
Firstly, I would like to say hi to all,

and the forum is great.

Hoping someone is able to help.

I made the classic mistake of lending my laptop to my son, and now it's infected.

Running XP.

Did have ESET on it (not up to date); was finally able to uninstall this now

and installed Avast now, BUT cannot update it or run it fully (being blocked).

Malwarebytes installed; was able to run it, but now it won't run at all (being blocked).

Also tried the above in safe mode and normal mode.

Got MBAM running once, so have included the last log.

I have my laptop partitioned with a standalone XP running on both.

Do I need to apply any fixes to both drives or just one??

Thank you for looking at this topic, and hoping someone can help.

PS. I will be away for 8 days, so if I don't reply that is why, not me being rude... :rolleyes:

Attachments: ark.zip, Attach.zip, DDS.txt, mbam-log-2011-05-11 (02-50-29).txt


Hi julez and welcome to Malwarebytes!

When you come back, please do the following. By the way, we'll keep your topic open for the next 10 days... :)

Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double-click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

[screenshot: aswMBR_Scan-1.jpg]

Note: Do not take action against any **Rootkit** entries until I have reviewed the log.

  • Once the scan finishes, click Save log to save the log to your Desktop
    [screenshot: aswMBR_SaveLog.png]
  • Copy and paste the contents of aswMBR.txt back here for review


Hi Kenny,

Thanks for helping, and for leaving this open :D

I have included the log as asked.

I have only run this through C:\ and not on my other partition.

(Don't know if it's necessary.)

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software

Run date: 2011-05-21 21:42:53

-----------------------------

21:42:53.609 OS Version: Windows 5.1.2600 Service Pack 3

21:42:53.609 Number of processors: 2 586 0xE0C

21:42:53.609 ComputerName: DIAGNOSTIC UserName: Mobile

21:42:54.171 Initialize success

21:43:06.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

21:43:06.484 Disk 0 Vendor: FUJITSU_MHW2120BH 00000012 Size: 114473MB BusType: 3

21:43:06.484 Device \Driver\atapi -> DriverStartIo 86e9957b

21:43:08.500 Disk 0 MBR read successfully

21:43:08.500 Disk 0 MBR scan

21:43:08.500 Disk 0 TDL4@MBR code has been found

21:43:08.500 Disk 0 Windows XP default MBR code found via API

21:43:08.500 Disk 0 MBR hidden

21:43:08.500 Disk 0 MBR [TDL4] **ROOTKIT**

21:43:08.500 Disk 0 trace - called modules:

21:43:08.500 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86e99730]<<

21:43:08.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f4aab8]

21:43:08.515 3 CLASSPNP.SYS[f7684fd7] -> nt!IofCallDriver -> \Device\00000085[0x86f00968]

21:43:08.515 5 ACPI.sys[f75db620] -> nt!IofCallDriver -> [0x86eff940]

21:43:08.515 \Driver\atapi[0x86eda848] -> IRP_MJ_CREATE -> 0x86e99730

21:43:08.515 Scan finished successfully

21:47:48.359 Disk 0 MBR has been saved successfully to "E:\MBR.dat"

21:47:48.453 The log file has been saved successfully to "E:\aswMBR.txt"

Thank you, Kenny

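The three lines `TDL4@MBR code has been found`, `Windows XP default MBR code found via API` and `MBR hidden` in the log above are the whole point of the scan. Sector 0 read through the normal I/O path still shows stock XP boot code, while a read that bypasses the rootkit's disk filter shows the replaced loader; the disagreement between the two views is what the tool reports as a hidden MBR. The `scanning sectors +234436545` line in the follow-up log is the scanner walking the unpartitioned space after the last partition, which is where TDL4 keeps its hidden file system. The script below is an added example, not part of the thread and not aswMBR's code: it parses a 512-byte MBR (the `MBR.dat` the tool saved has this layout), diffs an API-visible copy against a raw copy, and computes the slack after the last partition. The disk size is taken from the log; the partition layout, the stock boot-code stub and the stand-in "rootkit" boot code are constructed for the example, and the stand-in is not TDL4's loader.

```python
import struct

SECTOR = 512
# Disk size as reported in the aswMBR log (114473 MB); 1 MB = 1024*1024 bytes.
DISK_SECTORS = 114473 * 1024 * 1024 // SECTOR      # 234_440_704 sectors

# Partition entry: status, CHS start (3), type, CHS end (3), LBA start, sector count.
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its boot code and the in-use partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    (sig,) = struct.unpack_from("<H", sector, 510)
    if sig != 0xAA55:
        raise ValueError(f"bad boot signature 0x{sig:04x}")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype:                                    # type 0 = unused slot
            parts.append({"status": status, "type": ptype,
                          "start": lba, "end": lba + count})
    return {"boot_code": sector[:446], "partitions": parts}


def compare_views(api_view: bytes, raw_view: bytes) -> list:
    """Cross-view check: the same sector read through the normal I/O path and
    through a path the rootkit's filter does not see. Any difference means
    something is lying about what is really on disk."""
    findings = []
    if api_view[:446] != raw_view[:446]:
        findings.append("boot code differs between API and raw read: MBR hidden")
    if api_view[446:510] != raw_view[446:510]:
        findings.append("partition table differs between API and raw read")
    return findings


def unpartitioned_tail(parsed: dict, disk_sectors: int) -> int:
    """Sectors after the last partition: slack a bootkit can use for a hidden file system."""
    last_end = max((p["end"] for p in parsed["partitions"]), default=0)
    return disk_sectors - last_end


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a test MBR (used here only to construct sample input)."""
    buf = bytearray(SECTOR)
    code = boot_code[:446]
    buf[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, buf, 446 + 16 * i, status, ptype, lba, count)
    struct.pack_into("<H", buf, 510, 0xAA55)
    return bytes(buf)


# --- constructed sample data (not bytes from the poster's disk) ---
# Opens like the stock MBR prologue (xor ax,ax / mov ss,ax / mov sp,7C00h), rest padded.
STOCK_BOOT = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (446 - 7)
# Placeholder for a replaced loader; this is NOT the real TDL4 code.
FAKE_ROOTKIT_BOOT = b"\xfa\x33\xc0" + b"\xcc" * (446 - 3)
# One active NTFS partition from LBA 63 up to the sector aswMBR started
# scanning from after the fix (+234436545); assumed layout, not read from the log.
PARTITIONS = [(0x80, 0x07, 63, 234_436_545 - 63)]


def demo():
    api_view = build_mbr(STOCK_BOOT, PARTITIONS)         # what a normal read of sector 0 returns
    raw_view = build_mbr(FAKE_ROOTKIT_BOOT, PARTITIONS)  # what is really in sector 0
    findings = compare_views(api_view, raw_view)
    tail = unpartitioned_tail(parse_mbr(raw_view), DISK_SECTORS)
    return findings, tail


if __name__ == "__main__":
    findings, tail = demo()
    for f in findings:
        print("!", f)
    print(f"unpartitioned tail: {tail} sectors ({tail * SECTOR // 1024} KiB)")
```

Getting the two views on a live machine is the part a user-mode script cannot do by itself: the "raw" read has to come from below the filter the rootkit installed (aswMBR does this with its own driver) or from a boot CD with the infected OS not running. With the numbers above, the tail works out to 4159 sectors, about 2 MB, which is the region the second scan covered.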

No problem, Jule... :) Just the C: drive is fine at this point.

Re-run aswMBR

Click Scan

On completion of the scan

Click the Fix for TDL4

[screenshot: aswMBR3.png]

Save the log as before and post it in your next reply.

Once you are done with that, please do the following:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your Desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

In your next reply, please include these log(s):

1. aswMBR log

2. TDSSKiller log


Hi Kenny,

Thanks for the quick reply,

and a BIG thanks for making your instructions so easy to follow.

Firstly, I re-ran the aswMBR scan.

Then hit the "Fix" button. (I didn't note all actions as this would be included in the log.)

But it did say removal successful.

Then when it started to "verify", the machine locked and I had to restart the machine.

When I restarted the machine I put it into Safe Mode, but aswMBR.exe was missing?!

So, still in safe mode, I re-installed aswMBR.exe, and have included this log.

I then ran TDSSKiller (also in safe mode).

Just for info, the machine is booting fast again.

aswMBR log

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software

Run date: 2011-05-22 00:14:02

-----------------------------

00:14:02.078 OS Version: Windows 5.1.2600 Service Pack 3

00:14:02.078 Number of processors: 2 586 0xE0C

00:14:02.078 ComputerName: DIAGNOSTIC UserName:

00:14:02.437 Initialize success

00:14:09.890 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

00:14:09.921 Disk 0 Vendor: FUJITSU_MHW2120BH 00000012 Size: 114473MB BusType: 3

00:14:11.937 Disk 0 MBR read successfully

00:14:11.953 Disk 0 MBR scan

00:14:11.984 Disk 0 Windows XP default MBR code

00:14:14.000 Disk 0 scanning sectors +234436545

00:14:14.093 Disk 0 scanning C:\WINDOWS\system32\drivers

00:14:18.187 Service scanning

00:14:21.500 Disk 0 trace - called modules:

00:14:21.546 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

00:14:21.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f14ab8]

00:14:21.593 3 CLASSPNP.SYS[f7684fd7] -> nt!IofCallDriver -> \Device\00000084[0x86f153b8]

00:14:21.625 5 ACPI.sys[f75db620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f62940]

00:14:21.656 Scan finished successfully

00:14:42.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"

00:14:42.187 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR_2.txt"

TDSSKiller log

2011/05/22 00:21:29.0734 1496 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29

2011/05/22 00:21:29.0765 1496 ================================================================================

2011/05/22 00:21:29.0765 1496 SystemInfo:

2011/05/22 00:21:29.0765 1496

2011/05/22 00:21:29.0765 1496 OS Version: 5.1.2600 ServicePack: 3.0

2011/05/22 00:21:29.0765 1496 Product type: Workstation

2011/05/22 00:21:29.0765 1496 ComputerName: DIAGNOSTIC

2011/05/22 00:21:29.0765 1496 UserName: Administrator

2011/05/22 00:21:29.0765 1496 Windows directory: C:\WINDOWS

2011/05/22 00:21:29.0765 1496 System windows directory: C:\WINDOWS

2011/05/22 00:21:29.0765 1496 Processor architecture: Intel x86

2011/05/22 00:21:29.0765 1496 Number of processors: 2

2011/05/22 00:21:29.0765 1496 Page size: 0x1000

2011/05/22 00:21:29.0765 1496 Boot type: Safe boot with network

2011/05/22 00:21:29.0765 1496 ================================================================================

2011/05/22 00:21:30.0046 1496 Initialize success

2011/05/22 00:21:46.0843 1160 ================================================================================

2011/05/22 00:21:46.0843 1160 Scan started

2011/05/22 00:21:46.0843 1160 Mode: Manual;

2011/05/22 00:21:46.0843 1160 ================================================================================

2011/05/22 00:21:47.0875 1160 Aavmker4 (3f6884eff406238d39aaa892218f1df7) C:\WINDOWS\system32\drivers\Aavmker4.sys

2011/05/22 00:21:48.0046 1160 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/05/22 00:21:48.0109 1160 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2011/05/22 00:21:48.0234 1160 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/05/22 00:21:48.0281 1160 AFD (38d7b715504da4741df35e3594fe2099) C:\WINDOWS\System32\drivers\afd.sys

2011/05/22 00:21:48.0625 1160 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/05/22 00:21:48.0906 1160 aswFsBlk (7f08d9c504b015d81a8abd75c80028c5) C:\WINDOWS\system32\drivers\aswFsBlk.sys

2011/05/22 00:21:48.0968 1160 aswMon2 (c2181ef6b54752273a0759a968c59279) C:\WINDOWS\system32\drivers\aswMon2.sys

2011/05/22 00:21:49.0031 1160 aswRdr (ac48bdd4cd5d44af33087c06d6e9511c) C:\WINDOWS\system32\drivers\aswRdr.sys

2011/05/22 00:21:49.0156 1160 aswSnx (b64134316fcd1f20e0f10ef3e65bd522) C:\WINDOWS\system32\drivers\aswSnx.sys

2011/05/22 00:21:49.0234 1160 aswSP (d6788e3211afa9951ed7a4d617f68a4f) C:\WINDOWS\system32\drivers\aswSP.sys

2011/05/22 00:21:49.0281 1160 aswTdi (4d100c45517809439c7b6dd98997fa00) C:\WINDOWS\system32\drivers\aswTdi.sys

2011/05/22 00:21:49.0343 1160 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/05/22 00:21:49.0406 1160 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/05/22 00:21:49.0515 1160 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/05/22 00:21:49.0578 1160 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/05/22 00:21:49.0703 1160 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/05/22 00:21:50.0046 1160 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/05/22 00:21:50.0125 1160 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/05/22 00:21:50.0281 1160 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/05/22 00:21:50.0359 1160 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/05/22 00:21:50.0406 1160 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/05/22 00:21:50.0593 1160 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/05/22 00:21:50.0671 1160 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/05/22 00:21:50.0890 1160 CYUSB (ec0cc1aa9abfe9a32daa66832cb06271) C:\WINDOWS\system32\Drivers\UPAUSB.sys

2011/05/22 00:21:51.0078 1160 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/05/22 00:21:51.0203 1160 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/05/22 00:21:51.0265 1160 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/05/22 00:21:51.0312 1160 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/05/22 00:21:51.0390 1160 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/05/22 00:21:51.0593 1160 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/05/22 00:21:51.0718 1160 Epfwndis (52310e0e603d7da79ecca7d764937a91) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys

2011/05/22 00:21:51.0781 1160 epmntdrv (f07ba56b0235f15eff8f10dc6389c42e) C:\WINDOWS\system32\epmntdrv.sys

2011/05/22 00:21:51.0843 1160 ethbsnyy (6ffdf384a4bdf080ef7983d312aef24b) C:\WINDOWS\system32\drivers\ethbsnyy.sys

2011/05/22 00:21:51.0937 1160 EuGdiDrv (1f2f4ab15ce03ecc257feb2f6dc5a013) C:\WINDOWS\system32\EuGdiDrv.sys

2011/05/22 00:21:52.0078 1160 evserial (0f7462479e41ef7ff9cf3fc428b17a22) C:\WINDOWS\system32\DRIVERS\evserial.sys

2011/05/22 00:21:52.0171 1160 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/05/22 00:21:52.0250 1160 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/05/22 00:21:52.0296 1160 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/05/22 00:21:52.0343 1160 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/05/22 00:21:52.0406 1160 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2011/05/22 00:21:52.0468 1160 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/05/22 00:21:52.0531 1160 FTD2XX (07a83a2e070357075c2056810c67c9e4) C:\WINDOWS\system32\Drivers\FTD2XX.sys

2011/05/22 00:21:52.0625 1160 FTDIBUS (b7aa8283ec551d3a3b924e520e0621a7) C:\WINDOWS\system32\drivers\ftdibus.sys

2011/05/22 00:21:52.0656 1160 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/05/22 00:21:52.0718 1160 FTSER2K (596d31583ce332b5514520d74837f434) C:\WINDOWS\system32\drivers\ftser2k.sys

2011/05/22 00:21:52.0875 1160 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/05/22 00:21:53.0000 1160 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/05/22 00:21:53.0093 1160 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/05/22 00:21:53.0250 1160 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/05/22 00:21:53.0406 1160 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/05/22 00:21:53.0484 1160 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/05/22 00:21:53.0796 1160 IntcAzAudAddService (8f924588c272fdaa28cf31a9bbc21a72) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2011/05/22 00:21:54.0125 1160 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/05/22 00:21:54.0187 1160 io.sys (5e333b8c20fb4a48c8ca3cf3489cd235) C:\WINDOWS\system32\drivers\io.sys

2011/05/22 00:21:54.0234 1160 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2011/05/22 00:21:54.0296 1160 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/05/22 00:21:54.0343 1160 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/05/22 00:21:54.0421 1160 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/05/22 00:21:54.0468 1160 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/05/22 00:21:54.0531 1160 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/05/22 00:21:54.0593 1160 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/05/22 00:21:54.0656 1160 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/05/22 00:21:54.0734 1160 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/05/22 00:21:54.0890 1160 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/05/22 00:21:55.0156 1160 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/05/22 00:21:55.0265 1160 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/05/22 00:21:55.0343 1160 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/05/22 00:21:55.0406 1160 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/05/22 00:21:55.0468 1160 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/05/22 00:21:55.0750 1160 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS

2011/05/22 00:21:55.0906 1160 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS

2011/05/22 00:21:55.0968 1160 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/05/22 00:21:56.0093 1160 MRxSmb (fb7dfd15d760ad339837a470f0e780d3) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/05/22 00:21:56.0171 1160 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/05/22 00:21:56.0250 1160 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/05/22 00:21:56.0296 1160 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/05/22 00:21:56.0343 1160 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/05/22 00:21:56.0421 1160 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/05/22 00:21:56.0468 1160 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/05/22 00:21:56.0562 1160 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/05/22 00:21:56.0625 1160 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/05/22 00:21:56.0703 1160 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/05/22 00:21:56.0765 1160 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/05/22 00:21:56.0812 1160 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/05/22 00:21:56.0843 1160 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/05/22 00:21:56.0906 1160 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/05/22 00:21:56.0968 1160 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/05/22 00:21:57.0015 1160 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/05/22 00:21:57.0109 1160 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/05/22 00:21:57.0406 1160 NETw5x32 (ccdb8db66acd3c0a6c8e171b79f60ac4) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys

2011/05/22 00:21:57.0656 1160 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/05/22 00:21:57.0750 1160 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/05/22 00:21:57.0812 1160 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/05/22 00:21:57.0937 1160 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/05/22 00:21:58.0375 1160 nv (30913cbf518396912e54c2c9f1dd0f09) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2011/05/22 00:21:58.0765 1160 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/05/22 00:21:58.0812 1160 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/05/22 00:21:58.0859 1160 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/05/22 00:21:58.0984 1160 oreans32 (b99575d16f887883b821d372ff292c20) C:\WINDOWS\system32\drivers\oreans32.sys

2011/05/22 00:21:59.0078 1160 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

2011/05/22 00:21:59.0109 1160 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/05/22 00:21:59.0187 1160 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/05/22 00:21:59.0234 1160 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/05/22 00:21:59.0328 1160 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/05/22 00:21:59.0390 1160 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2011/05/22 00:21:59.0890 1160 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/05/22 00:21:59.0937 1160 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/05/22 00:22:00.0000 1160 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/05/22 00:22:00.0296 1160 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/05/22 00:22:00.0359 1160 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/05/22 00:22:00.0421 1160 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/05/22 00:22:00.0484 1160 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/05/22 00:22:00.0546 1160 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/05/22 00:22:00.0593 1160 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/05/22 00:22:00.0656 1160 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/05/22 00:22:00.0765 1160 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/05/22 00:22:00.0875 1160 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/05/22 00:22:01.0046 1160 RTLE8023xp (bb0ae2171f08129f4f3ff9df20ffbf89) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys

2011/05/22 00:22:01.0140 1160 SCDEmu (23aa53256ce05b975398b78a33474265) C:\WINDOWS\system32\drivers\SCDEmu.sys

2011/05/22 00:22:01.0250 1160 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2011/05/22 00:22:01.0296 1160 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/05/22 00:22:01.0406 1160 Sentinel (da17773297995d1135dfd1aceef07d58) C:\WINDOWS\System32\Drivers\SENTINEL.SYS

2011/05/22 00:22:01.0453 1160 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/05/22 00:22:01.0515 1160 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2011/05/22 00:22:01.0609 1160 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/05/22 00:22:01.0843 1160 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/05/22 00:22:01.0906 1160 Sntnlusb (cff0eb1647b02e074be154dc03e02928) C:\WINDOWS\System32\Drivers\SNTNLUSB.SYS

2011/05/22 00:22:02.0046 1160 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/05/22 00:22:02.0125 1160 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/05/22 00:22:02.0218 1160 Srv (9b390283569ea58d43d2586032b892f5) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/05/22 00:22:02.0296 1160 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/05/22 00:22:02.0375 1160 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/05/22 00:22:02.0421 1160 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/05/22 00:22:02.0765 1160 SynTP (b02703203ff94cf4c785e1d8d6ee2596) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2011/05/22 00:22:02.0875 1160 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/05/22 00:22:03.0000 1160 Tcpip (ad978a1b783b5719720cff204b666c8e) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/05/22 00:22:03.0078 1160 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/05/22 00:22:03.0156 1160 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/05/22 00:22:03.0250 1160 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/05/22 00:22:03.0375 1160 tifm21 (e4c85c291ddb3dc5e4a2f227ca465ba6) C:\WINDOWS\system32\drivers\tifm21.sys

2011/05/22 00:22:03.0593 1160 TPwSav (9ffffb4c5b06c7b75e8159f1106006ac) C:\WINDOWS\system32\drivers\TPwSav.sys

2011/05/22 00:22:03.0718 1160 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/05/22 00:22:03.0828 1160 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/05/22 00:22:03.0921 1160 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/05/22 00:22:03.0984 1160 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/05/22 00:22:04.0046 1160 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/05/22 00:22:04.0093 1160 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/05/22 00:22:04.0171 1160 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/05/22 00:22:04.0281 1160 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/05/22 00:22:04.0343 1160 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

2011/05/22 00:22:04.0531 1160 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/05/22 00:22:04.0656 1160 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/05/22 00:22:04.0703 1160 VSBC (8e9c7b68faec9e42f98be12d2e5fbf5e) C:\WINDOWS\system32\DRIVERS\evsbc.sys

2011/05/22 00:22:04.0796 1160 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/05/22 00:22:05.0000 1160 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/05/22 00:22:05.0281 1160 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/05/22 00:22:06.0828 1160 ================================================================================

2011/05/22 00:22:06.0828 1160 Scan finished

2011/05/22 00:22:06.0828 1160 ================================================================================

And again, thank you....... :blush:

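A TDSSKiller report like the one above is a list of loaded drivers, each with an MD5 and a path, and on its own it is hard to read. The useful move for a helper is to diff it against a baseline: the same scan from a machine you trust, or from this machine before the incident. The script below is an added example, not part of the thread and not Kaspersky's code: it parses lines in the format shown above, compares each driver's hash against a baseline dictionary, and also surfaces drivers that live outside the usual Windows XP driver directories. The baseline hashes are copied from the log above purely as stand-ins for a trusted baseline, and the sample log, including the all-zero Ntfs hash, is constructed. One caveat a practitioner should keep in mind: a hash is only as trustworthy as the read path that produced it. A kernel rootkit that filters disk I/O can hand a scanner the original bytes of a patched file, which is exactly why the MBR check earlier in this thread compared two read paths instead of trusting one.

```python
import re

# One TDSSKiller driver line looks like:
# 2011/05/22 00:21:49.0406 1160 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<service>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$",
    re.IGNORECASE,
)

# Directories where Windows XP boot/system drivers normally live (lower-cased for matching).
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")


def parse_tdsskiller(text: str) -> dict:
    """Map service name -> (md5, path) for every driver line in a TDSSKiller log.
    Header, separator and 'Scan finished' lines do not match and are skipped."""
    drivers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            drivers[m["service"]] = (m["md5"].lower(), m["path"])
    return drivers


def review(drivers: dict, baseline: dict) -> list:
    """Return (service, reason) pairs worth a closer look.

    baseline: service -> md5 from a scan you trust. Anything new, changed, or
    living outside the usual driver directories is surfaced for review; this is
    a triage list, not a verdict (third-party drivers legitimately live elsewhere)."""
    findings = []
    for svc, (md5, path) in sorted(drivers.items()):
        if not path.lower().startswith(EXPECTED_DIRS):   # startswith accepts a tuple
            findings.append((svc, f"unusual location: {path}"))
        if svc not in baseline:
            findings.append((svc, "not present in baseline"))
        elif baseline[svc] != md5:
            findings.append((svc, f"hash changed: {baseline[svc]} -> {md5}"))
    return findings


# --- constructed sample data ---
# Stand-in baseline: values copied from the log in this thread, used only to
# illustrate the comparison (a real baseline comes from a machine you trust).
BASELINE = {
    "atapi": "9f3a2f5aa6875c72bf062c712cfa2674",
    "Disk": "044452051f3e02e7963599fc8f4f3e25",
    "Ntfs": "78a08dd6a8d65e697c18e1db01c5cdca",
}

# Constructed "current" scan: two unchanged drivers, one third-party driver outside
# system32, and an Ntfs entry whose hash was altered (all zeros) for the example.
SAMPLE_LOG = r"""
2011/05/22 00:21:49.0406 1160 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/22 00:21:51.0078 1160 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/22 00:21:55.0750 1160 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2011/05/22 00:21:57.0812 1160 Ntfs (00000000000000000000000000000000) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/22 00:22:06.0828 1160 ================================================================================
2011/05/22 00:22:06.0828 1160 Scan finished
"""


def demo() -> list:
    return review(parse_tdsskiller(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    for svc, reason in demo():
        print(f"{svc:12} {reason}")
```

With the sample above the script reports MREMP50 twice (outside the expected directories, and absent from the baseline) and Ntfs once (hash changed); atapi and Disk produce nothing. Feed it the real report by reading the log file the tool writes to C:\ and a baseline saved from a clean scan.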

We still have some work to do with your PC.

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    [screenshot: cfRC_screen_1.png]
    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    [screenshot: cfRC_screen_2.png]
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Hi Kenny,

Thanks again for the help...

BUT I had an "Epic FAIL" moment whilst carrying out the last instructions.. :o :o

ComboFix ran as you described above.

BUT BUT BUT, when I went to shrink the log window, I hit the "red x" and I lost the log. :blink:

I have not run ComboFix again, and will leave the laptop "as is" until you have a chance to read this.

Really hoping I haven't made the situation bad now.

Cheers Kenny,

Julez


Thanks Kenny.

I knew you would have an answer.... :rolleyes:

Thank you...

ComboFix 11-05-21.03 - Mobile 22/05/2011 13:54:06.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.490 [GMT 1:00]

Running from: c:\documents and settings\Mobile\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\bmwscan140\BMWScan140.exe

c:\documents and settings\All Users\Application Data\xp

c:\documents and settings\Mobile\Application Data\Adobe\plugs

c:\documents and settings\Mobile\Application Data\Adobe\shed

c:\documents and settings\Mobile\Local Settings\Temporary Internet Files\mcc11.tmp

c:\documents and settings\Mobile\Local Settings\Temporary Internet Files\mcc126.tmp

c:\documents and settings\Mobile\Local Settings\Temporary Internet Files\mcc9.tmp

c:\documents and settings\Mobile\Local Settings\Temporary Internet Files\mccAC2.tmp

c:\documents and settings\Mobile\Local Settings\Temporary Internet Files\mccB3A.tmp

c:\documents and settings\Mobile\WINDOWS

c:\documents and settings\NetworkService\Local Settings\Application Data\refalag.dll

c:\program files\Microsoft ActiveSync\wcescomm.exe

c:\windows\system32\_000005_.tmp.dll

c:\windows\system32\ReadMe.txt

G:\autorun.inf

G:\Update.exe

.

c:\windows\system32\drivers\ntfs.sys . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))

.

.

2011-05-10 22:14 . 2011-05-10 22:37 -------- d-----w- C:\SDFix

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\system32\xircom

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\system32\wbem\snmp

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\srchasst

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\program files\microsoft frontpage

2011-05-10 21:43 . 2011-05-10 21:43 578560 ----a-w- c:\windows\system32\dllcache\user32.dll

2011-05-10 21:31 . 2011-05-10 21:32 -------- d-----w- c:\windows\ERUNT

2011-05-10 17:51 . 2011-05-11 00:28 -------- d-----w- c:\documents and settings\Administrator

2011-05-10 11:28 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-05-10 11:28 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-05-10 11:28 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-05-10 11:28 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-05-10 11:28 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-05-10 11:28 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-05-10 11:28 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-05-10 11:28 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-05-10 11:28 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr

2011-05-10 11:28 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-05-10 11:27 . 2011-05-10 11:27 -------- d-----w- c:\program files\AVAST Software

2011-05-10 11:27 . 2011-05-10 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-05-09 19:55 . 2011-05-09 19:55 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Malwarebytes

2011-05-04 21:00 . 2011-05-04 21:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2011-05-04 20:31 . 2011-05-04 20:31 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2011-05-03 18:38 . 2011-05-03 18:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-05-03 16:16 . 2011-05-03 16:16 134144 ----a-w- c:\windows\system32\drivers\ethbsnyy.sys

2011-05-03 15:40 . 2011-05-03 15:40 148992 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\audiodebugmsg.exe

2011-05-03 13:12 . 2011-05-03 13:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-05-03 11:19 . 2011-05-04 13:46 0 ----a-w- c:\windows\Ayojutilesolasiw.bin

2011-05-03 11:19 . 2011-05-03 11:19 -------- d-----w- c:\documents and settings\Mobile\Local Settings\Application Data\{2EFA6553-B308-4E43-AD7A-028C3F5E564A}

2011-05-02 22:03 . 2011-05-03 12:48 -------- d-----w- c:\documents and settings\Mobile\Application Data\2949CC0FA79A180594C05B9863D99BE0

2011-05-01 20:50 . 2008-12-13 15:56 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2011-05-01 20:50 . 2008-12-13 15:55 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-05-01 20:50 . 2008-12-13 15:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-04-27 22:05 . 2011-04-27 22:05 -------- d-----w- c:\program files\GM

2011-04-27 22:01 . 2011-04-27 22:07 -------- d-----w- c:\documents and settings\Mobile\sps

2011-04-27 22:00 . 2011-04-27 22:00 -------- d-----w- c:\documents and settings\Mobile\sas

2011-04-27 21:59 . 2011-04-27 21:59 -------- d-----w- c:\documents and settings\Mobile\snapshot

2011-04-27 21:00 . 2011-04-27 21:00 -------- d-----w- c:\documents and settings\Mobile\tech2view

2011-04-27 20:54 . 2011-04-27 20:54 -------- d-----w- c:\documents and settings\Mobile\diag

2011-04-27 20:40 . 2011-04-27 20:40 -------- d-----w- C:\PCMCIA_COPY

2011-04-27 20:40 . 2009-06-08 14:27 48832 ----a-w- c:\windows\system32\drivers\evserial.sys

2011-04-27 20:39 . 2011-04-27 20:39 -------- d-----w- c:\program files\General Motors

2011-04-27 20:38 . 2011-04-27 20:53 -------- d-----w- c:\documents and settings\Mobile\swdl

2011-04-27 20:35 . 2011-04-27 21:58 -------- d-----w- c:\documents and settings\Mobile\.rts

2011-04-27 20:31 . 2011-04-27 20:31 -------- d-----w- c:\documents and settings\All Users\.dls

2011-04-27 20:31 . 2011-04-27 20:33 -------- d-----w- c:\program files\GDS

2011-04-27 20:30 . 2011-04-27 20:31 -------- d-----w- c:\documents and settings\All Users\.t2web

2011-04-27 20:30 . 2011-04-27 20:30 -------- d-----w- c:\documents and settings\Mobile\.gdsweblaunch

2011-04-27 00:39 . 2001-10-22 02:20 126976 ----a-w- c:\windows\system32\spnsrvnt.exe

2011-04-27 00:39 . 2001-04-06 06:11 20288 ----a-w- c:\windows\system32\drivers\SNTNLUSB.SYS

2011-04-27 00:39 . 2001-04-06 06:11 73216 ----a-w- c:\windows\system32\drivers\SENTINEL.SYS

2011-04-27 00:39 . 2001-04-06 06:11 49152 ----a-w- c:\windows\system32\SNTI386.DLL

2011-04-27 00:39 . 2011-04-27 00:39 -------- d-----w- c:\windows\system32\RNBOSENT

2011-04-27 00:39 . 2011-04-27 00:54 -------- d-----w- c:\program files\GlobalTIS

2011-04-27 00:39 . 2011-04-27 00:46 -------- d--h--w- c:\program files\Zero G Registry

2011-04-27 00:37 . 2011-04-27 00:37 -------- d--h--w- c:\documents and settings\Mobile\InstallAnywhere

2011-04-23 13:07 . 2011-04-23 13:07 -------- d-----w- c:\program files\DIFX

2011-04-23 13:07 . 2010-07-02 12:25 61440 ----a-w- c:\windows\system32\FTChipID.dll

2011-04-23 13:04 . 2011-04-23 13:07 -------- d-----w- c:\program files\ABRITES software for ID 130115

2011-04-23 10:42 . 2011-04-23 10:42 -------- d-----w- C:\ARBRITES

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:31 . 2010-08-15 19:09 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2008-12-13 15:53 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:27 . 2008-12-13 15:53 1866880 ----a-w- c:\windows\system32\win32k.sys

2011-03-03 06:53 . 2011-03-03 06:53 149504 ----a-w- c:\windows\system32\SET1A.tmp

2011-02-22 23:06 . 2011-04-17 14:31 602112 ----a-w- c:\windows\system32\SET123.tmp

2011-02-22 23:06 . 2011-04-17 14:31 55296 ----a-w- c:\windows\system32\SET122.tmp

2011-02-22 23:06 . 2011-04-17 14:31 916480 ----a-w- c:\windows\system32\SET11C.tmp

2011-02-22 23:06 . 2011-04-17 14:31 1210880 ----a-w- c:\windows\system32\SET11D.tmp

2011-02-22 23:06 . 2011-04-17 14:31 5962240 ----a-w- c:\windows\system32\SET121.tmp

2011-02-22 23:06 . 2008-12-13 15:53 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06 . 2008-12-13 15:52 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06 . 2008-04-14 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-02-22 23:06 . 2011-04-17 14:31 1991680 ----a-w- c:\windows\system32\SET127.tmp

2011-02-22 23:06 . 2011-04-17 14:31 11080704 ----a-w- c:\windows\system32\SET129.tmp

2011-02-22 11:41 . 2008-04-14 11:00 385024 ----a-w- c:\windows\system32\html.iec

.

<pre>
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\ESET\ESET Smart Security\egui .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Microsoft ActiveSync\wcescomm .exe
c:\program files\PowerISO\PWRISOVM .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\TCtrlIOHook .exe
</pre>

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-12-11 2610608]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]

"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]

"nwiz"="nwiz.exe" [N/A]

"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\Mobile\Start Menu\Programs\Startup\

TalkTalk Setup CD Reporting Tool.exe [2010-8-2 725768]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth Monitor.lnk - c:\program files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2010-8-15 69632]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-12-01 18:17 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-1706-8086-444553544016}]

@="USB sChip"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=

"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"9322:TCP"= 9322:TCP:EKDiscovery

"5353:UDP"= 5353:UDP:Bonjour Port 5353

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [10/05/2011 12:28 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/05/2011 12:28 307928]

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [01/04/2010 00:11 33824]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/05/2011 12:28 19544]

R2 GLOBALTISTB;GLOBALTISTB;c:\progra~1\GLOBAL~1\TRANSB~1\tbmux32.exe [27/04/2011 01:39 413696]

R2 GlobalTISTC6;GlobalTIS_TC6;c:\program files\GlobalTIS\tomcat\bin\tomcat6.exe [27/04/2011 01:39 57344]

R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [10/10/2010 22:33 5152]

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [13/09/2010 18:18 308656]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [08/06/2009 15:27 24768]

S1 ethbsnyy;ethbsnyy;c:\windows\system32\drivers\ethbsnyy.sys [03/05/2011 17:16 134144]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\System\CPL Bonus\Vcdrom.sys --> c:\program files\System\CPL Bonus\Vcdrom.sys [?]

S3 CYUSB;UPA-USB Driver;c:\windows\system32\drivers\UPAUSB.sys [17/11/2010 03:45 39936]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [15/08/2010 22:48 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [15/08/2010 22:48 8456]

S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [27/04/2011 21:40 48832]

S3 FTD2XX;BMW Scanner SYS device driver;c:\windows\system32\drivers\FTD2XX.sys [15/12/2005 13:27 34639]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - uphcleanhlp

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.digital-kaos.co.uk/forums/f149/

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-22 14:09

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,7a,13,53,d0,8f,eb,4d,83,85,91,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,7a,13,53,d0,8f,eb,4d,83,85,91,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5da136b2-e6e6-4560-8955-dfe1ddc75385}]

@Denied: (Full) (Everyone)

"Model"=dword:00000036

"Therad"=dword:00000011

"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,

4b,7b,ad,04,7a,b1,b5,76,9b,27,47,ad,91,56,c8,52,62,22,f2,a9,ac,3f,1d,1f,c8,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):7a,93,84,59,2c,f8,6d,7c,1c,c2,ff,43,0b,d1,a2,26,bd,16,a6,aa,ad,

c2,2b,bb,70,3e,b4,5e,3f,f8,7f,ef,be,59,37,b3,4c,b3,49,59,00,00,00,00,00,00,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(936)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

.

- - - - - - - > 'explorer.exe'(2992)

c:\windows\system32\WININET.dll

c:\windows\system32\MSCTF.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\windows\RTHDCPL.EXE

c:\program files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\spnsrvnt.exe

c:\program files\UPHClean\uphclean.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-05-22 14:16:19 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-22 13:16

.

Pre-Run: 23,464,706,048 bytes free

Post-Run: 24,316,047,360 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="BMW DIAGNOSTICS" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="DIAGNOSTICS" /noexecute=optin /fastdetect /usepmtimer

.

- - End Of File - - FEA170CF975CB00B390735A370897C8B


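The "Files Created" section above is where the infection's droppings first stand out: a driver with a random-looking name whose created and modified times match to the minute (ethbsnyy.sys), an executable under the LocalService profile, a zero-byte file in the Windows root, and hex/GUID-named directories under Application Data, all from the same two days, while installer-delivered files keep older modified times (usbscan.sys, SNTNLUSB.SYS). As an added example (editor's code, not ComboFix and not anything posted in this thread), here is a small parser that turns those observations into triage rules over ComboFix lines. Every threshold (vowel ratio, seven-letter minimum, created == modified meaning "freshly written") is an assumption, and the sample lines are a subset copied from the log.

```python
"""Triage the 'Files Created' section of a ComboFix log.

Added example for this thread; it is not ComboFix output and not code from
the forum.  Every rule below is an editor-chosen heuristic (an assumption)
meant to surface candidates for a human to hash and verify, not a verdict.
"""
import re

# ComboFix line layout: <created> . <modified> <size or dashes> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$"
)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"}
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SERVICE_PROFILE_RE = re.compile(
    r"\\documents and settings\\(localservice|networkservice)\\", re.I)

# Lines copied from the ComboFix log in this thread (a subset).
SAMPLE_LOG = r"""
2011-05-10 22:14 . 2011-05-10 22:37 -------- d-----w- C:\SDFix
2011-05-10 21:43 . 2011-05-10 21:43 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2011-05-10 11:28 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-04 21:00 . 2011-05-04 21:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-05-03 16:16 . 2011-05-03 16:16 134144 ----a-w- c:\windows\system32\drivers\ethbsnyy.sys
2011-05-03 15:40 . 2011-05-03 15:40 148992 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\audiodebugmsg.exe
2011-05-03 11:19 . 2011-05-04 13:46 0 ----a-w- c:\windows\Ayojutilesolasiw.bin
2011-05-03 11:19 . 2011-05-03 11:19 -------- d-----w- c:\documents and settings\Mobile\Local Settings\Application Data\{2EFA6553-B308-4E43-AD7A-028C3F5E564A}
2011-05-02 22:03 . 2011-05-03 12:48 -------- d-----w- c:\documents and settings\Mobile\Application Data\2949CC0FA79A180594C05B9863D99BE0
2011-05-01 20:50 . 2008-12-13 15:56 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-04-27 00:39 . 2001-04-06 06:11 20288 ----a-w- c:\windows\system32\drivers\SNTNLUSB.SYS
"""


def parse_line(line):
    """Parse one ComboFix file line into a dict, or return None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["is_dir"] = d["attrs"].startswith("d")
    d["size"] = None if d["is_dir"] else int(d["size"])
    d["path"] = d["path"].lower()          # NTFS paths are case-insensitive
    return d


def looks_random(stem):
    """Crude pronounceability test: 7+ pure-letter name with under 25% vowels."""
    if len(stem) < 7 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in stem.lower())
    return vowels / len(stem) < 0.25


def triage(entry):
    """Return the list of heuristic reasons this entry deserves a look."""
    reasons = []
    path = entry["path"]
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    stem, ext = (stem, "." + ext) if dot else (name, "")
    fresh = entry["created"] == entry["modified"]   # written in place, not copied from a package
    if entry["is_dir"]:
        if (HEX32_RE.match(name) or GUID_RE.match(name)) and "application data" in path:
            reasons.append("hex/GUID-named directory under a profile's Application Data")
        return reasons
    if ext in EXEC_EXT and SERVICE_PROFILE_RE.search(path):
        reasons.append("executable dropped into a service account profile")
    if ext in EXEC_EXT and fresh and looks_random(stem):
        reasons.append("freshly written executable with random-looking name")
    if entry["size"] == 0 and path.startswith("c:\\windows\\") and path.count("\\") == 2:
        reasons.append("zero-byte file in the Windows root (possible infection marker)")
    return reasons


def triage_log(text):
    """Map each flagged path to its reasons; unflagged lines are omitted."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and (reasons := triage(entry)):
            flagged[entry["path"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

Files that an installer copied out of a package keep the package's older modified time (usbscan.sys, SNTNLUSB.SYS), which is why the random-name rule only fires when both timestamps match; a short consonant-heavy vendor prefix such as aswSnx would otherwise trip it. Treat each hit the way Kenny treats epmntdrv.sys below: hash it, submit it, and let the result decide.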
Regarding this entry in the log:

c:\windows\system32\drivers\ntfs.sys . . . is infected!!

There's a very good chance we'll need your Windows XP disc. ntfs.sys is a critical system core file. If we remove it, then your PC won't boot. So we need to replace this file with a clean copy. Let me know if you have a Windows XP disc.

Use your browser to go here, to the VirusTotal website.

Click the Browse button and then navigate to

c:\windows\system32\epmntdrv.sys

then click the Submit button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

Next

Run CFScript

  • Close any open browsers.
  • Open Notepad: click Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and paste everything from the Code box into Notepad:

KILLALL::
SRPeek::
c:\windows\system32\drivers\ndis.sys
TDL::
c:\windows\system32\drivers\ndis.sys
RenV::
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\ESET\ESET Smart Security\egui .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Microsoft ActiveSync\wcescomm .exe
c:\program files\PowerISO\PWRISOVM .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\TCtrlIOHook .exe

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


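The list ComboFix printed between the pre tags in the first log (Reader_sl .exe, egui .exe, mbam .exe, rundll32 .exe and so on) and the RenV:: section of the CFScript above describe one symptom: each legitimate autostart binary has been renamed with a space before its extension, so whatever now occupies the original name is what actually runs at logon, which is why mbam and the ESET GUI stopped working. As an added example (editor's code, not ComboFix and not a reproduction of what RenV:: does internally), here is a script that finds such displaced files under a directory tree, quarantines any file sitting under the original name keyed by its SHA-256, and renames the displaced original back. The directory layout and file contents in demo() are constructed for the demonstration.

```python
"""Find and undo 'name .exe' autostart displacement.

Added example; editor's code, not ComboFix and not its RenV:: implementation.
The tree built in demo() is constructed for the demonstration.
"""
import hashlib
import os
import re
import shutil
import tempfile

# "Reader_sl .exe": one or more spaces between the stem and the extension.
DISPLACED_RE = re.compile(r"^(?P<stem>.+?) +(?P<ext>\.(exe|dll|sys|scr))$", re.I)

# Constructed stand-ins for the real binaries (real PE files also start with "MZ").
LEGIT = b"MZ\x90\x00 legitimate program (constructed)"
IMPOSTOR = b"MZ\x90\x00 file planted under the original name (constructed)"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_displaced(root):
    """Return sorted (displaced_path, original_path, impostor_or_None) triples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = DISPLACED_RE.match(name)
            if not m:
                continue
            displaced = os.path.join(dirpath, name)
            original = os.path.join(dirpath, m["stem"] + m["ext"])
            hits.append((displaced, original,
                         original if os.path.exists(original) else None))
    return sorted(hits)


def restore(root, quarantine):
    """Move whatever holds the original name into quarantine (named by SHA-256),
    then rename the displaced file back.  Returns [(original_path, digest|None)]."""
    os.makedirs(quarantine, exist_ok=True)
    actions = []
    for displaced, original, impostor in find_displaced(root):
        digest = None
        if impostor is not None:
            digest = sha256_of(impostor)                  # keep the sample for submission
            shutil.move(impostor, os.path.join(quarantine, digest + ".bin"))
        os.rename(displaced, original)                    # the original name now points at the original file
        actions.append((original, digest))
    return actions


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a throwaway tree mirroring two entries from the log, clean it,
    and report what was found and what the tree contains afterwards."""
    root = tempfile.mkdtemp(prefix="renv_demo_")
    try:
        reader = os.path.join(root, "Program Files", "Adobe", "Reader 8.0", "Reader")
        _write(os.path.join(reader, "Reader_sl .exe"), LEGIT)       # displaced original
        _write(os.path.join(reader, "Reader_sl.exe"), IMPOSTOR)      # what the Run entry launches now
        _write(os.path.join(root, "Program Files", "PowerISO", "PWRISOVM .exe"), LEGIT)  # impostor already gone
        _write(os.path.join(root, "WINDOWS", "system32", "notepad.exe"), LEGIT)          # untouched control
        found = find_displaced(root)
        actions = restore(root, os.path.join(root, "_quarantine"))
        after = {}
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as f:
                    after[os.path.relpath(full, root).replace(os.sep, "/")] = f.read()
        return {
            "found": [os.path.relpath(d, root).replace(os.sep, "/") for d, _o, _i in found],
            "quarantined": sum(1 for _o, digest in actions if digest),
            "after": after,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, sorted(value) if key == "after" else value)
```

On a live system this belongs in a clean boot environment, not inside the infected Windows: with ntfs.sys reported infected, the running kernel cannot be trusted to show the directory listing honestly, and the point of quarantining by hash is to have the planted file available for exactly the kind of VirusTotal submission requested above.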
Hi Kenny

I found 2 XP discs (back-ups), can't find the originals.

1 is SP3, don't know what the other is. Anyway, yes, I have a disc.

I submitted the file and pasted the results:

File already submitted: The file sent has already been analysed by VirusTotal in the past.

This is some basic info regarding the sample itself and its last analysis:

MD5: f07ba56b0235f15eff8f10dc6389c42e

Date first seen: 2009-11-08 23:27:04 (UTC)

Date last seen: 2011-05-21 08:44:24 (UTC)

Detection ratio: 0/42


.............................................................................................

I reanalysed the file and clicked the additional information...

Additional information

MD5 : f07ba56b0235f15eff8f10dc6389c42e

SHA1 : 67d4e043df4b8579bb36612ac396fcab964bdb8d

SHA256: a7202ccb418d03606a97679bcf166aca12f8341e8ab97df044ae00401b8496b4

ssdeep: 192:oJgR9fN2qBIf9pYf0mtq81NL3jMjGwP7oZgjl7Mcip+ebMZMEESF:oJg/N5Bi3Yf0oLpd6jVQbA

File size : 13192 bytes

First seen: 2009-11-08 23:27:04

Last seen : 2011-05-22 16:19:41

TrID:

Win16/32 Executable Delphi generic (25.4%)

Clipper DOS Executable (24.8%)

Generic Win/DOS Executable (24.6%)

DOS Executable Generic (24.6%)

VXD Driver (0.3%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: CHENGDU YIWO Tech Development Co., Ltd.

VeriSign Class 3 Code Signing 2004 CA

Class 3 Public Primary Certification Authority

signing date.: 6:36 PM 5/22/2011

verified.....: -

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x1D05

timedatestamp....: 0x4897E6B0 (Tue Aug 05 05:35:44 2008)

machinetype......: 0x14c (I386)

[[ 5 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x480, 0x15CE, 0x1600, 6.26, 68c84af2632118f2fd70196641c7b92a

.rdata, 0x1A80, 0x1D5, 0x200, 4.74, a088f3513b68ed63036d47e4eae5b847

.data, 0x1C80, 0x60, 0x80, 1.27, e27918cd4bc6289095f759fcf3c65f72

INIT, 0x1D00, 0x352, 0x380, 5.20, 6a966a3c841ac34cf9732bfe06224601

.reloc, 0x2080, 0x15E, 0x180, 4.14, 3b178276205d421cad26b943ca2a438d

[[ 1 import(s) ]]

ntoskrnl.exe: DbgPrint, IoDeleteDevice, IoDeleteSymbolicLink, ObfReferenceObject, IoGetDeviceObjectPointer,

RtlInitUnicodeString, memset, IoFreeIrp, KeSetEvent, IoFreeMdl, MmUnlockPages, ExFreePoolWithTag,

KeWaitForSingleObject, IofCallDriver, KeInitializeEvent, IoBuildAsynchronousFsdRequest, IofCompleteRequest,

MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, RtlUnicodeStringToInteger,

ExAllocatePoolWithTag, memcpy, IoBuildDeviceIoControlRequest, IoCreateSymbolicLink, IoCreateDevice, KeTickCount,

KeBugCheckEx, RtlAnsiCharToUnicodeChar

END OF FILE SUBMITTED.............

PLEASE NOTE: whilst ComboFix was running, a Windows File Protection window popped up, and I have included a photo of the pop-up as an attachment at the end of this post.

ComboFix 11-05-21.03 - Mobile 22/05/2011 17:56:30.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.470 [GMT 1:00]

Running from: c:\documents and settings\Mobile\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Mobile\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Mobile\Local Settings\Application Data\{2EFA6553-B308-4E43-AD7A-028C3F5E564A}

c:\documents and settings\Mobile\Local Settings\Application Data\{2EFA6553-B308-4E43-AD7A-028C3F5E564A}\chrome.manifest

c:\documents and settings\Mobile\Local Settings\Application Data\{2EFA6553-B308-4E43-AD7A-028C3F5E564A}\chrome\content\_cfg.js

c:\documents and settings\Mobile\Local Settings\Application Data\{2EFA6553-B308-4E43-AD7A-028C3F5E564A}\chrome\content\overlay.xul

c:\documents and settings\Mobile\Local Settings\Application Data\{2EFA6553-B308-4E43-AD7A-028C3F5E564A}\install.rdf

.

.

((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))

.

.

2011-05-10 22:14 . 2011-05-10 22:37 -------- d-----w- C:\SDFix

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\system32\xircom

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\system32\wbem\snmp

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\srchasst

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\program files\microsoft frontpage

2011-05-10 21:43 . 2011-05-10 21:43 578560 ----a-w- c:\windows\system32\dllcache\user32.dll

2011-05-10 21:31 . 2011-05-10 21:32 -------- d-----w- c:\windows\ERUNT

2011-05-10 17:51 . 2011-05-11 00:28 -------- d-----w- c:\documents and settings\Administrator

2011-05-10 11:28 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-05-10 11:28 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-05-10 11:28 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-05-10 11:28 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-05-10 11:28 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-05-10 11:28 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-05-10 11:28 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-05-10 11:28 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-05-10 11:28 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr

2011-05-10 11:28 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-05-10 11:27 . 2011-05-10 11:27 -------- d-----w- c:\program files\AVAST Software

2011-05-10 11:27 . 2011-05-10 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-05-09 19:55 . 2011-05-09 19:55 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Malwarebytes

2011-05-04 21:00 . 2011-05-04 21:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2011-05-04 20:31 . 2011-05-04 20:31 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2011-05-03 18:38 . 2011-05-03 18:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-05-03 16:16 . 2011-05-03 16:16 134144 ----a-w- c:\windows\system32\drivers\ethbsnyy.sys

2011-05-03 15:40 . 2011-05-03 15:40 148992 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\audiodebugmsg.exe

2011-05-03 13:12 . 2011-05-03 13:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-05-03 11:19 . 2011-05-04 13:46 0 ----a-w- c:\windows\Ayojutilesolasiw.bin

2011-05-02 22:03 . 2011-05-03 12:48 -------- d-----w- c:\documents and settings\Mobile\Application Data\2949CC0FA79A180594C05B9863D99BE0

2011-05-01 20:50 . 2008-12-13 15:56 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2011-05-01 20:50 . 2008-12-13 15:55 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-05-01 20:50 . 2008-12-13 15:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-04-27 22:05 . 2011-04-27 22:05 -------- d-----w- c:\program files\GM

2011-04-27 22:01 . 2011-04-27 22:07 -------- d-----w- c:\documents and settings\Mobile\sps

2011-04-27 22:00 . 2011-04-27 22:00 -------- d-----w- c:\documents and settings\Mobile\sas

2011-04-27 21:59 . 2011-04-27 21:59 -------- d-----w- c:\documents and settings\Mobile\snapshot

2011-04-27 21:00 . 2011-04-27 21:00 -------- d-----w- c:\documents and settings\Mobile\tech2view

2011-04-27 20:54 . 2011-04-27 20:54 -------- d-----w- c:\documents and settings\Mobile\diag

2011-04-27 20:40 . 2011-04-27 20:40 -------- d-----w- C:\PCMCIA_COPY

2011-04-27 20:40 . 2009-06-08 14:27 48832 ----a-w- c:\windows\system32\drivers\evserial.sys

2011-04-27 20:39 . 2011-04-27 20:39 -------- d-----w- c:\program files\General Motors

2011-04-27 20:38 . 2011-04-27 20:53 -------- d-----w- c:\documents and settings\Mobile\swdl

2011-04-27 20:35 . 2011-04-27 21:58 -------- d-----w- c:\documents and settings\Mobile\.rts

2011-04-27 20:31 . 2011-04-27 20:31 -------- d-----w- c:\documents and settings\All Users\.dls

2011-04-27 20:31 . 2011-04-27 20:33 -------- d-----w- c:\program files\GDS

2011-04-27 20:30 . 2011-04-27 20:31 -------- d-----w- c:\documents and settings\All Users\.t2web

2011-04-27 20:30 . 2011-04-27 20:30 -------- d-----w- c:\documents and settings\Mobile\.gdsweblaunch

2011-04-27 00:39 . 2001-10-22 02:20 126976 ----a-w- c:\windows\system32\spnsrvnt.exe

2011-04-27 00:39 . 2001-04-06 06:11 20288 ----a-w- c:\windows\system32\drivers\SNTNLUSB.SYS

2011-04-27 00:39 . 2001-04-06 06:11 73216 ----a-w- c:\windows\system32\drivers\SENTINEL.SYS

2011-04-27 00:39 . 2001-04-06 06:11 49152 ----a-w- c:\windows\system32\SNTI386.DLL

2011-04-27 00:39 . 2011-04-27 00:39 -------- d-----w- c:\windows\system32\RNBOSENT

2011-04-27 00:39 . 2011-04-27 00:54 -------- d-----w- c:\program files\GlobalTIS

2011-04-27 00:39 . 2011-04-27 00:46 -------- d--h--w- c:\program files\Zero G Registry

2011-04-27 00:37 . 2011-04-27 00:37 -------- d--h--w- c:\documents and settings\Mobile\InstallAnywhere

2011-04-23 13:07 . 2011-04-23 13:07 -------- d-----w- c:\program files\DIFX

2011-04-23 13:07 . 2010-07-02 12:25 61440 ----a-w- c:\windows\system32\FTChipID.dll

2011-04-23 13:04 . 2011-04-23 13:07 -------- d-----w- c:\program files\ABRITES software for ID 130115

2011-04-23 10:42 . 2011-04-23 10:42 -------- d-----w- C:\ARBRITES

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:31 . 2010-08-15 19:09 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2008-12-13 15:53 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:27 . 2008-12-13 15:53 1866880 ----a-w- c:\windows\system32\win32k.sys

2011-03-03 06:53 . 2011-03-03 06:53 149504 ----a-w- c:\windows\system32\SET1A.tmp

2011-02-22 23:06 . 2011-04-17 14:31 602112 ----a-w- c:\windows\system32\SET123.tmp

2011-02-22 23:06 . 2011-04-17 14:31 55296 ----a-w- c:\windows\system32\SET122.tmp

2011-02-22 23:06 . 2011-04-17 14:31 916480 ----a-w- c:\windows\system32\SET11C.tmp

2011-02-22 23:06 . 2011-04-17 14:31 1210880 ----a-w- c:\windows\system32\SET11D.tmp

2011-02-22 23:06 . 2011-04-17 14:31 5962240 ----a-w- c:\windows\system32\SET121.tmp

2011-02-22 23:06 . 2008-12-13 15:53 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06 . 2008-12-13 15:52 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06 . 2008-04-14 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-02-22 23:06 . 2011-04-17 14:31 1991680 ----a-w- c:\windows\system32\SET127.tmp

2011-02-22 23:06 . 2011-04-17 14:31 11080704 ----a-w- c:\windows\system32\SET129.tmp

2011-02-22 11:41 . 2008-04-14 11:00 385024 ----a-w- c:\windows\system32\html.iec

.

.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-12-11 2610608]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]

"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]

"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\Mobile\Start Menu\Programs\Startup\

TalkTalk Setup CD Reporting Tool.exe [2010-8-2 725768]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth Monitor.lnk - c:\program files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2010-8-15 69632]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-12-01 18:17 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-1706-8086-444553544016}]

@="USB sChip"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=

"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"9322:TCP"= 9322:TCP:EKDiscovery

"5353:UDP"= 5353:UDP:Bonjour Port 5353

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [10/05/2011 12:28 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/05/2011 12:28 307928]

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [01/04/2010 00:11 33824]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/05/2011 12:28 19544]

R2 GLOBALTISTB;GLOBALTISTB;c:\progra~1\GLOBAL~1\TRANSB~1\tbmux32.exe [27/04/2011 01:39 413696]

R2 GlobalTISTC6;GlobalTIS_TC6;c:\program files\GlobalTIS\tomcat\bin\tomcat6.exe [27/04/2011 01:39 57344]

R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [10/10/2010 22:33 5152]

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [13/09/2010 18:18 308656]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [08/06/2009 15:27 24768]

S1 ethbsnyy;ethbsnyy;c:\windows\system32\drivers\ethbsnyy.sys [03/05/2011 17:16 134144]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\System\CPL Bonus\Vcdrom.sys --> c:\program files\System\CPL Bonus\Vcdrom.sys [?]

S3 CYUSB;UPA-USB Driver;c:\windows\system32\drivers\UPAUSB.sys [17/11/2010 03:45 39936]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [15/08/2010 22:48 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [15/08/2010 22:48 8456]

S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [27/04/2011 21:40 48832]

S3 FTD2XX;BMW Scanner SYS device driver;c:\windows\system32\drivers\FTD2XX.sys [15/12/2005 13:27 34639]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - uphcleanhlp

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.digital-kaos.co.uk/forums/f149/

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-nwiz - nwiz.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-22 18:09

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,7a,13,53,d0,8f,eb,4d,83,85,91,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,7a,13,53,d0,8f,eb,4d,83,85,91,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5da136b2-e6e6-4560-8955-dfe1ddc75385}]

@Denied: (Full) (Everyone)

"Model"=dword:00000036

"Therad"=dword:00000011

"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,

4b,7b,ad,04,7a,b1,b5,76,9b,27,47,ad,91,56,c8,52,62,22,f2,a9,ac,3f,1d,1f,c8,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):7a,93,84,59,2c,f8,6d,7c,1c,c2,ff,43,0b,d1,a2,26,bd,16,a6,aa,ad,

c2,2b,bb,70,3e,b4,5e,3f,f8,7f,ef,be,59,37,b3,4c,b3,49,59,00,00,00,00,00,00,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(936)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

.

- - - - - - - > 'explorer.exe'(3700)

c:\windows\system32\WININET.dll

c:\windows\system32\MSCTF.dll

c:\program files\Internet Download Manager\idmmkb.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\windows\RTHDCPL.EXE

c:\program files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\spnsrvnt.exe

c:\program files\UPHClean\uphclean.exe

c:\windows\system32\wscntfy.exe

c:\program files\Internet Download Manager\IEMonitor.exe

.

**************************************************************************

.

Completion time: 2011-05-22 18:14:23 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-22 17:14

ComboFix2.txt 2011-05-22 13:16

.

Pre-Run: 24,324,780,032 bytes free

Post-Run: 24,258,072,576 bytes free

.

- - End Of File - - 2187A7858757F52AD95F4F1B53514E21

Thanks Kenny

Pop-up.rar


DeFogger

Download DeFogger by jpshortstuff from here & save it to your desktop.

  • Right click DeFogger then choose Run as Administrator Or you can double-click to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK. If not, reboot your PC.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next

Run ComboFix as you did the first time. Allow it to update if it requests to do so.

When finished, it shall produce a log for you. Post that log in your next reply.


Hi Kenny

after installing windows recovery console earlier, my boot has now been modified for recovery purposes

but it is also the place where I tell my machine which partition to boot from, but the timeframe of 30 seconds

to change boot sequence has been changed to 2 seconds,

I thought that the file was boot.ini but it's not on the machine anymore, has recovery console changed the name of the file??

not a great problem as I can google at a later date, just thought you may have an idea of what and where the boot file is

Thanks Kenny

ComboFix 11-05-21.03 - Mobile 22/05/2011 21:59:12.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.532 [GMT 1:00]

Running from: c:\documents and settings\Mobile\Desktop\ComboFix\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))

.

.

2011-05-10 22:14 . 2011-05-10 22:37 -------- d-----w- C:\SDFix

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\system32\xircom

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\system32\wbem\snmp

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\srchasst

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\program files\microsoft frontpage

2011-05-10 21:43 . 2011-05-10 21:43 578560 ----a-w- c:\windows\system32\dllcache\user32.dll

2011-05-10 21:31 . 2011-05-10 21:32 -------- d-----w- c:\windows\ERUNT

2011-05-10 17:51 . 2011-05-11 00:28 -------- d-----w- c:\documents and settings\Administrator

2011-05-10 11:28 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-05-10 11:28 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-05-10 11:28 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-05-10 11:28 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-05-10 11:28 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-05-10 11:28 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-05-10 11:28 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-05-10 11:28 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-05-10 11:28 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr

2011-05-10 11:28 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-05-10 11:27 . 2011-05-10 11:27 -------- d-----w- c:\program files\AVAST Software

2011-05-10 11:27 . 2011-05-10 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-05-09 19:55 . 2011-05-09 19:55 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Malwarebytes

2011-05-04 21:00 . 2011-05-04 21:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2011-05-04 20:31 . 2011-05-04 20:31 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2011-05-03 18:38 . 2011-05-03 18:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-05-03 16:16 . 2011-05-03 16:16 134144 ----a-w- c:\windows\system32\drivers\ethbsnyy.sys

2011-05-03 15:40 . 2011-05-03 15:40 148992 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\audiodebugmsg.exe

2011-05-03 13:12 . 2011-05-03 13:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-05-03 11:19 . 2011-05-04 13:46 0 ----a-w- c:\windows\Ayojutilesolasiw.bin

2011-05-02 22:03 . 2011-05-03 12:48 -------- d-----w- c:\documents and settings\Mobile\Application Data\2949CC0FA79A180594C05B9863D99BE0

2011-05-01 20:50 . 2008-12-13 15:56 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2011-05-01 20:50 . 2008-12-13 15:55 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-05-01 20:50 . 2008-12-13 15:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-04-27 22:05 . 2011-04-27 22:05 -------- d-----w- c:\program files\GM

2011-04-27 22:01 . 2011-04-27 22:07 -------- d-----w- c:\documents and settings\Mobile\sps

2011-04-27 22:00 . 2011-04-27 22:00 -------- d-----w- c:\documents and settings\Mobile\sas

2011-04-27 21:59 . 2011-04-27 21:59 -------- d-----w- c:\documents and settings\Mobile\snapshot

2011-04-27 21:00 . 2011-04-27 21:00 -------- d-----w- c:\documents and settings\Mobile\tech2view

2011-04-27 20:54 . 2011-04-27 20:54 -------- d-----w- c:\documents and settings\Mobile\diag

2011-04-27 20:40 . 2011-04-27 20:40 -------- d-----w- C:\PCMCIA_COPY

2011-04-27 20:40 . 2009-06-08 14:27 48832 ----a-w- c:\windows\system32\drivers\evserial.sys

2011-04-27 20:39 . 2011-04-27 20:39 -------- d-----w- c:\program files\General Motors

2011-04-27 20:38 . 2011-04-27 20:53 -------- d-----w- c:\documents and settings\Mobile\swdl

2011-04-27 20:35 . 2011-04-27 21:58 -------- d-----w- c:\documents and settings\Mobile\.rts

2011-04-27 20:31 . 2011-04-27 20:31 -------- d-----w- c:\documents and settings\All Users\.dls

2011-04-27 20:31 . 2011-04-27 20:33 -------- d-----w- c:\program files\GDS

2011-04-27 20:30 . 2011-04-27 20:31 -------- d-----w- c:\documents and settings\All Users\.t2web

2011-04-27 20:30 . 2011-04-27 20:30 -------- d-----w- c:\documents and settings\Mobile\.gdsweblaunch

2011-04-27 00:39 . 2001-10-22 02:20 126976 ----a-w- c:\windows\system32\spnsrvnt.exe

2011-04-27 00:39 . 2001-04-06 06:11 20288 ----a-w- c:\windows\system32\drivers\SNTNLUSB.SYS

2011-04-27 00:39 . 2001-04-06 06:11 73216 ----a-w- c:\windows\system32\drivers\SENTINEL.SYS

2011-04-27 00:39 . 2001-04-06 06:11 49152 ----a-w- c:\windows\system32\SNTI386.DLL

2011-04-27 00:39 . 2011-04-27 00:39 -------- d-----w- c:\windows\system32\RNBOSENT

2011-04-27 00:39 . 2011-04-27 00:54 -------- d-----w- c:\program files\GlobalTIS

2011-04-27 00:39 . 2011-04-27 00:46 -------- d--h--w- c:\program files\Zero G Registry

2011-04-27 00:37 . 2011-04-27 00:37 -------- d--h--w- c:\documents and settings\Mobile\InstallAnywhere

2011-04-23 13:07 . 2011-04-23 13:07 -------- d-----w- c:\program files\DIFX

2011-04-23 13:07 . 2010-07-02 12:25 61440 ----a-w- c:\windows\system32\FTChipID.dll

2011-04-23 13:04 . 2011-04-23 13:07 -------- d-----w- c:\program files\ABRITES software for ID 130115

2011-04-23 10:42 . 2011-04-23 10:42 -------- d-----w- C:\ARBRITES

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:31 . 2010-08-15 19:09 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2008-12-13 15:53 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:27 . 2008-12-13 15:53 1866880 ----a-w- c:\windows\system32\win32k.sys

2011-03-03 06:53 . 2011-03-03 06:53 149504 ----a-w- c:\windows\system32\SET1A.tmp

2011-02-22 23:06 . 2011-04-17 14:31 602112 ----a-w- c:\windows\system32\SET123.tmp

2011-02-22 23:06 . 2011-04-17 14:31 55296 ----a-w- c:\windows\system32\SET122.tmp

2011-02-22 23:06 . 2011-04-17 14:31 916480 ----a-w- c:\windows\system32\SET11C.tmp

2011-02-22 23:06 . 2011-04-17 14:31 1210880 ----a-w- c:\windows\system32\SET11D.tmp

2011-02-22 23:06 . 2011-04-17 14:31 5962240 ----a-w- c:\windows\system32\SET121.tmp

2011-02-22 23:06 . 2008-12-13 15:53 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06 . 2008-12-13 15:52 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06 . 2008-04-14 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-02-22 23:06 . 2011-04-17 14:31 1991680 ----a-w- c:\windows\system32\SET127.tmp

2011-02-22 23:06 . 2011-04-17 14:31 11080704 ----a-w- c:\windows\system32\SET129.tmp

2011-02-22 11:41 . 2008-04-14 11:00 385024 ----a-w- c:\windows\system32\html.iec

.

.

((((((((((((((((((((((((((((( SnapShot@2011-05-22_13.10.29 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-05-22 20:55 . 2011-05-22 20:55 16384 c:\windows\temp\Perflib_Perfdata_650.dat

+ 2007-06-30 07:18 . 2007-06-30 07:18 28672 c:\windows\system32\TCtrlIOHook.exe

+ 2008-04-14 11:00 . 2008-04-14 11:00 33280 c:\windows\system32\rundll32.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-12-11 2610608]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]

"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]

"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\Mobile\Start Menu\Programs\Startup\

TalkTalk Setup CD Reporting Tool.exe [2010-8-2 725768]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth Monitor.lnk - c:\program files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2010-8-15 69632]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-12-01 18:17 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-1706-8086-444553544016}]

@="USB sChip"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=

"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"9322:TCP"= 9322:TCP:EKDiscovery

"5353:UDP"= 5353:UDP:Bonjour Port 5353

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [10/05/2011 12:28 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/05/2011 12:28 307928]

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [01/04/2010 00:11 33824]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/05/2011 12:28 19544]

R2 GlobalTISTC6;GlobalTIS_TC6;c:\program files\GlobalTIS\tomcat\bin\tomcat6.exe [27/04/2011 01:39 57344]

R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [10/10/2010 22:33 5152]

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [13/09/2010 18:18 308656]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [08/06/2009 15:27 24768]

S1 ethbsnyy;ethbsnyy;c:\windows\system32\drivers\ethbsnyy.sys [03/05/2011 17:16 134144]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\System\CPL Bonus\Vcdrom.sys --> c:\program files\System\CPL Bonus\Vcdrom.sys [?]

S2 GLOBALTISTB;GLOBALTISTB;c:\progra~1\GLOBAL~1\TRANSB~1\tbmux32.exe [27/04/2011 01:39 413696]

S3 CYUSB;UPA-USB Driver;c:\windows\system32\drivers\UPAUSB.sys [17/11/2010 03:45 39936]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [15/08/2010 22:48 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [15/08/2010 22:48 8456]

S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [27/04/2011 21:40 48832]

S3 FTD2XX;BMW Scanner SYS device driver;c:\windows\system32\drivers\FTD2XX.sys [15/12/2005 13:27 34639]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - uphcleanhlp

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.digital-kaos.co.uk/forums/f149/

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-22 22:08

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,7a,13,53,d0,8f,eb,4d,83,85,91,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,7a,13,53,d0,8f,eb,4d,83,85,91,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5da136b2-e6e6-4560-8955-dfe1ddc75385}]

@Denied: (Full) (Everyone)

"Model"=dword:00000036

"Therad"=dword:00000011

"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,

4b,7b,ad,04,7a,b1,b5,76,9b,27,47,ad,91,56,c8,52,62,22,f2,a9,ac,3f,1d,1f,c8,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):7a,93,84,59,2c,f8,6d,7c,1c,c2,ff,43,0b,d1,a2,26,bd,16,a6,aa,ad,

c2,2b,bb,70,3e,b4,5e,3f,f8,7f,ef,be,59,37,b3,4c,b3,49,59,00,00,00,00,00,00,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(936)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

.

- - - - - - - > 'explorer.exe'(3712)

c:\windows\system32\WININET.dll

c:\windows\system32\MSCTF.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

Completion time: 2011-05-22 22:10:46

ComboFix-quarantined-files.txt 2011-05-22 21:10

ComboFix2.txt 2011-05-22 17:14

ComboFix3.txt 2011-05-22 13:16

.

Pre-Run: 24,257,888,256 bytes free

Post-Run: 24,244,228,096 bytes free

.

- - End Of File - - C14E50D4F09209CF67E9A8D8E6E9D297


As for the boot file? I have no idea why it changed the time frame.

There are some older versions of Java and Adobe Acrobat Reader on your computer. These can be a source of the infection/infections.

Go to Start > Control Panel > Add/Remove Programs.

Please remove these entries from Add/Remove Programs in the Control Panel

Adobe Reader 8.2.5

Java 6 Update 22

Restart your computer.

  • Please go to the link below to update.
  • Adobe Reader
  • Uncheck Include in your download (optional Free McAfee Security Scan Plus or any other program).

Next


  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 25 -
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u125 -windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_25 from Sun Microsystems Inc.

-------------------------------------------------------------------

Malwarebytes should update and run now that the infection is gone.

Update Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Hi Thanks Kenny

I removed old versions of reader and java

installed java ok

but new version of reader just won't install, (which I think is why I had old version)..

I will have to try and work out why reader is doing this..

as soon as I went online with the machine, I firstly updated avast, which went as it should.

after this machine's infection, Mbam and Avast desktop icons had turned to white boxes,

after the work you had kindly done for me, Avast returned but Mbam never did.

so before I ran the program, I uninstalled Mbam and downloaded, installed and updated clean version,

which all went ok.

once this was complete I turned off connection to the internet.

I ran Mbam and its first run, ran for 1 min 5 secs, then stalled and did not resume.

used windows task manager to quit Mbam, then ran again, which completed as it should.

log included at end of this post.

Whilst Mbam was running, Avast kept popping up saying "threat found--moved to virus chest".

avast found (I think) 24 threats..

Avast found these threats in sync with Mbam scanning "that" file

I then ran quick scan with Avast which found 3 threats, which it also placed in virus chest.

avast recommended I carry out "boot scan" which I did and found 1 threat.

If there is a way of copying / pasting from avast logs I could not find it, so in order to

show what avast found, I have had to take screen shots and post these..

sorry Kenny if that's a pain, I just don't know of a simpler way.

Please note..all noticeable rogue activity has now stopped on this machine..

Thank you....Julez

....................................................................................

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6644

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

23/05/2011 02:11:35

mbam-log-2011-05-23 (02-11-35).txt

Scan type: Full scan (C:\|G:\|)

Objects scanned: 275397

Time elapsed: 1 hour(s), 15 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

AV_Photo.rar


No concerns for these, as they are in the chest. Most of the objects are in ComboFix quarantine, the others in System Restore, so none of them is active.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may however need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Hi

Thanks Kenny

this is the log from eset online scan

3 threats found

C:\SDFix\apps\Process.exe Win32/PrcView application

C:\WINDOWS\erukukasegadav.dll a variant of Win32/Kryptik.NMN trojan

C:\WINDOWS\system32\cmdow.exe Win32/CMDOW.143 application

.................................................................................

Kenny, ComboFix

has identified this file as a threat.

C:\Qoobox\Quarantine\C\BMWScan140\BMWScan140.exe.vir

BUT this is a little piece of software that I used (and liked).

Do you know if it is possible to have this file repaired?

As it was identified as a threat I haven't posted the file, just its description.

Or a safe way of running this application, without it contaminating the PC..

The reason I would like to keep the software is because it can get access to

a vehicle's electronics, and change the parameters within...

Many Thanks

Julez


We'll Dequarantine that file in ComboFix. In the next post. We're almost done here... :)

Please download the OTM by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Services

    :Reg

    :Files
    ipconfig /flushdns /c
    C:\SDFix\apps\Process.exe
    C:\WINDOWS\erukukasegadav.dll
    C:\WINDOWS\system32\cmdow.exe
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]


  • Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
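To show how a script in this format is read section by section, and why losing the line break before `:Commands` makes every directive after it get looked up as a file path (the outcome visible in the OTM log later in this thread), here is an added Python model. It is not OldTimer's code: the parsing rules, the "/c means run as a command" convention and the set of files assumed to exist are assumptions drawn only from what the thread shows.

```python
import re

# Section headers and bracketed directives as they appear in the script in this
# thread. The parsing rules below are an assumption that reproduces the log in
# this thread; they are not OldTimer's code.
SECTION_NAMES = ("services", "reg", "files", "commands")
EMBEDDED_HEADER_RE = re.compile(r":(Services|Reg|Files|Commands)\b", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^\[[A-Za-z]+\]$")


def parse_script(text):
    """Split a script into its four sections.

    Only a line that is exactly a header (":Files") switches sections; any
    other non-blank line is an entry of the section currently open.
    """
    sections = {name: [] for name in SECTION_NAMES}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":") and line[1:].lower() in SECTION_NAMES:
            current = line[1:].lower()
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def simulate(text, existing_files):
    """Model what happens to each entry: a ':Files' entry ending in ' /c' is run
    as a command, a path that exists is moved, anything else is 'not found';
    directives only execute if they sit in the ':Commands' section."""
    sections = parse_script(text)
    present = {p.lower() for p in existing_files}
    result = {"run": [], "moved": [], "not_found": [], "commands": []}
    for entry in sections["files"]:
        if entry.lower().endswith(" /c"):
            result["run"].append(entry[:-3].strip())
        elif entry.lower() in present:
            result["moved"].append(entry)
        else:
            result["not_found"].append(entry)
    result["commands"] = [d for d in sections["commands"] if DIRECTIVE_RE.match(d)]
    return result


def lint_script(text):
    """Pre-flight check for the paste defect seen in this thread: a section
    header glued onto the end of a path, and directives that therefore landed
    in ':Files' where they will be looked up as file names."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if EMBEDDED_HEADER_RE.search(line) and not line.startswith(":"):
            problems.append(f"line {lineno}: section header embedded in entry {line!r}")
    for entry in parse_script(text)["files"]:
        if DIRECTIVE_RE.match(entry):
            problems.append(f"directive {entry} is in :Files, not :Commands")
    return problems


# The script as posted by the helper in this thread.
CORRECT_SCRIPT = r"""
:Services

:Reg

:Files
ipconfig /flushdns /c
C:\SDFix\apps\Process.exe
C:\WINDOWS\erukukasegadav.dll
C:\WINDOWS\system32\cmdow.exe
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot]
"""

# The same script with the line break before ':Commands' lost, which is what the
# "File/Folder C:\WINDOWS\system32\cmdow.exe :Commands not found." log line implies.
PASTED_SCRIPT = CORRECT_SCRIPT.replace("cmdow.exe\n:Commands", "cmdow.exe :Commands")

# Constructed file set for the simulation (cmdow.exe is assumed to be present).
EXISTING_FILES = {
    r"C:\SDFix\apps\Process.exe",
    r"C:\WINDOWS\erukukasegadav.dll",
    r"C:\WINDOWS\system32\cmdow.exe",
}

if __name__ == "__main__":
    for name, script in (("correct", CORRECT_SCRIPT), ("pasted", PASTED_SCRIPT)):
        print(name, simulate(script, EXISTING_FILES))
        for problem in lint_script(script):
            print("  ", problem)
```

Running `lint_script` on a script before pasting it into the tool catches the glued header and the misplaced directives, which is exactly what the later log shows went wrong.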


Hi Kenny

I had a BIG TIME loss of concentration whilst reading your last instructions..

I carried out the instructions for OTC and the log is included below...

.....................................................................................................

All processes killed

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\Mobile\Desktop\cmd.bat deleted successfully.

C:\Documents and Settings\Mobile\Desktop\cmd.txt deleted successfully.

C:\SDFix\apps\Process.exe moved successfully.

DllUnregisterServer procedure not found in C:\WINDOWS\erukukasegadav.dll

C:\WINDOWS\erukukasegadav.dll moved successfully.

File/Folder C:\WINDOWS\system32\cmdow.exe :Commands not found.

File/Folder [purity] not found.

File/Folder [resethosts] not found.

File/Folder [emptytemp] not found.

File/Folder [CREATERESTOREPOINT] not found.

File/Folder [EMPTYFLASH] not found.

File/Folder [Reboot] not found.

OTM by OldTimer - Version 3.1.18.0 log created on 05232011_211051

...............................................................................

BUT this is where it all went wrong............

We'll Dequarantine that file in ComboFix. In the next post. We're almost done here... :)

In a lack of concentration I read the above quote incorrectly...

I read it as "WELL" not "WE WILL", so I ran ComboFix thinking it may give me an option to "Dequarantine" that file...

I am really sorry if I have put us back many steps, SORRY, I just was not thinking at the time.. :(

Here is the log just to prove how dumb I am......and any damage I may have caused.. :(

ComboFix 11-05-21.03 - Mobile 23/05/2011 21:24:10.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.399 [GMT 1:00]

Running from: c:\documents and settings\Mobile\Desktop\ComboFix\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\ntfs.sys

.

.

((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))

.

.

2011-05-23 20:10 . 2011-05-23 20:10 -------- d-----w- C:\_OTM

2011-05-22 23:47 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-22 23:47 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-22 23:47 . 2011-05-22 23:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-22 23:35 . 2011-05-22 23:35 -------- d-----w- c:\program files\Common Files\Java

2011-05-22 23:35 . 2011-05-22 23:34 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-22 23:18 . 2011-05-23 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2011-05-22 22:33 . 2011-05-22 22:33 -------- d-----w- c:\documents and settings\Mobile\Local Settings\Application Data\MigWiz

2011-05-10 22:14 . 2011-05-10 22:37 -------- d-----w- C:\SDFix

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\system32\xircom

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\system32\wbem\snmp

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\srchasst

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\program files\microsoft frontpage

2011-05-10 21:43 . 2011-05-10 21:43 578560 ----a-w- c:\windows\system32\dllcache\user32.dll

2011-05-10 21:31 . 2011-05-10 21:32 -------- d-----w- c:\windows\ERUNT

2011-05-10 17:51 . 2011-05-11 00:28 -------- d-----w- c:\documents and settings\Administrator

2011-05-10 11:28 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-05-10 11:28 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-05-10 11:28 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-05-10 11:28 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-05-10 11:28 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-05-10 11:28 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-05-10 11:28 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-05-10 11:28 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-05-10 11:28 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr

2011-05-10 11:28 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-05-10 11:27 . 2011-05-10 11:27 -------- d-----w- c:\program files\AVAST Software

2011-05-10 11:27 . 2011-05-10 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-05-09 19:55 . 2011-05-09 19:55 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Malwarebytes

2011-05-04 21:00 . 2011-05-04 21:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2011-05-04 20:31 . 2011-05-04 20:31 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2011-05-03 18:38 . 2011-05-03 18:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-05-03 13:12 . 2011-05-03 13:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-05-03 11:19 . 2011-05-04 13:46 0 ----a-w- c:\windows\Ayojutilesolasiw.bin

2011-05-02 22:03 . 2011-05-03 12:48 -------- d-----w- c:\documents and settings\Mobile\Application Data\2949CC0FA79A180594C05B9863D99BE0

2011-05-01 20:50 . 2008-12-13 15:56 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2011-05-01 20:50 . 2008-12-13 15:55 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-05-01 20:50 . 2008-12-13 15:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-04-27 22:05 . 2011-04-27 22:05 -------- d-----w- c:\program files\GM

2011-04-27 22:01 . 2011-04-27 22:07 -------- d-----w- c:\documents and settings\Mobile\sps

2011-04-27 22:00 . 2011-04-27 22:00 -------- d-----w- c:\documents and settings\Mobile\sas

2011-04-27 21:59 . 2011-04-27 21:59 -------- d-----w- c:\documents and settings\Mobile\snapshot

2011-04-27 21:00 . 2011-04-27 21:00 -------- d-----w- c:\documents and settings\Mobile\tech2view

2011-04-27 20:54 . 2011-04-27 20:54 -------- d-----w- c:\documents and settings\Mobile\diag

2011-04-27 20:40 . 2011-04-27 20:40 -------- d-----w- C:\PCMCIA_COPY

2011-04-27 20:40 . 2009-06-08 14:27 48832 ----a-w- c:\windows\system32\drivers\evserial.sys

2011-04-27 20:39 . 2011-04-27 20:39 -------- d-----w- c:\program files\General Motors

2011-04-27 20:38 . 2011-04-27 20:53 -------- d-----w- c:\documents and settings\Mobile\swdl

2011-04-27 20:35 . 2011-04-27 21:58 -------- d-----w- c:\documents and settings\Mobile\.rts

2011-04-27 20:31 . 2011-04-27 20:31 -------- d-----w- c:\documents and settings\All Users\.dls

2011-04-27 20:31 . 2011-04-27 20:33 -------- d-----w- c:\program files\GDS

2011-04-27 20:30 . 2011-04-27 20:31 -------- d-----w- c:\documents and settings\All Users\.t2web

2011-04-27 20:30 . 2011-04-27 20:30 -------- d-----w- c:\documents and settings\Mobile\.gdsweblaunch

2011-04-27 00:39 . 2001-10-22 02:20 126976 ----a-w- c:\windows\system32\spnsrvnt.exe

2011-04-27 00:39 . 2001-04-06 06:11 20288 ----a-w- c:\windows\system32\drivers\SNTNLUSB.SYS

2011-04-27 00:39 . 2001-04-06 06:11 73216 ----a-w- c:\windows\system32\drivers\SENTINEL.SYS

2011-04-27 00:39 . 2001-04-06 06:11 49152 ----a-w- c:\windows\system32\SNTI386.DLL

2011-04-27 00:39 . 2011-04-27 00:39 -------- d-----w- c:\windows\system32\RNBOSENT

2011-04-27 00:39 . 2011-04-27 00:54 -------- d-----w- c:\program files\GlobalTIS

2011-04-27 00:39 . 2011-04-27 00:46 -------- d--h--w- c:\program files\Zero G Registry

2011-04-27 00:37 . 2011-04-27 00:37 -------- d--h--w- c:\documents and settings\Mobile\InstallAnywhere

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-22 23:34 . 2010-11-11 18:24 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-03-07 05:31 . 2010-08-15 19:09 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2008-12-13 15:53 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:27 . 2008-12-13 15:53 1866880 ----a-w- c:\windows\system32\win32k.sys

2011-03-03 06:53 . 2011-03-03 06:53 149504 ----a-w- c:\windows\system32\SET1A.tmp

2011-02-22 23:06 . 2011-04-17 14:31 602112 ----a-w- c:\windows\system32\SET123.tmp

2011-02-22 23:06 . 2011-04-17 14:31 55296 ----a-w- c:\windows\system32\SET122.tmp

2011-02-22 23:06 . 2011-04-17 14:31 916480 ----a-w- c:\windows\system32\SET11C.tmp

2011-02-22 23:06 . 2011-04-17 14:31 1210880 ----a-w- c:\windows\system32\SET11D.tmp

2011-02-22 23:06 . 2011-04-17 14:31 5962240 ----a-w- c:\windows\system32\SET121.tmp

2011-02-22 23:06 . 2008-12-13 15:53 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06 . 2008-12-13 15:52 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06 . 2008-04-14 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-02-22 23:06 . 2011-04-17 14:31 1991680 ----a-w- c:\windows\system32\SET127.tmp

2011-02-22 23:06 . 2011-04-17 14:31 11080704 ----a-w- c:\windows\system32\SET129.tmp

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-12-11 2610608]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]

"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]

"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\Mobile\Start Menu\Programs\Startup\

TalkTalk Setup CD Reporting Tool.exe [2010-8-2 725768]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth Monitor.lnk - c:\program files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2010-8-15 69632]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-12-01 18:17 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-1706-8086-444553544016}]

@="USB sChip"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=

"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"9322:TCP"= 9322:TCP:EKDiscovery

"5353:UDP"= 5353:UDP:Bonjour Port 5353

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [10/05/2011 12:28 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/05/2011 12:28 307928]

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [01/04/2010 00:11 33824]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/05/2011 12:28 19544]

R2 GLOBALTISTB;GLOBALTISTB;c:\progra~1\GLOBAL~1\TRANSB~1\tbmux32.exe [27/04/2011 01:39 413696]

R2 GlobalTISTC6;GlobalTIS_TC6;c:\program files\GlobalTIS\tomcat\bin\tomcat6.exe [27/04/2011 01:39 57344]

R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [10/10/2010 22:33 5152]

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [13/09/2010 18:18 308656]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [08/06/2009 15:27 24768]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\System\CPL Bonus\Vcdrom.sys --> c:\program files\System\CPL Bonus\Vcdrom.sys [?]

S3 CYUSB;UPA-USB Driver;c:\windows\system32\drivers\UPAUSB.sys [17/11/2010 03:45 39936]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [15/08/2010 22:48 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [15/08/2010 22:48 8456]

S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [27/04/2011 21:40 48832]

S3 FTD2XX;BMW Scanner SYS device driver;c:\windows\system32\drivers\FTD2XX.sys [15/12/2005 13:27 34639]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - uphcleanhlp

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.digital-kaos.co.uk/forums/f149/

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-23 21:36

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,7a,13,53,d0,8f,eb,4d,83,85,91,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,7a,13,53,d0,8f,eb,4d,83,85,91,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5da136b2-e6e6-4560-8955-dfe1ddc75385}]

@Denied: (Full) (Everyone)

"Model"=dword:00000036

"Therad"=dword:00000011

"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,

4b,7b,ad,04,7a,b1,b5,76,9b,27,47,ad,91,56,c8,52,62,22,f2,a9,ac,3f,1d,1f,c8,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):7a,93,84,59,2c,f8,6d,7c,1c,c2,ff,43,0b,d1,a2,26,bd,16,a6,aa,ad,

c2,2b,bb,70,3e,b4,5e,3f,f8,7f,ef,be,59,37,b3,4c,b3,49,59,00,00,00,00,00,00,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(916)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

.

- - - - - - - > 'explorer.exe'(2660)

c:\windows\system32\WININET.dll

c:\windows\system32\MSCTF.dll

c:\program files\Internet Download Manager\idmmkb.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\program files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\RTHDCPL.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\spnsrvnt.exe

c:\program files\UPHClean\uphclean.exe

c:\windows\system32\wscntfy.exe

c:\program files\Internet Download Manager\IEMonitor.exe

.

**************************************************************************

.

Completion time: 2011-05-23 21:42:56 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-23 20:42

ComboFix2.txt 2011-05-22 21:10

ComboFix3.txt 2011-05-22 17:14

ComboFix4.txt 2011-05-22 13:16

.

Pre-Run: 23,908,245,504 bytes free

Post-Run: 23,900,852,224 bytes free

.

- - End Of File - - 2A3A23EFDA3027C225AC0829983AE804


Running ComboFix was a good thing, as it disinfected one more driver. Okay, if you want that file back for BMW Scanner and so forth, please do the following:

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

KILLALL::
Dequarantine::
C:\Qoobox\Quarantine\c:\bmwscan140\BMWScan140.exe
Quit::

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


Hi Kenny

Glad I hadn't given you loads more work after my last post..

Just for info: after I ran OTC a lot of files reappeared in c:/root, including my boot.ini file,

and I was finally able to reset my 30 second boot timeout... :rolleyes: :rolleyes:

Now I followed the instructions clearly this time..

and here is the log..

ComboFix 11-05-21.03 - Mobile 23/05/2011 22:32:34.5.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.479 [GMT 1:00]

Running from: c:\documents and settings\Mobile\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Mobile\Desktop\CFScript_2.txt

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))

.

.

2011-05-23 20:10 . 2011-05-23 20:10 -------- d-----w- C:\_OTM

2011-05-22 23:47 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-22 23:47 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-22 23:47 . 2011-05-22 23:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-22 23:35 . 2011-05-22 23:35 -------- d-----w- c:\program files\Common Files\Java

2011-05-22 23:35 . 2011-05-22 23:34 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-22 23:18 . 2011-05-23 12:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2011-05-22 22:33 . 2011-05-22 22:33 -------- d-----w- c:\documents and settings\Mobile\Local Settings\Application Data\MigWiz

2011-05-10 22:14 . 2011-05-10 22:37 -------- d-----w- C:\SDFix

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\system32\xircom

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\system32\wbem\snmp

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\windows\srchasst

2011-05-10 21:55 . 2011-05-10 21:55 -------- d-----w- c:\program files\microsoft frontpage

2011-05-10 21:43 . 2011-05-10 21:43 578560 ----a-w- c:\windows\system32\dllcache\user32.dll

2011-05-10 21:31 . 2011-05-10 21:32 -------- d-----w- c:\windows\ERUNT

2011-05-10 17:51 . 2011-05-11 00:28 -------- d-----w- c:\documents and settings\Administrator

2011-05-10 11:28 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-05-10 11:28 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-05-10 11:28 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-05-10 11:28 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-05-10 11:28 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-05-10 11:28 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-05-10 11:28 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-05-10 11:28 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-05-10 11:28 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr

2011-05-10 11:28 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-05-10 11:27 . 2011-05-10 11:27 -------- d-----w- c:\program files\AVAST Software

2011-05-10 11:27 . 2011-05-10 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-05-09 19:55 . 2011-05-09 19:55 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Malwarebytes

2011-05-04 21:00 . 2011-05-04 21:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2011-05-04 20:31 . 2011-05-04 20:31 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2011-05-03 18:38 . 2011-05-03 18:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-05-03 13:12 . 2011-05-03 13:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-05-03 11:19 . 2011-05-04 13:46 0 ----a-w- c:\windows\Ayojutilesolasiw.bin

2011-05-02 22:03 . 2011-05-03 12:48 -------- d-----w- c:\documents and settings\Mobile\Application Data\2949CC0FA79A180594C05B9863D99BE0

2011-05-01 20:50 . 2008-12-13 15:56 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2011-05-01 20:50 . 2008-12-13 15:55 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-05-01 20:50 . 2008-12-13 15:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-04-27 22:05 . 2011-04-27 22:05 -------- d-----w- c:\program files\GM

2011-04-27 22:01 . 2011-04-27 22:07 -------- d-----w- c:\documents and settings\Mobile\sps

2011-04-27 22:00 . 2011-04-27 22:00 -------- d-----w- c:\documents and settings\Mobile\sas

2011-04-27 21:59 . 2011-04-27 21:59 -------- d-----w- c:\documents and settings\Mobile\snapshot

2011-04-27 21:00 . 2011-04-27 21:00 -------- d-----w- c:\documents and settings\Mobile\tech2view

2011-04-27 20:54 . 2011-04-27 20:54 -------- d-----w- c:\documents and settings\Mobile\diag

2011-04-27 20:40 . 2011-04-27 20:40 -------- d-----w- C:\PCMCIA_COPY

2011-04-27 20:40 . 2009-06-08 14:27 48832 ----a-w- c:\windows\system32\drivers\evserial.sys

2011-04-27 20:39 . 2011-04-27 20:39 -------- d-----w- c:\program files\General Motors

2011-04-27 20:38 . 2011-04-27 20:53 -------- d-----w- c:\documents and settings\Mobile\swdl

2011-04-27 20:35 . 2011-04-27 21:58 -------- d-----w- c:\documents and settings\Mobile\.rts

2011-04-27 20:31 . 2011-04-27 20:31 -------- d-----w- c:\documents and settings\All Users\.dls

2011-04-27 20:31 . 2011-04-27 20:33 -------- d-----w- c:\program files\GDS

2011-04-27 20:30 . 2011-04-27 20:31 -------- d-----w- c:\documents and settings\All Users\.t2web

2011-04-27 20:30 . 2011-04-27 20:30 -------- d-----w- c:\documents and settings\Mobile\.gdsweblaunch

2011-04-27 00:39 . 2001-10-22 02:20 126976 ----a-w- c:\windows\system32\spnsrvnt.exe

2011-04-27 00:39 . 2001-04-06 06:11 20288 ----a-w- c:\windows\system32\drivers\SNTNLUSB.SYS

2011-04-27 00:39 . 2001-04-06 06:11 73216 ----a-w- c:\windows\system32\drivers\SENTINEL.SYS

2011-04-27 00:39 . 2001-04-06 06:11 49152 ----a-w- c:\windows\system32\SNTI386.DLL

2011-04-27 00:39 . 2011-04-27 00:39 -------- d-----w- c:\windows\system32\RNBOSENT

2011-04-27 00:39 . 2011-04-27 00:54 -------- d-----w- c:\program files\GlobalTIS

2011-04-27 00:39 . 2011-04-27 00:46 -------- d--h--w- c:\program files\Zero G Registry

2011-04-27 00:37 . 2011-04-27 00:37 -------- d--h--w- c:\documents and settings\Mobile\InstallAnywhere

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-22 23:34 . 2010-11-11 18:24 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-03-07 05:31 . 2010-08-15 19:09 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2008-12-13 15:53 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:27 . 2008-12-13 15:53 1866880 ----a-w- c:\windows\system32\win32k.sys

2011-03-03 06:53 . 2011-03-03 06:53 149504 ----a-w- c:\windows\system32\SET1A.tmp

2011-02-22 23:06 . 2011-04-17 14:31 602112 ----a-w- c:\windows\system32\SET123.tmp

2011-02-22 23:06 . 2011-04-17 14:31 55296 ----a-w- c:\windows\system32\SET122.tmp

2011-02-22 23:06 . 2011-04-17 14:31 916480 ----a-w- c:\windows\system32\SET11C.tmp

2011-02-22 23:06 . 2011-04-17 14:31 1210880 ----a-w- c:\windows\system32\SET11D.tmp

2011-02-22 23:06 . 2011-04-17 14:31 5962240 ----a-w- c:\windows\system32\SET121.tmp

2011-02-22 23:06 . 2008-12-13 15:53 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06 . 2008-12-13 15:52 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06 . 2008-04-14 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-02-22 23:06 . 2011-04-17 14:31 1991680 ----a-w- c:\windows\system32\SET127.tmp

2011-02-22 23:06 . 2011-04-17 14:31 11080704 ----a-w- c:\windows\system32\SET129.tmp

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-12-11 2610608]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]

"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]

"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\Mobile\Start Menu\Programs\Startup\

TalkTalk Setup CD Reporting Tool.exe [2010-8-2 725768]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth Monitor.lnk - c:\program files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2010-8-15 69632]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2010-12-01 18:17 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-1706-8086-444553544016}]

@="USB sChip"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=

"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=

"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"9322:TCP"= 9322:TCP:EKDiscovery

"5353:UDP"= 5353:UDP:Bonjour Port 5353

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [10/05/2011 12:28 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/05/2011 12:28 307928]

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [01/04/2010 00:11 33824]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/05/2011 12:28 19544]

R2 GLOBALTISTB;GLOBALTISTB;c:\progra~1\GLOBAL~1\TRANSB~1\tbmux32.exe [27/04/2011 01:39 413696]

R2 GlobalTISTC6;GlobalTIS_TC6;c:\program files\GlobalTIS\tomcat\bin\tomcat6.exe [27/04/2011 01:39 57344]

R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [10/10/2010 22:33 5152]

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [13/09/2010 18:18 308656]

R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [08/06/2009 15:27 24768]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\System\CPL Bonus\Vcdrom.sys --> c:\program files\System\CPL Bonus\Vcdrom.sys [?]

S3 CYUSB;UPA-USB Driver;c:\windows\system32\drivers\UPAUSB.sys [17/11/2010 03:45 39936]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [15/08/2010 22:48 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [15/08/2010 22:48 8456]

S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [27/04/2011 21:40 48832]

S3 FTD2XX;BMW Scanner SYS device driver;c:\windows\system32\drivers\FTD2XX.sys [15/12/2005 13:27 34639]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - uphcleanhlp

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.digital-kaos.co.uk/forums/f149/

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-23 22:44

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,7a,13,53,d0,8f,eb,4d,83,85,91,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,7a,13,53,d0,8f,eb,4d,83,85,91,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5da136b2-e6e6-4560-8955-dfe1ddc75385}]

@Denied: (Full) (Everyone)

"Model"=dword:00000036

"Therad"=dword:00000011

"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,

4b,7b,ad,04,7a,b1,b5,76,9b,27,47,ad,91,56,c8,52,62,22,f2,a9,ac,3f,1d,1f,c8,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):7a,93,84,59,2c,f8,6d,7c,1c,c2,ff,43,0b,d1,a2,26,bd,16,a6,aa,ad,

c2,2b,bb,70,3e,b4,5e,3f,f8,7f,ef,be,59,37,b3,4c,b3,49,59,00,00,00,00,00,00,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(916)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

.

- - - - - - - > 'explorer.exe'(3924)

c:\windows\system32\WININET.dll

c:\windows\system32\MSCTF.dll

c:\program files\Internet Download Manager\idmmkb.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\AVAST Software\Avast\AvastSvc.exe

c:\windows\RTHDCPL.EXE

c:\program files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\spnsrvnt.exe

c:\program files\UPHClean\uphclean.exe

c:\windows\system32\wscntfy.exe

c:\program files\Internet Download Manager\IEMonitor.exe

.

**************************************************************************

.

Completion time: 2011-05-23 22:49:45 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-23 21:49

ComboFix2.txt 2011-05-23 20:42

ComboFix3.txt 2011-05-22 21:10

ComboFix4.txt 2011-05-22 17:14

ComboFix5.txt 2011-05-23 21:30

.

Pre-Run: 23,902,949,376 bytes free

Post-Run: 23,896,240,128 bytes free

.

- - End Of File - - 29BD362025313DE1F16AD6F450CC6C46


I'm sorry Jule. I left out vir in the CFScript. Let's do it one more time, and the last time.... :D..... :)

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and paste everything from the code box into Notepad:

KILLALL:: 
Dequarantine::
C:\Qoobox\Quarantine\C\BMWScan140\BMWScan140.exe.vir
Quit::

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Hi

First a Massive Thanks to you Kenny. :D

Everything seems perfect.. even bmwscan..

I have to be honest and say that until now my view of infections was a little bit relaxed,

yes they were a pain, but with the aid of a good AV, Malwarebytes, watching processes in Task Manager and Google

all helped in cleaning PCs of these annoying little things..

but I think I need to pay a little bit more attention to PC housekeeping nowadays

But I was absolutely stuck on this one, and without your kind assistance, I would have had to format the machine..

THANK YOU KENNY

Regards Julez...................
