 06:37 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll

2011-02-09 23:48 . 2011-02-09 23:48 -------- d-----w- C:\$AVG

2011-02-09 14:05 . 2011-02-09 14:14 -------- d-----w- c:\program files\NSM_Enhanced_7_CB

2011-02-09 06:18 . 2011-02-09 06:18 -------- d-----w- c:\documents and settings\MCork\Application Data\AVG10

2011-02-09 06:17 . 2011-02-09 06:17 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2011-02-09 06:16 . 2011-02-11 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2011-02-09 04:37 . 2011-02-09 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2011-02-08 10:00 . 2011-02-08 10:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2011-02-08 09:48 . 2011-02-08 15:25 -------- d-----w- c:\documents and settings\Administrator

2011-02-05 09:07 . 2011-02-05 09:07 -------- d-----w- c:\documents and settings\MCork\Application Data\Malwarebytes

2011-02-05 09:07 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-05 09:07 . 2011-02-05 09:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-05 09:07 . 2011-02-05 09:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-05 09:07 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-01-21 14:44 . 2011-01-21 14:44 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2006-02-28 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2006-02-28 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26 . 2006-02-28 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec

2010-12-09 15:15 . 2006-02-28 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30 . 2006-02-28 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:42 . 2006-02-28 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-11-18 18:12 . 2008-02-21 06:37 81920 ----a-w- c:\windows\system32\isign32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2005-08-16 90112]

"SiSPower"="SiSPower.dll" [2005-07-13 49152]

"SpeedTouch USB Diagnostics"="c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 861184]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-12 127036]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

"ESDUSBMon.exe"="c:\windows\system32\ESDUSBMon.exe" [2005-05-26 188416]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"PcSync"="c:\program files\Samsung\Samsung PC Studio 7\PcSync2.exe" [2006-06-27 1449984]

c:\documents and settings\MCork\Start Menu\Programs\Startup\

Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-6-29 380928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2008-4-1 1078]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-17 06:24 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

2004-05-12 07:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2003-08-04 08:28 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-09-23 18:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

2007-02-07 08:21 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-09-08 03:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2007-02-07 08:24 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]

R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [25/12/2003 11:00 AM 95485]

R3 alcan5ln;Alcatel SpeedTouch USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [21/02/2008 10:19 PM 36048]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [22/12/2009 9:13 AM 135664]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [18/03/2009 9:02 PM 16512]

S3 nmwcdsa;Samsung USB Phone Parent;c:\windows\system32\drivers\nmwcdsa.sys [4/08/2008 6:09 PM 135680]

S3 nmwcdsac;Samsung USB Generic;c:\windows\system32\drivers\nmwcdsac.sys [4/08/2008 6:09 PM 8320]

S3 nmwcdsacj;Samsung USB Port;c:\windows\system32\drivers\nmwcdsacj.sys [4/08/2008 6:09 PM 12288]

S3 nmwcdsacm;Samsung USB Modem;c:\windows\system32\drivers\nmwcdsacm.sys [4/08/2008 6:09 PM 12288]

.

Contents of the 'Scheduled Tasks' folder

2011-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 04:34]

2010-10-05 c:\windows\Tasks\expressburnSevenDays.job

- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-10-05 02:16]

2010-10-08 c:\windows\Tasks\expressburnShakeIcon.job

- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-10-05 02:16]

2011-02-12 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-12 07:43]

2011-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-22 01:13]

2011-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-22 01:13]

2011-02-12 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 14:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.au/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

FF - ProfilePath - c:\documents and settings\MCork\Application Data\Mozilla\Firefox\Profiles\kcy1ubnp.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d52318a&v=6.011.025.001&i=23&tp=ab&iy=&ychte=au&lng=en-US&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - %profile%\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-12 08:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3696)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Samsung\Samsung PC Studio 7\PhoneBrowser.dll

c:\program files\Samsung\Samsung PC Studio 7\PCSCM.dll

c:\windows\system32\ConnAPI.DLL

c:\program files\Samsung\Samsung PC Studio 7\Lang\PhoneBrowser_eng.nlr

c:\program files\Samsung\Samsung PC Studio 7\Resource\PhoneBrowser_S60.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\EpStsSrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\CyberLink\Shared files\RichVideo.exe

c:\windows\system32\wscntfy.exe

c:\windows\SOUNDMAN.EXE

c:\progra~1\Samsung\SAMSUN~1\LAUNCH~1.EXE

c:\progra~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe

c:\documents and settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-02-12 09:00:40 - machine was rebooted

ComboFix-quarantined-files.txt 2011-02-12 01:00

ComboFix2.txt 2011-02-11 15:07

ComboFix3.txt 2011-02-09 04:20

Pre-Run: 49,268,281,344 bytes free

Post-Run: 49,242,845,184 bytes free

- - End Of File - - 887A91C031955D373635E8B06C99153B

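As an added example (not code from this thread, from Malwarebytes or from ComboFix's authors): a small Python parser for the "Files Created" section of a ComboFix log like the ones above. It flags the numeric-named .bat files under a profile's Application Data folder, the pattern the CFScript above deleted, and renders them into a File:: section of the same shape. The sample log lines are constructed, modelled on this thread's log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of ComboFix's "Files Created" section has the shape
#   <created> . <modified> <size or --------> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Numeric-named .bat files under a profile's Application Data folder,
# the pattern of the droppers listed in the CFScript (164.bat, 4388.bat, ...).
SUSPECT_RE = re.compile(r"\\application data\\\d+\.bat$", re.IGNORECASE)

# Constructed sample, modelled on the thread's log; not the real file listing.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-01-12 to 2011-02-12 )))))))))))))))))))))))))))))))
.
2011-02-09 06:18 . 2011-02-09 06:18 -------- d-----w- c:\documents and settings\MCork\Application Data\AVG10
2011-02-08 10:02 . 2011-02-08 10:02 1412 ----a-w- c:\documents and settings\MCork\Application Data\2474.bat
2011-02-08 10:01 . 2011-02-08 10:01 1412 ----a-w- c:\documents and settings\NetworkService\Application Data\4388.bat
2011-02-05 09:07 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (ComboFix prints --------)
    attrs: str
    path: str
    is_dir: bool


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; return None for section markers and other text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return Entry(
        created=m.group("created"),
        modified=m.group("modified"),
        size=None if size.startswith("-") else int(size),
        attrs=m.group("attrs"),
        path=m.group("path"),
        is_dir=m.group("attrs").startswith("d"),
    )


def parse_files_created(log_text: str) -> List[Entry]:
    """Collect the entries between the 'Files Created' header and the next section."""
    entries: List[Entry] = []
    in_section = False
    for line in log_text.splitlines():
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):   # next section header
            break
        if in_section:
            entry = parse_entry(line)
            if entry:
                entries.append(entry)
    return entries


def suspicious_paths(entries: List[Entry]) -> List[str]:
    """Files matching the numeric-.bat-in-Application-Data pattern."""
    return [e.path for e in entries if not e.is_dir and SUSPECT_RE.search(e.path)]


def build_cfscript(paths: List[str]) -> str:
    """Render the paths as a CFScript File:: section, in the form used in the thread."""
    return "KillAll::\n\nFile::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    flagged = suspicious_paths(parse_files_created(SAMPLE_LOG))
    print(build_cfscript(flagged))
```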

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :)

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • WOT, Web of Trust - As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites: Green to go, Yellow for caution, Red to stop. WOT has an add-on available for both Firefox and IE.

  • JAVA - Click this link and click on the Free JAVA Download

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:


Great, thank you so much. I never used Defogger but do have OTL, Goored fix, TDSSkiller and App remover left on my system from this process. Should they be removed also? I have no money to donate currently; I am though a chef and would happily help you with any cooking / recipe issues you need help with. Not sure of the forum process for that. If I can help or give something from my professional knowledge base to you, please let me know.

Kind Regards


Don't worry about a donation

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

You can delete whatever OTL doesn't.
