Win32 ZBOT.E


Post by Basacag » December 17th, 2010, 6:20 pm

Hi

I had an issue with my PC running so slow and locking up. I ran AVG antivirus in safe mode and it seems to have taken a ridiculous amount of files into the virus vault.
The virus was win32 zbot.e and generic trojan.

I also ran trojan remover and malware bytes.

My PC currently runs but often when I go to start something a .dll file is missing, located in the virus vault.

I had posted some additional files but they seem to have gone AWOL and my original post closed.

Please help.

Thanks
Ian


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:18:39, on 17/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\nvsvc32.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\NMSAccess.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.EXE
C:\Windows\SOUNDMAN.EXE
C:\Windows\system32\RUNDLL32.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
D:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Outlook Express\Msimn.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe
O2 - BHO: ALOT Toolbar Helper - {14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} - C:\Program Files\alot\bin\BHO\alotBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin0.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O2 - BHO: ChromeFrame BHO - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome Frame\Application\8.0.552.224\npchrome_frame.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin0.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [RegistryBooster] "C:\Program Files\Uniblue\RegistryBooster\launcher.exe" delay 20000
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-21-839522115-413027322-682003330-1008\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (User '?')
O4 - HKUS\S-1-5-21-839522115-413027322-682003330-1008\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot (User '?')
O4 - HKUS\S-1-5-21-839522115-413027322-682003330-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-839522115-413027322-682003330-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-839522115-413027322-682003330-1008\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-21-839522115-413027322-682003330-1008\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: The Gaming Club Poker - {A18AC347-2CA3-4e5d-AB86-33BFC7EEB931} - C:\Program Files\gamingclubMPP\MPPoker.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (file missing)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://www.photographersdirect.com
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus1.firstdirec ... doorFD.cab
O16 - DPF: {1B735B98-8010-11D5-AD0B-00500463D885} (SearchCD Control) - http://www.partsarena.com/baxi/Plugins/IMIESRCH.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {36C17E9B-3354-11D1-95CF-0000B4530F04} (GrafixViewControl) - http://www.partsarena.com/baxi/Plugins/GFXVIEW.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .2.100.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mci ... insctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b55762.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome Frame\Application\8.0.552.224\npchrome_frame.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\Windows\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\System32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Update Service (gupdate1c9c1e1ceb09090) (gupdate1c9c1e1ceb09090) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
O23 - Service: Iomega App Services - Unknown owner - C:\PROGRA~1\Iomega\System32\AppServices.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: NMSAccess - Unknown owner - C:\WINDOWS\system32\NMSAccess.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Unknown owner - C:\Program Files\Iomega\AutoDisk\ADService.exe (file missing)

--
End of file - 16833 bytes


7-Zip 4.65
Acrobat.com
Acrobat.com
Acronis True Image WD Edition
Active Disk
Adobe AIR
Adobe AIR
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Premiere Elements 3.0
Adobe Premiere Elements 3.0
Adobe Premiere Elements 3.0 Templates
Adobe Reader X
Adobe Shockwave Player 11
Adventure Tools
ALOT Toolbar
Amazon MP3 Downloader 1.0.8
Apple Application Support
Apple Software Update
ArcSoft TotalMedia
ATI Display Driver
AVG 2011
AVG 2011
AVG 2011
Azureus
CANON iMAGE GATEWAY Drag And Drop Upload Plugin
CC2-Pro
CCG Workshop's gatlingEngine for White Wolf
Chaos-League
Character Builder
Cheetah DVD Burner
City Designer Pro
C-Media 3D Audio
C-Media WDM Audio Driver
Combat Chess
Compatibility Pack for the 2007 Office system
Compete V2.2
Conduit Engine
Creative Jukebox Driver
Critical Update for Windows Media Player 11 (KB959772)
D-Fend v2
Dungeon Designer Pro
EPSON CardMonitor
EPSON Copy Utility 3
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Smart Panel
EPSON Web-To-Page
ESPRX620 Series Reference Guide
ESPRX620 Software Guide
eTools
Football Manager 2010
Form Fill (Windows Live Toolbar)
Freecycle Internet Explorer Plugin
Garmin City Navigator Europe NT 2010.20 Update
Garmin Communicator Plugin
Garmin POI Loader
Garmin USB Drivers
getPlus(R)_ocx
Gitarrero Beginner 1.1 Demo
Google Chrome
Google Chrome Frame
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Guild Wars
Half-Life(R) 2
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HiJackThis
HOE Character Generator
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
IGN Download Manager 2.3.2
Intel(R) 536EP Modem
InterVideo WinDVD Media Center
IomegaWare 4.0.2
Jalbum
Java 2 SDK, SE v1.4.2_15
Java(TM) 6 Update 14
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Junk Mail filter update
LaCie USB2 Storage Driver
Loco-Commotion
Logitech Legacy USB Camera Driver Package
Logitech QuickCam
Logitech QuickCam Driver Package
Logitech SetPoint
Logitech Updater
Magic DVD Ripper V5.5.0
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
McAfee Security Scan Plus
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2000 Standard
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.3
Microsoft Office XP Professional with FrontPage
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Monopoly 3
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Manager
Napster for Windows Media Player
Nero - Burning Rom
Network Play System (Patching)
NVIDIA Drivers
NVIDIA Windows 2000/XP nForce Drivers
OneCare Advisor (Windows Live Toolbar)
OpenRPG (Remove Only)
ParetoLogic PC Health Advisor
PartyPoker
Paydirt
PC-Rail Didcot
PC-Rail Ely North Junction
PC-Rail Leicester
PC-Rail Liverpool Lime St
PC-Rail Liverpool Lime St
PC-Rail Reading
PC-Rail Reading
PC-Rail System Files
Plumbing Level 2 Revision
Popup Blocker (Windows Live Toolbar)
PowerDVD
PSP ISO Compressor
Python 2.5
QuickTime
Rapport
Rapport
Raptr
RealPlayer
RealUpgrade 1.0
RedShift 5
Registry Mechanic 6.0
ScanToWeb
SCRABBLE
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Serif PagePlus 8.0
Sid Meier's Civilization 4
Sid Meier's Railroads!
SideWinder Game Pad Pro
SigmaTel MSCN Audio Player
Skype™ 4.0
slot-it 3D v2.0 RC2
Smart Menus (Windows Live Toolbar)
SpaceCAD 3.1.1
SpywareBlaster v3.5.1
Steam
Symbol Set 2 - Fantasy Floorplans
TeamViewer 4
TextPad 5
The Operational Art of War, Vol. I
The Sims Livin' it up
Tous les circuits
TRACKCreator3D v2.0.1
Trojan Remover 6.8.2
ubi.com
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Uplink (remove only)
Ventrilo Client
VideoLAN VLC media player 0.8.6i
Vuze
War Room 1, 0, 1, 0
WD Align - Powered by Acronis
WIDCOMM Bluetooth Software
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Family Safety
Windows Live Favorites for Windows Live Toolbar
Windows Live Mail
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinUAE 2.2.0
Worms World Party
wxPython 2.8.1.1 (unicode) for Python 2.5
Xfire (remove only)
XoftSpy
XviD 1.1 final uninstall
Basacag
Regular Member
 
Posts: 32
Joined: December 9th, 2010, 4:25 pm
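As an added example (not code from the forum post, from HijackThis, or from MalwareRemoval.com), here is a small Python parser for the HijackThis log format posted above. Each `R`/`F`/`O` line is split into its section tag, CLSID and file path, and a few review rules are applied: entries whose registered file no longer exists (the `(no file)` / `(file missing)` lines a helper typically asks to be checked), a Winlogon `UserInit` value that launches anything besides `userinit.exe`, and, purely as information, services with no publisher string. The sample lines are copied from the log above plus two non-entry lines; the rules and the `remove` / `investigate` / `info` labels are this example's own assumptions, not anything HijackThis itself reports.

```python
"""Parse HijackThis-style log lines and flag entries that merit review.

Added example for this thread; it is not code from HijackThis, Trend Micro,
or MalwareRemoval.com. Review rules and severity labels are assumptions of
this example, not anything HijackThis itself reports.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entry lines copied from the log posted above, plus two
# lines from the "Running processes" section that are not R/F/O entries.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
"""

# "R1 - ...", "F2 - ...", "O23 - ...": a section tag, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str            # e.g. "O2"
    body: str               # everything after "O2 - "
    clsid: Optional[str]    # GUID if the line carries one
    path: Optional[str]     # last " - " separated field, usually the file
    dangling: bool          # HijackThis could not find the referenced file


@dataclass
class Finding:
    severity: str           # "remove", "investigate" or "info" (assumed labels)
    section: str
    reason: str
    line: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an R/F/O line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    fields = [f.strip() for f in body.split(" - ")]
    path = fields[-1] if len(fields) > 1 else None
    dangling = body.endswith("(no file)") or body.endswith("(file missing)")
    return Entry(section, body, clsid.group(0) if clsid else None, path, dangling)


def parse_log(text: str) -> List[Entry]:
    """Parse every line of a log, silently skipping non-entry lines."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def review(entries: List[Entry]) -> List[Finding]:
    """Apply three review rules (assumed for this example) to parsed entries."""
    findings: List[Finding] = []
    for e in entries:
        # 1. A registered hook/BHO/toolbar whose file is gone does nothing useful
        #    and is the usual first candidate for cleanup.
        if e.dangling:
            findings.append(Finding("remove", e.section,
                                    "registered component whose file is absent", e.body))
        # 2. Winlogon's UserInit value normally names only userinit.exe; any
        #    additional program in the comma-separated list runs at every logon.
        if e.section == "F2" and "UserInit=" in e.body:
            value = e.body.split("UserInit=", 1)[1]
            programs = [p.strip().lower() for p in value.split(",") if p.strip()]
            extra = [p for p in programs if not p.endswith("\\userinit.exe")]
            if extra:
                findings.append(Finding("investigate", e.section,
                                        "UserInit runs more than userinit.exe: " + "; ".join(extra),
                                        e.body))
        # 3. A service with no publisher string is only informational: many
        #    legitimate drivers (the ATI entry above) lack one too.
        if e.section == "O23" and "Unknown owner" in e.body:
            findings.append(Finding("info", e.section,
                                    "service without a publisher string", e.body))
    return findings


def severity_counts(text: str) -> dict:
    """Tally findings per severity for a whole log text."""
    counts = {"remove": 0, "investigate": 0, "info": 0}
    for f in review(parse_log(text)):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"[{f.severity:11}] {f.section:4} {f.reason}\n    {f.line}")
```

Run on the sample, the parser yields seven entries and the review flags the three dangling R3/O2 lines for removal, the `UserInit` line for investigation because it launches a second executable after `userinit.exe`, and the ATI service as informational only. The rules deliberately say nothing about whether a flagged file is malicious; that judgement stays with the person reading the log.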

Re: Win32 ZBOT.E

Post by askey127 » December 20th, 2010, 2:11 pm

Hi Basacag,
Sorry for the delay.
If you still need help and are not receiving it elsewhere, please proceed as follows:
Quite a few tasks to do here, but just take them one at a time, in the order given.
-----------------------------------------------
Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs
It is posted here: http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394
As a condition of receiving our help, I have included the P2P programs Azureus and Vuze Toolbar in the removal instructions below, so we are not wasting our time.
If you have used these, you can be fairly confident this is a principal reason your computer is infected.

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Frostwire, Limewire, Vuze, Shareaza, Bitlord.
(Limewire has just been shut down by the courts).
Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Some of the recent infections can turn your machine into a doorstop.
---------------------------------------------------------
The analytical tools we use do not work properly with AVG installed.
For this reason and others, we will be Removing your AVG antivirus in the following instructions, and replacing it with something else.
-----------------------------------------------------------
We will be installing updates for other programs later.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: ALOT Toolbar Helper - {14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} - C:\Program Files\alot\bin\BHO\alotBHO.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin0.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin0.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O4 - HKCU\..\Run: [RegistryBooster] "C:\Program Files\Uniblue\RegistryBooster\launcher.exe" delay 20000
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O9 - Extra button: The Gaming Club Poker - {A18AC347-2CA3-4e5d-AB86-33BFC7EEB931} - C:\Program Files\gamingclubMPP\MPPoker.exe
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://www.photographersdirect.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b55762.cab
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
-----------------------------------------------
Download Antivir Free
This program is free for personal, non-business use.
Download AntiVir Free from here : http://www.softpedia.com/get/Antivirus/AntiVir-Personal-Edition.shtml
Save the Installer to your desktop, but don't run it yet.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

ALOT Toolbar
AVG 2011
Azureus
Conduit Engine
Java 2 SDK, SE v1.4.2_15
Java(TM) 6 Update 14
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
McAfee Security Scan Plus
ParetoLogic PC Health Advisor
PartyPoker
Registry Mechanic 6.0
Trojan Remover 6.8.2
XoftSpy

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------
Install Antivir
Double Click the Avira Antivir Installer on your desktop, and Install the program.
-----------------------------------------------
Update and Scan with Antivir
Right click the red umbrella icon and choose Start Antivir.
When the window comes up click Start Update.
When the update is complete, click on Scan System Now.
This full scan could take an hour or more. Have it fix anything it finds.
-----------------------------------------------
Get Last Avira Report
Right click the red umbrella icon in the system tray and click Start Antivir
In the left pane, click Overview, then click Reports
There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan.
Click on the Report File button, or Right click the report and choose Display Report.
The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
Paste the contents (Ctrl+V) into your next reply.

askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
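As an added example (not part of this thread and not HijackThis's own code), the Python script below parses scan entries in the one-line format HijackThis prints and applies a few of the checks a helper applies by eye when deciding which entries to tick: entries whose target file is gone, unnamed browser add-ons, sites added to the IE Trusted Zone, a changed proxy override, startup shortcuts whose target cannot be resolved, and ActiveX controls downloaded from the web (DPF). The sample entries are constructed for this example and modelled on the ones in the post above (the DPF URL is a placeholder); the reason strings and the rules themselves are assumptions of the example, not something HijackThis reports.

```python
"""Triage of HijackThis scan entries (added example, not HijackThis code).

HijackThis prints one entry per line: a prefix (R1, O2, O4, ...) naming the
registry area, then a description, usually a CLSID, and the file it points at.
The checks below encode a few of the rules a helper applies by hand; they are
assumptions of this example, not part of the tool, and a hit means "look at
this", not "this is malware".
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample log modelled on the entries above. The DPF URL is a
# placeholder, not a real download location.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin0.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [RegistryBooster] "C:\Program Files\Uniblue\RegistryBooster\launcher.exe" delay 20000
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O15 - Trusted Zone: http://www.photographersdirect.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://example.invalid/placeholder.cab
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
"""

# A scan entry: a letter, one or two digits, " - ", then the rest of the line.
ENTRY_RE = re.compile(r"^(?P<prefix>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Entry:
    prefix: str
    body: str


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[Entry]:
    """Return the scan entries in `text`; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("prefix"), m.group("body")))
    return entries


def assess(entry: Entry) -> List[str]:
    """Reasons an entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    body = entry.body
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        reasons.append("orphaned: points at a file that no longer exists")
    if entry.prefix in ("O2", "O3") and "(no name)" in body:
        reasons.append("unnamed browser add-on (BHO/toolbar)")
    if entry.prefix == "O15":
        reasons.append("site in the IE Trusted Zone: browser protections are relaxed for it")
    if entry.prefix == "R1" and "ProxyOverride" in body:
        reasons.append("IE proxy override set; confirm it is expected")
    if entry.prefix == "O4" and body.endswith("= ?"):
        reasons.append("startup shortcut whose target could not be resolved")
    if entry.prefix == "O16":
        reasons.append("ActiveX control downloaded from the web (DPF)")
    return reasons


def triage(text: str) -> List[Finding]:
    """Parse a log and return only the entries with at least one reason."""
    findings = []
    for entry in parse_entries(text):
        reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


def report(text: str) -> str:
    """Human-readable version of triage(), one entry per block."""
    lines = []
    for f in triage(text):
        lines.append(f"{f.entry.prefix} - {f.entry.body}")
        lines.extend(f"    -> {r}" for r in f.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it on a pasted log and it prints the entries worth a second look with the rule that fired; the two entries it stays quiet about in the sample (the Conduit BHO and the RegistryBooster Run key) are ones a helper removes on other grounds, such as the program list, which is why a heuristic pass like this narrows the list but does not replace the review.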

Re: Win32 ZBOT.E

Unread postby Basacag » December 21st, 2010, 12:06 pm

Hi askey127

The HijackThis scan is complete. Items fixed OK. Reboot OK.

Antivir sits on my desktop in eager anticipation.

Where it went wrong was in the removal process.

AVG 2011 - no reaction to the button click
Azureus - The JVM could not be started. The maximum heap size (-Xmx) might be too large or an antivirus or firewall tool could block the execution.

Conduit Engine - no reaction to the button click

All the below Java stuff gave me Fatal error during installation.

Java(TM) 6 Update 14
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1


Everything else on the list was removed successfully.

I have not installed Antivir given the failures mentioned.

Cheers

Ian
Basacag
Regular Member
Posts: 32
Joined: December 9th, 2010, 4:25 pm

Re: Win32 ZBOT.E

Unread postby askey127 » December 21st, 2010, 12:53 pm

Basacag,
Your machine has serious problems. Try not to wait very long before responding.
------------------------------------------------
Download and Run Rkill
Please download and run the tool named Rkill, which may help in allowing other programs to run.
There are 4 different versions. If one of them won't run then download and try to run one of the other ones.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get ONE of these to run, not all of them. You may get warnings from your antivirus about any of these tools, ignore them or shutdown your antivirus.
Please download Rkill from one of the following links and save to your Desktop:
Rkill.exe
RKill.com
RKill.scr
Rkill.pif
  • Double-click on the Rkill desktop icon to run the tool.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If it does not, delete the desktop entry. Then download and use the one provided in the next link.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
--------------------------------------------
TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista - W7 users: Right-click and select "Run As Administrator".
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
    • If Cure is not offered as an option, choose Skip.
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).
  6. Copy and paste the contents of that file in your next reply.
If, for some reason, you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software after downloading but BEFORE running ComboFix.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVG
    Please open the AVG Control Center, by right clicking on the AVG icon in the task bar.
    • Click on Tools.
    • Select Advanced.
    • In the left hand pane, scroll down to "Resident Shield".
    • In the main pane, DESELECT the option to "Enable Resident Shield."
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts.
    When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • It will run through about 50 procedures, then take a while to assemble its output log.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then Reenable your AVG protection software
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.

So we are looking for the log from TDSSKiller, and the log from Combofix (zzz.exe)
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
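Step 5 above names the log TDSSKiller writes, and most of that log is an inventory of loaded kernel drivers, one per line with the service name, MD5 and file path. As an added example (not the thread's and not Kaspersky's code), the Python reader below parses those lines, skips the header and status lines, and lists drivers whose file lives outside the Windows directory, separating user-writable profile and temp locations from the rest, because that is where a helper looks first even when the tool itself reports nothing. A hit is a prompt to check the file, not a verdict; the legitimate Trusteer Rapport drivers in the sample show why. The sample lines are modelled on the log Basacag posts further down; the location check and the marker list are assumptions of this example.

```python
"""Reader for TDSSKiller's driver-inventory log lines (added example; not
Kaspersky's code and not part of the thread).

Each driver line in the log has the shape
    <yyyy/mm/dd> <hh:mm:ss.ffff> <ServiceName> (<md5>) <path to .sys>
Header lines ("Windows directory: ...", "Scan started", the ==== rules) share
the timestamp but carry no (md5) group, so the regex below ignores them.
The "outside the Windows directory" check is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

DRIVER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) "
    r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$"
)
WINDIR_RE = re.compile(r"\bWindows directory: (.+)$")

# Path fragments that mark user-writable locations (assumption of the example).
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\users\\",
    "\\temp\\",
)

# Constructed sample in TDSSKiller's log format, modelled on the log in this
# thread; a short excerpt is enough to exercise every branch below.
SAMPLE_LOG = r"""
2010/12/21 20:51:38.0859 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/21 20:51:38.0859 ================================================================================
2010/12/21 20:51:38.0859 Windows directory: C:\Windows
2010/12/21 20:51:52.0203 Scan started
2010/12/21 20:51:53.0781 ACPI (8fd99680a539792a30e97944fdaecf17) C:\Windows\system32\DRIVERS\ACPI.sys
2010/12/21 20:51:54.0125 AFD (7e775010ef291da96ad17ca4b17137d7) C:\Windows\System32\drivers\afd.sys
2010/12/21 20:52:03.0906 RapportCerberus_19917 (539fbdcff37a24102c507092b333ec2b) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys
2010/12/21 20:52:04.0078 RapportPG (c9b8a131aaf77d969cbc3987537b319d) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
2010/12/21 20:52:06.0218 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\Windows\system32\DRIVERS\tcpip.sys
"""


@dataclass
class Driver:
    name: str
    md5: str
    path: str


def parse_drivers(text: str) -> List[Driver]:
    """Return one Driver per inventory line; everything else is skipped."""
    drivers = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            drivers.append(Driver(m.group("name"), m.group("md5"), m.group("path")))
    return drivers


def windows_dir(text: str, default: str = r"C:\Windows") -> str:
    """Take the Windows directory from the log header, else use `default`."""
    for line in text.splitlines():
        m = WINDIR_RE.search(line)
        if m:
            return m.group(1).strip()
    return default


def review(text: str) -> List[Tuple[Driver, str]]:
    """Drivers whose file is outside the Windows directory, each with a reason."""
    root = windows_dir(text).lower().rstrip("\\") + "\\"
    hits = []
    for d in parse_drivers(text):
        p = d.path.lower()
        if p.startswith(root):
            continue  # under %SystemRoot%: the usual place, nothing to flag here
        if any(marker in p for marker in USER_WRITABLE_MARKERS):
            hits.append((d, "driver file in a user-writable profile/temp location"))
        else:
            hits.append((d, "driver file outside the Windows directory"))
    return hits


if __name__ == "__main__":
    for drv, why in review(SAMPLE_LOG):
        print(f"{drv.name:24} {drv.md5}  {drv.path}\n    -> {why}")
```

Feed it the whole TDSSKiller log and it prints only the drivers loaded from unusual places, with the MD5 beside each so the file can be checked against the vendor's copy; a file system path under a user profile is the stronger signal, since that is a location an ordinary user account can write to.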

Re: Win32 ZBOT.E

Unread postby Basacag » December 21st, 2010, 4:44 pm

OK, that does not sound good. I am on it right now. I'll let you know how it goes.

If this proves to be beyond help I do have two drives I copied onto these 1Gb drives a few months ago. I would probably lose some data but I can go back if necessary.
Basacag
Regular Member
Posts: 32
Joined: December 9th, 2010, 4:25 pm

Re: Win32 ZBOT.E

Unread postby Basacag » December 21st, 2010, 5:57 pm

Rkill ran but did not find anything.

2010/12/21 20:51:38.0859 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/21 20:51:38.0859 ================================================================================
2010/12/21 20:51:38.0859 SystemInfo:
2010/12/21 20:51:38.0859
2010/12/21 20:51:38.0859 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/21 20:51:38.0859 Product type: Workstation
2010/12/21 20:51:38.0859 ComputerName: UPSTAIRS
2010/12/21 20:51:38.0859 UserName: Ian Hayward
2010/12/21 20:51:38.0859 Windows directory: C:\Windows
2010/12/21 20:51:38.0859 System windows directory: C:\Windows
2010/12/21 20:51:38.0859 Processor architecture: Intel x86
2010/12/21 20:51:38.0859 Number of processors: 1
2010/12/21 20:51:38.0859 Page size: 0x1000
2010/12/21 20:51:38.0859 Boot type: Normal boot
2010/12/21 20:51:38.0859 ================================================================================
2010/12/21 20:51:39.0625 Initialize success
2010/12/21 20:51:52.0203 ================================================================================
2010/12/21 20:51:52.0203 Scan started
2010/12/21 20:51:52.0203 Mode: Manual;
2010/12/21 20:51:52.0203 ================================================================================
2010/12/21 20:51:53.0781 ACPI (8fd99680a539792a30e97944fdaecf17) C:\Windows\system32\DRIVERS\ACPI.sys
2010/12/21 20:51:53.0859 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\Windows\system32\drivers\ACPIEC.sys
2010/12/21 20:51:53.0921 aec (8bed39e3c35d6a489438b8141717a557) C:\Windows\system32\drivers\aec.sys
2010/12/21 20:51:53.0984 AegisP (91f3df93f40a74d222cd166fe95db633) C:\Windows\system32\DRIVERS\AegisP.sys
2010/12/21 20:51:54.0046 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\Windows\system32\drivers\Afc.sys
2010/12/21 20:51:54.0125 AFD (7e775010ef291da96ad17ca4b17137d7) C:\Windows\System32\drivers\afd.sys
2010/12/21 20:51:54.0296 alcan5ln (e8a3f72f644c0b57f8ab894d04b289d7) C:\Windows\system32\DRIVERS\alcan5ln.sys
2010/12/21 20:51:54.0406 alcaudsl (4c9577888c53243e2991456f510488a1) C:\Windows\system32\DRIVERS\alcaudsl.sys
2010/12/21 20:51:54.0515 ALCXWDM (a73c58f6214795044e49d4b120c89d9d) C:\Windows\system32\drivers\ALCXWDM.SYS
2010/12/21 20:51:54.0656 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\Windows\system32\DRIVERS\amdk7.sys
2010/12/21 20:51:54.0828 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/12/21 20:51:54.0859 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\Windows\system32\DRIVERS\atapi.sys
2010/12/21 20:51:54.0937 ati2mtaa (2d030c2f6b036ca0bc243e1b16d924d1) C:\Windows\system32\DRIVERS\ati2mtaa.sys
2010/12/21 20:51:55.0015 ati2mtag (cd35697cb6c7e081effa98f46023e10b) C:\Windows\system32\DRIVERS\ati2mtag.sys
2010/12/21 20:51:55.0109 Atmarpc (9916c1225104ba14794209cfa8012159) C:\Windows\system32\DRIVERS\atmarpc.sys
2010/12/21 20:51:55.0156 audstub (d9f724aa26c010a217c97606b160ed68) C:\Windows\system32\DRIVERS\audstub.sys
2010/12/21 20:51:55.0250 AVGIDSDriver (0c61f066f4d94bd67063dc6691935143) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys
2010/12/21 20:51:55.0281 AVGIDSEH (84853f800cd69252c3c764fe50d0346f) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
2010/12/21 20:51:55.0328 AVGIDSFilter (28d6adcd03e10f3838488b9b5d407dd4) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys
2010/12/21 20:51:55.0375 AVGIDSShim (0eb16f4dbbb946360af30d2b13a52d1d) C:\Windows\system32\DRIVERS\AVGIDSShim.Sys
2010/12/21 20:51:55.0421 Avgldx86 (1119e5bec6e749e0d292f0f84d48edba) C:\Windows\system32\DRIVERS\avgldx86.sys
2010/12/21 20:51:55.0453 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\Windows\system32\DRIVERS\avgmfx86.sys
2010/12/21 20:51:55.0500 Avgrkx86 (8da3b77993c5f354cc2977b7ea06d03a) C:\Windows\system32\DRIVERS\avgrkx86.sys
2010/12/21 20:51:55.0546 Avgtdix (2fd3e3a57fb90679a3a83eeed0360cfd) C:\Windows\system32\DRIVERS\avgtdix.sys
2010/12/21 20:51:55.0593 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\Windows\System32\Drivers\BANTExt.sys
2010/12/21 20:51:55.0671 BDA_Loader_225 (d6a7ba293c33b17a1173dde6a9574c03) C:\Windows\system32\Drivers\BDA_Loader_225.sys
2010/12/21 20:51:55.0703 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\Windows\system32\drivers\Beep.sys
2010/12/21 20:51:55.0765 BtAudio (db7e461605b3faf630f3ec268b66eb89) C:\Windows\system32\DRIVERS\btaudio.sys
2010/12/21 20:51:55.0796 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\Windows\system32\DRIVERS\BthEnum.sys
2010/12/21 20:51:55.0843 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\Windows\system32\DRIVERS\bthmodem.sys
2010/12/21 20:51:55.0875 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\Windows\system32\DRIVERS\bthpan.sys
2010/12/21 20:51:55.0937 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\Windows\system32\Drivers\BTHport.sys
2010/12/21 20:51:55.0984 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\Windows\system32\Drivers\BTHUSB.sys
2010/12/21 20:51:56.0046 BTKRNL (934ee1917aef78eca5cf942fa88e276f) C:\Windows\system32\drivers\btkrnl.sys
2010/12/21 20:51:56.0125 BTSERIAL (714eea676c397660f89eaf4da4d61223) C:\WINDOWS\system32\drivers\btserial.sys
2010/12/21 20:51:56.0171 BTSLBCSP (b9541fe11677fb625d3b63c761ac25b6) C:\WINDOWS\system32\drivers\btslbcsp.sys
2010/12/21 20:51:56.0234 BTWDNDIS (789852710f219a72d19ea97fa699dee5) C:\Windows\system32\DRIVERS\btwdndis.sys
2010/12/21 20:51:56.0343 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\Windows\system32\drivers\cbidf2k.sys
2010/12/21 20:51:56.0390 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\Windows\system32\DRIVERS\CCDECODE.sys
2010/12/21 20:51:56.0453 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\Windows\system32\drivers\Cdaudio.sys
2010/12/21 20:51:56.0500 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\Windows\system32\drivers\Cdfs.sys
2010/12/21 20:51:56.0546 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\Windows\system32\DRIVERS\cdrom.sys
2010/12/21 20:51:56.0671 cmuda (184e5a39186191b355d930029d30cd44) C:\Windows\system32\drivers\cmuda.sys
2010/12/21 20:51:56.0843 Disk (044452051f3e02e7963599fc8f4f3e25) C:\Windows\system32\DRIVERS\disk.sys
2010/12/21 20:51:56.0890 dmboot (d992fe1274bde0f84ad826acae022a41) C:\Windows\system32\drivers\dmboot.sys
2010/12/21 20:51:56.0953 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\Windows\system32\drivers\dmio.sys
2010/12/21 20:51:57.0000 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\Windows\system32\drivers\dmload.sys
2010/12/21 20:51:57.0046 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\Windows\system32\drivers\DMusic.sys
2010/12/21 20:51:57.0109 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\Windows\system32\drivers\drmkaud.sys
2010/12/21 20:51:57.0187 Fastfat (38d332a6d56af32635675f132548343e) C:\Windows\system32\drivers\Fastfat.sys
2010/12/21 20:51:57.0218 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\Windows\system32\DRIVERS\fdc.sys
2010/12/21 20:51:57.0265 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\Windows\system32\drivers\Fips.sys
2010/12/21 20:51:57.0281 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/12/21 20:51:57.0312 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\Windows\system32\drivers\fltmgr.sys
2010/12/21 20:51:57.0375 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\Windows\system32\DRIVERS\fssfltr_tdi.sys
2010/12/21 20:51:57.0406 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\Windows\system32\drivers\Fs_Rec.sys
2010/12/21 20:51:57.0437 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\Windows\system32\DRIVERS\ftdisk.sys
2010/12/21 20:51:57.0500 gameenum (065639773d8b03f33577f6cdaea21063) C:\Windows\system32\DRIVERS\gameenum.sys
2010/12/21 20:51:57.0546 GcKernel (72fe2bea6863d4eb93442a1c4fb5ca48) C:\Windows\system32\DRIVERS\GcKernel.sys
2010/12/21 20:51:57.0625 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\Windows\system32\DRIVERS\msgpc.sys
2010/12/21 20:51:57.0734 HIDSwvd (bd205320308fb41c88a4049a2d1764b4) C:\Windows\system32\DRIVERS\HIDSwvd.sys
2010/12/21 20:51:57.0781 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\Windows\system32\DRIVERS\hidusb.sys
2010/12/21 20:51:57.0875 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\Windows\system32\Drivers\HTTP.sys
2010/12/21 20:51:57.0968 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/12/21 20:51:58.0015 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\Windows\system32\DRIVERS\imapi.sys
2010/12/21 20:51:58.0203 Intels51 (f61bd411a315b9721ddef61e44d34474) C:\Windows\system32\DRIVERS\Intels51.sys
2010/12/21 20:51:58.0281 iomdisk (75931ebd581b9f79010640f924085fd4) C:\Windows\system32\DRIVERS\iomdisk.sys
2010/12/21 20:51:58.0421 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\Windows\system32\drivers\ip6fw.sys
2010/12/21 20:51:58.0453 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/12/21 20:51:58.0531 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\Windows\system32\DRIVERS\ipinip.sys
2010/12/21 20:51:58.0578 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\Windows\system32\DRIVERS\ipnat.sys
2010/12/21 20:51:58.0640 IPSec (23c74d75e36e7158768dd63d92789a91) C:\Windows\system32\DRIVERS\ipsec.sys
2010/12/21 20:51:58.0703 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\Windows\system32\DRIVERS\irenum.sys
2010/12/21 20:51:58.0734 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\Windows\system32\DRIVERS\isapnp.sys
2010/12/21 20:51:58.0812 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\Windows\system32\drivers\iviaspi.sys
2010/12/21 20:51:58.0890 Jukebox3 (6c24d3878f44c271d94ea6cab1acd739) C:\Windows\system32\DRIVERS\ctpdusb.sys
2010/12/21 20:51:58.0953 k750bus (fe8300320281d658a7854d5cfc02a63f) C:\Windows\system32\DRIVERS\k750bus.sys
2010/12/21 20:51:59.0000 k750mdfl (f44521f63c0c00364fa3d59db980de6a) C:\Windows\system32\DRIVERS\k750mdfl.sys
2010/12/21 20:51:59.0093 k750mdm (e93323c3ed5e8923a177740a973c27b2) C:\Windows\system32\DRIVERS\k750mdm.sys
2010/12/21 20:51:59.0156 k750mgmt (9d5f5a70ca0b7c428efcd73db50e6ac7) C:\Windows\system32\DRIVERS\k750mgmt.sys
2010/12/21 20:51:59.0234 k750obex (81ca2d57b2c14f76f4ba80846784bb3d) C:\Windows\system32\DRIVERS\k750obex.sys
2010/12/21 20:51:59.0375 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/12/21 20:51:59.0437 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/12/21 20:51:59.0484 kmixer (692bcf44383d056aed41b045a323d378) C:\Windows\system32\drivers\kmixer.sys
2010/12/21 20:51:59.0531 KSecDD (b467646c54cc746128904e1654c750c1) C:\Windows\system32\drivers\KSecDD.sys
2010/12/21 20:51:59.0687 L8042Kbd (d65598fed75329dcb12dad5b37510d8e) C:\Windows\system32\DRIVERS\L8042Kbd.sys
2010/12/21 20:51:59.0718 L8042mou (fbd0899da522e895ef4044005ff64efc) C:\Windows\system32\DRIVERS\L8042mou.Sys
2010/12/21 20:51:59.0828 LMouKE (6c905f314648e77bea52cf1dda7082a9) C:\Windows\system32\DRIVERS\LMouKE.Sys
2010/12/21 20:51:59.0890 LVPr2Mon (a6919138f29ae45e90e99fa94737e04c) C:\Windows\system32\DRIVERS\LVPr2Mon.sys
2010/12/21 20:52:00.0046 LVRS (b895839b8743e400d7c7dae156f74e7e) C:\Windows\system32\DRIVERS\lvrs.sys
2010/12/21 20:52:00.0343 LVUSBSta (23f8ef78bb9553e465a476f3cee5ca18) C:\Windows\system32\drivers\LVUSBSta.sys
2010/12/21 20:52:00.0421 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\Windows\system32\drivers\mnmdd.sys
2010/12/21 20:52:00.0531 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\Windows\system32\drivers\Modem.sys
2010/12/21 20:52:00.0578 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\Windows\system32\drivers\MODEMCSA.sys
2010/12/21 20:52:00.0640 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\Windows\system32\DRIVERS\mouclass.sys
2010/12/21 20:52:00.0687 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\Windows\system32\DRIVERS\mouhid.sys
2010/12/21 20:52:00.0734 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\Windows\system32\drivers\MountMgr.sys
2010/12/21 20:52:00.0765 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\Windows\system32\DRIVERS\MPE.sys
2010/12/21 20:52:00.0859 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\Windows\system32\DRIVERS\mrxdav.sys
2010/12/21 20:52:00.0906 MRxSmb (f3aefb11abc521122b67095044169e98) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/12/21 20:52:00.0953 Msfs (c941ea2454ba8350021d774daf0f1027) C:\Windows\system32\drivers\Msfs.sys
2010/12/21 20:52:01.0000 msgame (082a950191dde602bbea8ef4e5900251) C:\Windows\system32\DRIVERS\msgame.sys
2010/12/21 20:52:01.0046 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\Windows\system32\drivers\MSKSSRV.sys
2010/12/21 20:52:01.0109 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/12/21 20:52:01.0140 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\Windows\system32\drivers\MSPQM.sys
2010/12/21 20:52:01.0156 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/12/21 20:52:01.0218 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\Windows\system32\drivers\MSTEE.sys
2010/12/21 20:52:01.0250 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\Windows\system32\drivers\msmpu401.sys
2010/12/21 20:52:01.0296 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\Windows\system32\drivers\Mup.sys
2010/12/21 20:52:01.0343 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\Windows\system32\DRIVERS\NABTSFEC.sys
2010/12/21 20:52:01.0390 NDIS (1df7f42665c94b825322fae71721130d) C:\Windows\system32\drivers\NDIS.sys
2010/12/21 20:52:01.0421 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\Windows\system32\DRIVERS\NdisIP.sys
2010/12/21 20:52:01.0484 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/12/21 20:52:01.0531 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/12/21 20:52:01.0546 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/12/21 20:52:01.0593 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\Windows\system32\drivers\NDProxy.sys
2010/12/21 20:52:01.0640 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\Windows\system32\DRIVERS\netbios.sys
2010/12/21 20:52:01.0703 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\Windows\system32\DRIVERS\netbt.sys
2010/12/21 20:52:01.0765 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\Windows\system32\drivers\Npfs.sys
2010/12/21 20:52:01.0796 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\Windows\system32\drivers\Ntfs.sys
2010/12/21 20:52:01.0859 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\Windows\system32\drivers\Null.sys
2010/12/21 20:52:02.0046 nv (4c3696c1ed1a36629ebb348bf745a328) C:\Windows\system32\DRIVERS\nv4_mini.sys
2010/12/21 20:52:02.0218 NVENET (c8400ca70bf8a30156487bf887886432) C:\Windows\system32\DRIVERS\NVENET.sys
2010/12/21 20:52:02.0265 NVENETFD (812f45da883bdb87c5960b25295a7e9c) C:\Windows\system32\DRIVERS\NVENETFD.sys
2010/12/21 20:52:02.0281 nvidesm (857acf58d21d6a7f2eab84fb54b4eda4) C:\Windows\system32\drivers\nvidesm.sys
2010/12/21 20:52:02.0328 nvnetbus (507b332b431392ed37c23b7cfb66dcf7) C:\Windows\system32\DRIVERS\nvnetbus.sys
2010/12/21 20:52:02.0359 nv_agp (db36442c20793c53b4128eb85f9a3d32) C:\Windows\system32\DRIVERS\nv_agp.sys
2010/12/21 20:52:02.0406 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\Windows\system32\DRIVERS\nwlnkflt.sys
2010/12/21 20:52:02.0437 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\Windows\system32\DRIVERS\nwlnkfwd.sys
2010/12/21 20:52:02.0500 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\Windows\system32\DRIVERS\parport.sys
2010/12/21 20:52:02.0515 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\Windows\system32\drivers\PartMgr.sys
2010/12/21 20:52:02.0562 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\Windows\system32\drivers\ParVdm.sys
2010/12/21 20:52:02.0593 PCI (a219903ccf74233761d92bef471a07b1) C:\Windows\system32\DRIVERS\pci.sys
2010/12/21 20:52:02.0640 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\Windows\system32\DRIVERS\pciide.sys
2010/12/21 20:52:02.0687 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\Windows\system32\drivers\Pcmcia.sys
2010/12/21 20:52:02.0843 pepifilter (a05f0d7419cf4680eedd5736e6549e7b) C:\Windows\system32\DRIVERS\lv302af.sys
2010/12/21 20:52:02.0968 PhilCam8116_XP (ecfbea72977cc8d2c11f74aa07d8e7d0) C:\Windows\system32\DRIVERS\CamDrL20.sys
2010/12/21 20:52:03.0078 PID_PEPI (4bb5ac2dd485b8eefccb977ee66a68ad) C:\Windows\system32\DRIVERS\LV302V32.SYS
2010/12/21 20:52:03.0234 ppa3 (c740d0cb238670629af1b740414a8f3c) C:\Windows\system32\DRIVERS\ppa3.sys
2010/12/21 20:52:03.0281 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\Windows\system32\DRIVERS\raspptp.sys
2010/12/21 20:52:03.0312 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\Windows\system32\DRIVERS\processr.sys
2010/12/21 20:52:03.0343 prodrv06 (f2e3c8f1eb6ba0733e0a1f6373df7957) C:\Windows\System32\drivers\prodrv06.sys
2010/12/21 20:52:03.0406 prohlp02 (150307b52807d0c493c605ab913038ad) C:\Windows\system32\drivers\prohlp02.sys
2010/12/21 20:52:03.0437 prosync1 (f3471e7971ee62420451d958da635064) C:\Windows\system32\drivers\prosync1.sys
2010/12/21 20:52:03.0484 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\Windows\system32\DRIVERS\ptilink.sys
2010/12/21 20:52:03.0515 PxHelp20 (86724469cd077901706854974cd13c3e) C:\Windows\system32\Drivers\PxHelp20.sys
2010/12/21 20:52:03.0718 RapportBuka (e2aa111b00f5205ffd52a57f48b4f642) C:\Windows\system32\drivers\RapportBuka.sys
2010/12/21 20:52:03.0906 RapportCerberus_19917 (539fbdcff37a24102c507092b333ec2b) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys
2010/12/21 20:52:03.0953 RapportKELL (b64262f33c53d690ed662fde57102b10) C:\Windows\system32\Drivers\RapportKELL.sys
2010/12/21 20:52:04.0078 RapportPG (c9b8a131aaf77d969cbc3987537b319d) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
2010/12/21 20:52:04.0140 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\Windows\system32\DRIVERS\rasacd.sys
2010/12/21 20:52:04.0187 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/12/21 20:52:04.0218 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/12/21 20:52:04.0250 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\Windows\system32\DRIVERS\raspti.sys
2010/12/21 20:52:04.0281 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\Windows\system32\DRIVERS\rdbss.sys
2010/12/21 20:52:04.0312 RDPCDD (4912d5b403614ce99c28420f75353332) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/12/21 20:52:04.0375 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\Windows\system32\drivers\RDPWD.sys
2010/12/21 20:52:04.0406 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\Windows\system32\DRIVERS\redbook.sys
2010/12/21 20:52:04.0468 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\Windows\system32\DRIVERS\rfcomm.sys
2010/12/21 20:52:04.0546 RT73 (1fa7a35149fc632eb65db2360de2b811) C:\Windows\system32\DRIVERS\rt73.sys
2010/12/21 20:52:04.0625 SE26bus (d12cd1cce29256af57b3a0a0a4eb4985) C:\Windows\system32\DRIVERS\SE26bus.sys
2010/12/21 20:52:04.0687 SE26mdfl (271e52ebe93af39d3410f5481f36202a) C:\Windows\system32\DRIVERS\SE26mdfl.sys
2010/12/21 20:52:04.0734 SE26mdm (c6b688bc8af4d2d384dbcb3fa4681fca) C:\Windows\system32\DRIVERS\SE26mdm.sys
2010/12/21 20:52:04.0765 SE26mgmt (046b56284d7c2cbf25d6edeefc74cab8) C:\Windows\system32\DRIVERS\SE26mgmt.sys
2010/12/21 20:52:04.0812 se26nd5 (4380ec5a1451e740c589c313cffd830e) C:\Windows\system32\DRIVERS\se26nd5.sys
2010/12/21 20:52:04.0859 SE26obex (e6a884ea26c38087a419c4221a354168) C:\Windows\system32\DRIVERS\SE26obex.sys
2010/12/21 20:52:04.0890 se26unic (4d3e5a8968ba82728bd4d352d12589f5) C:\Windows\system32\DRIVERS\se26unic.sys
2010/12/21 20:52:04.0953 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\DRIVERS\secdrv.sys
2010/12/21 20:52:05.0031 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\Windows\system32\DRIVERS\serenum.sys
2010/12/21 20:52:05.0125 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\Windows\system32\DRIVERS\serial.sys
2010/12/21 20:52:05.0312 sfhlp01 (462aee0ea0481ea8bd45cac876a4ccc4) C:\Windows\system32\drivers\sfhlp01.sys
2010/12/21 20:52:05.0375 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\Windows\system32\drivers\Sfloppy.sys
2010/12/21 20:52:05.0437 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\Windows\system32\DRIVERS\SLIP.sys
2010/12/21 20:52:05.0500 snapman (624f51c7c12b9aeec433a2dd9b43f90f) C:\Windows\system32\DRIVERS\snapman.sys
2010/12/21 20:52:05.0609 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\Windows\system32\drivers\splitter.sys
2010/12/21 20:52:05.0640 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\Windows\system32\DRIVERS\sr.sys
2010/12/21 20:52:05.0687 Srv (0f6aefad3641a657e18081f52d0c15af) C:\Windows\system32\DRIVERS\srv.sys
2010/12/21 20:52:05.0765 sscdbus (2d4027c46b4c6e45875e3c4ba3f67492) C:\Windows\system32\DRIVERS\sscdbus.sys
2010/12/21 20:52:05.0843 sscdmdfl (f548f1eba107bc19e91189e6a460bd0e) C:\Windows\system32\DRIVERS\sscdmdfl.sys
2010/12/21 20:52:05.0875 sscdmdm (71d348d53597379dfe1de255d70af13c) C:\Windows\system32\DRIVERS\sscdmdm.sys
2010/12/21 20:52:05.0937 streamip (77813007ba6265c4b6098187e6ed79d2) C:\Windows\system32\DRIVERS\StreamIP.sys
2010/12/21 20:52:05.0968 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\Windows\system32\DRIVERS\swenum.sys
2010/12/21 20:52:06.0000 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\Windows\system32\drivers\swmidi.sys
2010/12/21 20:52:06.0140 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\Windows\system32\drivers\sysaudio.sys
2010/12/21 20:52:06.0218 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\Windows\system32\DRIVERS\tcpip.sys
2010/12/21 20:52:06.0265 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\Windows\system32\drivers\TDPIPE.sys
2010/12/21 20:52:06.0312 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\Windows\system32\drivers\TDTCP.sys
2010/12/21 20:52:06.0359 TermDD (88155247177638048422893737429d9e) C:\Windows\system32\DRIVERS\termdd.sys
2010/12/21 20:52:06.0421 timounter (1dcf219ec8de87c99b5ad6216000f6d3) C:\Windows\system32\DRIVERS\timntr.sys
2010/12/21 20:52:06.0546 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\Windows\system32\drivers\Udfs.sys
2010/12/21 20:52:06.0656 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\Windows\system32\DRIVERS\update.sys
2010/12/21 20:52:06.0734 usbaudio (e919708db44ed8543a7c017953148330) C:\Windows\system32\drivers\usbaudio.sys
2010/12/21 20:52:06.0781 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/12/21 20:52:06.0843 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\Windows\system32\DRIVERS\usbehci.sys
2010/12/21 20:52:06.0875 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\Windows\system32\DRIVERS\usbhub.sys
2010/12/21 20:52:06.0906 usbohci (0daecce65366ea32b162f85f07c6753b) C:\Windows\system32\DRIVERS\usbohci.sys
2010/12/21 20:52:06.0937 usbprint (a717c8721046828520c9edf31288fc00) C:\Windows\system32\DRIVERS\usbprint.sys
2010/12/21 20:52:06.0968 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\Windows\system32\DRIVERS\usbscan.sys
2010/12/21 20:52:07.0000 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/12/21 20:52:07.0046 USB_RNDIS (bee793d4a059caea55d6ac20e19b3a8f) C:\Windows\system32\DRIVERS\usb8023.sys
2010/12/21 20:52:07.0109 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\Windows\System32\drivers\vga.sys
2010/12/21 20:52:07.0156 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\Windows\system32\drivers\VolSnap.sys
2010/12/21 20:52:07.0203 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/21 20:52:07.0281 wceusbsh (dc7f91b2ed24a738c807ea07f298928c) C:\Windows\system32\DRIVERS\wceusbsh.sys
2010/12/21 20:52:07.0390 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\Windows\system32\DRIVERS\wdcsam.sys
2010/12/21 20:52:07.0437 wdmaud (6768acf64b18196494413695f0c3a00f) C:\Windows\system32\drivers\wdmaud.sys
2010/12/21 20:52:07.0578 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\Windows\system32\DRIVERS\wpdusb.sys
2010/12/21 20:52:07.0687 WscNetDr (2b45412df680a1896dd1f3948a350ecc) C:\Windows\system32\DRIVERS\WscNetDr.sys
2010/12/21 20:52:07.0734 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\Windows\system32\DRIVERS\WSTCODEC.SYS
2010/12/21 20:52:07.0781 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\Windows\system32\DRIVERS\WudfPf.sys
2010/12/21 20:52:07.0828 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\Windows\system32\DRIVERS\wudfrd.sys
2010/12/21 20:52:08.0156 ================================================================================
2010/12/21 20:52:08.0156 Scan finished
2010/12/21 20:52:08.0156 ================================================================================
2010/12/21 20:53:40.0203 Deinitialize success



ComboFix 10-12-21.01 - Ian Hayward 21/12/2010 21:28:09.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.500 [GMT 0:00]
Running from: c:\documents and settings\Ian Hayward\Desktop\zzz.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\Owatup
c:\documents and settings\NetworkService\Application Data\Owatup\olviu.exe
c:\documents and settings\NetworkService\Application Data\Wikaup
c:\documents and settings\NetworkService\Application Data\Wikaup\ylin.teu
c:\windows\system32\dmlconf.dat
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-21 to 2010-12-21 )))))))))))))))))))))))))))))))
.

2010-12-19 14:20 . 2010-12-19 14:20 -------- d-----w- c:\documents and settings\Ian Hayward\Local Settings\Application Data\Unity
2010-12-15 05:04 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 05:02 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-09 20:22 . 2010-12-09 20:22 388096 ----a-r- c:\documents and settings\Ian Hayward\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-09 20:22 . 2010-12-09 20:22 -------- d-----w- c:\program files\Trend Micro
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2010-12-08 21:15 . 2010-12-08 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-12-01 15:32 . 2010-12-01 15:32 -------- d-----w- c:\documents and settings\Ian Hayward\Local Settings\Application Data\MagicSoftware
2010-12-01 15:32 . 2010-12-01 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\MagicSoftware
2010-12-01 15:32 . 2010-12-01 15:32 -------- d-----w- c:\program files\MagicDVDRipper
2010-12-01 15:28 . 2010-12-01 15:29 -------- d-----w- c:\program files\7-Zip
2010-12-01 14:42 . 2010-12-01 14:42 -------- d-----w- c:\documents and settings\Ian Hayward\.dvdcss
2010-12-01 14:41 . 2010-12-01 14:48 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Digiarty
2010-12-01 14:41 . 2010-12-01 14:49 -------- d-----w- c:\program files\Digiarty
2010-12-01 14:22 . 2010-12-01 14:28 -------- d-----w- c:\program files\Raptr
2010-12-01 14:22 . 2010-12-01 14:22 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Raptr
2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2004-07-11 14:48 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2004-07-11 14:35 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-07-11 14:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:26 . 2004-01-21 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-03 12:25 . 2004-09-09 21:03 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-07-11 14:36 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-07-11 14:34 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-07-11 14:37 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [BU]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [BU]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [BU]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2010-07-27 06:30 8462336 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX620 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.EXE" [2004-05-19 98304]
"SoundMan"="SOUNDMAN.EXE" [2005-01-27 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-01 202256]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 ----a-w- c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKLM\~\startupfolder\C:^Documents and Settings^Ian Hayward^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 12:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-09-14 06:55 61440 ----a-w- d:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-04-01 19:08 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VSS"=3 (0x3)
"Themes"=2 (0x2)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"MDM"=2 (0x2)
"btwdins"=2 (0x2)
"BthServ"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"d:\\Program Files\\Eden Studios\\Rail Empires\\re-id.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"d:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\ubi.com\\Core\\GS4.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Monopoly 3\\Monopoly.exe"=
"c:\\WINDOWS\\SYSTEM32\\usmt\\migwiz.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\WINDOWS\\SYSTEM32\\javaw.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\football manager 2010\\fm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"d:\\Program Files\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3783:TCP"= 3783:TCP:VCP
"28900:TCP"= 28900:TCP:MSLR
"29900:TCP"= 29900:TCP:GP Connect mgr
"29901:TCP"= 29901:TCP:GP Search mgr
"6515:UDP"= 6515:UDP:DPlay UDP
"6500:TCP"= 6500:TCP:Query
"13139:UDP"= 13139:UDP:Custom UDP pings
"27900:UDP"= 27900:UDP:UDP Heartbeat
"25057:TCP"= 25057:TCP:AZ

R0 AVGIDSEH;AVGIDSEH;c:\windows\SYSTEM32\DRIVERS\AVGIDSEH.sys [13/09/2010 15:27 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [07/09/2010 02:48 26064]
R0 RapportKELL;RapportKELL;c:\windows\SYSTEM32\DRIVERS\RapportKELL.sys [03/10/2010 22:43 59240]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [07/09/2010 02:48 249424]
R1 Avgtdix;AVG TDI Driver;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [07/09/2010 02:49 298448]
R1 RapportBuka;RapportBuka;c:\windows\SYSTEM32\DRIVERS\RapportBuka.sys [01/03/2010 16:34 390528]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]
S2 gupdate1c9c1e1ceb09090;Google Update Service (gupdate1c9c1e1ceb09090);c:\program files\Google\Update\GoogleUpdate.exe [20/04/2009 17:59 133104]
S3 alcan5ln;SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\SYSTEM32\DRIVERS\alcan5ln.sys [17/09/2004 22:18 36256]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\SYSTEM32\DRIVERS\AVGIDSDriver.sys [19/08/2010 20:42 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\SYSTEM32\DRIVERS\AVGIDSFilter.sys [19/08/2010 20:42 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\SYSTEM32\DRIVERS\AVGIDSShim.sys [19/08/2010 20:42 26192]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\Drivers\BDA_Capture_225.sys --> c:\windows\system32\Drivers\BDA_Capture_225.sys [?]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\SYSTEM32\DRIVERS\BDA_Loader_225.sys [17/06/2008 22:47 18944]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\IANHAY~1\LOCALS~1\Temp\gUSBSTOi.sys --> c:\docume~1\IANHAY~1\LOCALS~1\Temp\gUSBSTOi.sys [?]
S3 UMSSSTOR;C-Media Storage;c:\windows\system32\DRIVERS\UMSS.SYS --> c:\windows\system32\DRIVERS\UMSS.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [06/05/2008 15:06 11520]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
S4 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S4 avgwd;AVG WatchDog;"c:\program files\AVG\AVG10\avgwdsvc.exe" --> c:\program files\AVG\AVG10\avgwdsvc.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-12-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 17:59]

2010-12-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 17:59]

2010-12-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-839522115-413027322-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-12-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-839522115-413027322-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-12-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-839522115-413027322-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-12-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-839522115-413027322-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-12-21 c:\windows\Tasks\User_Feed_Synchronization-{E9B94A29-7FD1-4FBB-A04A-C738991B53D1}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.co.uk/
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus1.firstdirec ... doorFD.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
HKCU-Run-WMPNSCFG - c:\program files\Windows Media Player\WMPNSCFG.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-21 21:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll
c:\progra~1\COMMON~1\Stardock\mcpstub.dll

- - - - - - - > 'explorer.exe'(11816)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\NMSAccess.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\UAService7.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\COMMON~1\Stardock\SDMCP.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-12-21 21:53:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-21 21:53
ComboFix2.txt 2010-11-15 02:35
ComboFix3.txt 2010-11-14 21:12
ComboFix4.txt 2010-11-10 22:59
ComboFix5.txt 2010-12-21 21:23

Pre-Run: 877,480,969,728 bytes free
Post-Run: 877,861,460,992 bytes free

- - End Of File - - D5BC4C8DEF5A04E9B67B78B1F91F252B
Basacag
Regular Member
 
Posts: 32
Joined: December 9th, 2010, 4:25 pm

Re: Win32 ZBOT.E

Unread postby askey127 » December 22nd, 2010, 8:33 am

Basacag,
First, I should mention this:
Doing banking on any machine that has P2P programs installed and used is not a good idea.
Rapport WILL NOT protect you and your bank account from that.
I am not certain whether Rapport is responsible for the system's improper behavior, either.
Rapport may need to be Uninstalled for this machine to be fixed, as it may interfere with the tools needed to repair the machine.
You should change your bank account(s) password(s) immediately.

Please attempt to do the following:
------------------------------------------------
Running things on your own does interfere with the ability to analyze what is happening on the machine.
Please attempt to locate these files. They are probably in the main directory of the C: drive
ComboFix5.txt
ComboFix4.txt
Please post the contents of each.
------------------------------------------------
Run Rkill
Double-click on the Rkill desktop icon to run the tool.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
-----------------------------------------------
Run Scan with the Eset Online Scanner
Note: You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista or Win7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go Here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Win32 ZBOT.E

Unread postby Basacag » December 23rd, 2010, 2:18 pm

Sorry, I mentioned the others but forgot I had run ComboFix before.

ComboFix 10-11-10.01 - Ian Hayward 10/11/2010 22:03:34.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.419 [GMT 0:00]
Running from: c:\documents and settings\Ian Hayward\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))
.

2010-11-10 09:45 . 2010-11-10 09:45 -------- d-----w- c:\windows\system32\MpEngineStore
2010-11-03 19:46 . 2010-11-09 13:34 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Veelb
2010-11-03 19:44 . 2010-11-09 16:22 -------- d-----w- c:\program files\windows
2010-10-31 18:54 . 2010-11-10 09:23 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Amewo
2010-10-31 18:54 . 2010-10-31 18:54 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Zaawq
2010-10-31 17:36 . 2010-10-31 17:36 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\DriverCure
2010-10-31 17:36 . 2010-10-31 17:36 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\ParetoLogic
2010-10-31 17:35 . 2010-10-31 17:35 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-10-31 17:35 . 2010-10-31 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-10-31 17:35 . 2010-10-31 17:35 -------- d-----w- c:\program files\ParetoLogic
2010-10-30 23:29 . 2010-10-31 00:14 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Eruhke
2010-10-30 13:22 . 2010-10-30 13:22 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Ezopa
2010-10-28 22:09 . 2010-10-29 08:30 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Diyxo
2010-10-28 22:09 . 2010-10-28 22:11 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Omiko
2010-10-28 17:04 . 2010-10-28 19:16 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Oniry
2010-10-27 16:32 . 2010-11-09 16:19 -------- d-----w- c:\program files\temp
2010-10-26 22:09 . 2010-10-26 22:09 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Malwarebytes
2010-10-26 22:09 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 22:09 . 2010-10-26 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-26 22:09 . 2010-10-26 22:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 22:09 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-26 22:06 . 2006-06-19 12:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-10-26 22:06 . 2006-05-25 14:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-10-26 22:06 . 2005-08-26 00:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-10-26 22:06 . 2002-03-06 00:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-10-26 22:06 . 2003-02-02 19:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-10-26 22:06 . 2010-10-26 22:06 -------- d-----w- c:\program files\Trojan Remover
2010-10-26 22:06 . 2010-10-26 22:06 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Simply Super Software
2010-10-26 22:06 . 2010-10-26 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-10-26 19:00 . 2010-11-09 13:31 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Avys
2010-10-26 13:54 . 2010-11-09 16:20 -------- d-----w- c:\program files\tmp
2010-10-20 09:45 . 2010-10-20 09:45 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\AVG10
2010-10-20 09:09 . 2010-10-20 09:09 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-20 09:08 . 2010-10-28 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-10-20 09:03 . 2010-11-10 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-20 09:03 . 2010-10-30 17:07 -------- d-----w- c:\windows\system32\drivers\AVG
2010-10-20 00:24 . 2010-10-20 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-14 20:16 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 20:16 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 20:15 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2010-09-18 11:23 . 2004-07-11 14:35 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-07-11 14:35 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-07-11 14:35 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-07-11 14:35 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-13 15:27 . 2010-09-13 15:27 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-09-10 05:58 . 2004-01-21 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-07-11 14:35 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-07-11 14:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 02:49 . 2010-09-07 02:49 298448 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-09-07 02:48 . 2010-09-07 02:48 34384 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-09-07 02:48 . 2010-09-07 02:48 249424 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-09-07 02:48 . 2010-09-07 02:48 26064 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-09-01 11:51 . 2004-07-11 14:34 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-07-11 14:37 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-07-11 14:37 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-07-11 14:37 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-07-11 14:37 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-17 08:06 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-07-11 14:34 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-19 20:42 . 2010-08-19 20:42 30288 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys
2010-08-19 20:42 . 2010-08-19 20:42 123472 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2010-08-19 20:42 . 2010-08-19 20:42 26192 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2010-08-17 13:17 . 2004-07-11 14:37 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-14 09:45 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2010-10-28 3908192]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-28 11:52 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngin0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2010-10-28 11:52 3908192 ----a-w- c:\program files\Vuze_Remote\tbVuz1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2010-10-28 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2010-10-28 3908192]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2010-10-28 3908192]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2010-07-27 06:30 8462336 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-16 68856]
"Raptr"="c:\progra~1\Raptr\raptrstub.exe" [2010-10-12 52136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX620 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.EXE" [2004-05-19 98304]
"SoundMan"="SOUNDMAN.EXE" [2005-01-27 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-01 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
atdydu.exe [2010-10-29 153600]
erfyn.exe [2010-10-28 212992]
ixusri.exe [2010-10-27 212992]
paekix.exe [2010-10-27 212992]
tyem.exe [2010-10-28 212992]
ygodo.exe [2010-10-29 153600]

c:\documents and settings\Sue\Start Menu\Programs\Startup\
buqox.exe [2010-10-29 153600]
yvakyd.exe [2010-10-29 153600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 ----a-w- c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKLM\~\startupfolder\C:^Documents and Settings^Ian Hayward^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-09-14 06:55 61440 ----a-w- d:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-04-01 19:08 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VSS"=3 (0x3)
"Themes"=2 (0x2)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"MDM"=2 (0x2)
"btwdins"=2 (0x2)
"BthServ"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"d:\\Program Files\\Eden Studios\\Rail Empires\\re-id.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"d:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\ubi.com\\Core\\GS4.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Monopoly 3\\Monopoly.exe"=
"c:\\WINDOWS\\SYSTEM32\\usmt\\migwiz.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\WINDOWS\\SYSTEM32\\javaw.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\football manager 2010\\fm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Raptr\\raptr.exe"=
"c:\\Program Files\\Raptr\\raptr_im.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3783:TCP"= 3783:TCP:VCP
"28900:TCP"= 28900:TCP:MSLR
"29900:TCP"= 29900:TCP:GP Connect mgr
"29901:TCP"= 29901:TCP:GP Search mgr
"6515:UDP"= 6515:UDP:DPlay UDP
"6500:TCP"= 6500:TCP:Query
"13139:UDP"= 13139:UDP:Custom UDP pings
"27900:UDP"= 27900:UDP:UDP Heartbeat
"25057:TCP"= 25057:TCP:AZ

R0 AVGIDSEH;AVGIDSEH;c:\windows\SYSTEM32\DRIVERS\AVGIDSEH.sys [13/09/2010 15:27 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [07/09/2010 02:48 26064]
R0 RapportKELL;RapportKELL;c:\windows\SYSTEM32\DRIVERS\RapportKELL.sys [03/10/2010 22:43 59240]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [07/09/2010 02:48 249424]
R1 Avgtdix;AVG TDI Driver;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [07/09/2010 02:49 298448]
R1 RapportBuka;RapportBuka;c:\windows\SYSTEM32\DRIVERS\RapportBuka.sys [01/03/2010 16:34 390528]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\SYSTEM32\DRIVERS\AVGIDSDriver.sys [19/08/2010 20:42 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\SYSTEM32\DRIVERS\AVGIDSFilter.sys [19/08/2010 20:42 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\SYSTEM32\DRIVERS\AVGIDSShim.sys [19/08/2010 20:42 26192]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\AVG\AVG10\avgwdsvc.exe" --> c:\program files\AVG\AVG10\avgwdsvc.exe [?]
S2 gupdate1c9c1e1ceb09090;Google Update Service (gupdate1c9c1e1ceb09090);c:\program files\Google\Update\GoogleUpdate.exe [20/04/2009 17:59 133104]
S3 alcan5ln;SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\SYSTEM32\DRIVERS\alcan5ln.sys [17/09/2004 22:18 36256]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\Drivers\BDA_Capture_225.sys --> c:\windows\system32\Drivers\BDA_Capture_225.sys [?]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\SYSTEM32\DRIVERS\BDA_Loader_225.sys [17/06/2008 22:47 18944]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\IANHAY~1\LOCALS~1\Temp\gUSBSTOi.sys --> c:\docume~1\IANHAY~1\LOCALS~1\Temp\gUSBSTOi.sys [?]
S3 UMSSSTOR;C-Media Storage;c:\windows\system32\DRIVERS\UMSS.SYS --> c:\windows\system32\DRIVERS\UMSS.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [06/05/2008 15:06 11520]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 17:59]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 17:59]

2010-11-03 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

2010-11-03 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

2010-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-839522115-413027322-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-839522115-413027322-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-10-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-839522115-413027322-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-10-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-839522115-413027322-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-11-10 c:\windows\Tasks\User_Feed_Synchronization-{E9B94A29-7FD1-4FBB-A04A-C738991B53D1}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{A18AC347-2CA3-4e5d-AB86-33BFC7EEB931} - c:\program files\gamingclubMPP\MPPoker.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: photographersdirect.com\www
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus1.firstdirec ... doorFD.cab
.
.
------- File Associations -------
.
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-10 22:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll
c:\progra~1\COMMON~1\Stardock\mcpstub.dll

- - - - - - - > 'explorer.exe'(11260)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
d:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\NMSAccess.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\UAService7.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\COMMON~1\Stardock\SDMCP.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-11-10 22:59:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-10 22:59
ComboFix2.txt 2010-11-10 21:24

Pre-Run: 847,466,418,176 bytes free
Post-Run: 847,512,666,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[Boot Loader]
timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\Windows
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\Windows="1ST TRY THIS seleccione esto primero" /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\Windows="2ND TRY THIS essayez ceci en deuzieme" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\Windows="3RD TRY THIS wahlen Sie diesen Third" /fastdetect
multi(0)disk(0)rdisk(1)partition(2)\Windows="4TH TRY THIS selezioni questo fourth" /fastdetect
multi(0)disk(0)rdisk(0)partition(3)\Windows="5TH TRY THIS selecione este fifth" /fastdetect
multi(0)disk(0)rdisk(1)partition(3)\Windows="6TH TRY THIS seleccione este sexto" /fastdetect
multi(0)disk(0)rdisk(0)partition(4)\Windows="7TH TRY THIS essayez ceci en septieme" /fastdetect
multi(0)disk(0)rdisk(1)partition(4)\Windows="8TH TRY THIS wahlen Sie dieses achte" /fastdetect
C:\="9TH TRY THIS selezioni questo nono"
D:\="10TH TRY THIS selecione este decimo"

- - End Of File - - 09E72C885E4CC12AC2F42C076B796FE4


ComboFix 10-11-09.03 - Ian Hayward 10/11/2010 20:52:38.1.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.763 [GMT 0:00]
Running from: c:\documents and settings\Ian Hayward\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Carl.SNAKEY\err.log
c:\documents and settings\Ian Hayward\Application Data\Adla
c:\documents and settings\Ian Hayward\Application Data\Adla\tyyr.exe
c:\documents and settings\Ian Hayward\Application Data\Adobe\crc.dat
c:\documents and settings\Ian Hayward\Application Data\Azxuog
c:\documents and settings\Ian Hayward\Application Data\Azxuog\efyfs.gae
c:\documents and settings\Ian Hayward\Application Data\Bozau
c:\documents and settings\Ian Hayward\Application Data\Bozau\huhu.exe
c:\documents and settings\Ian Hayward\Application Data\Cytuqa
c:\documents and settings\Ian Hayward\Application Data\Cytuqa\obenk.olx
c:\documents and settings\Ian Hayward\Application Data\DriveCleaner 2006 Free
c:\documents and settings\Ian Hayward\Application Data\DriveCleaner 2006 Free\Logs\update.log
c:\documents and settings\Ian Hayward\Application Data\Dyoh
c:\documents and settings\Ian Hayward\Application Data\Dyoh\cuyqe.exe
c:\documents and settings\Ian Hayward\Application Data\Efos
c:\documents and settings\Ian Hayward\Application Data\Efos\etca.esu
c:\documents and settings\Ian Hayward\Application Data\Eful
c:\documents and settings\Ian Hayward\Application Data\Eful\izpo.exe
c:\documents and settings\Ian Hayward\Application Data\Etvawa
c:\documents and settings\Ian Hayward\Application Data\Etvawa\iryqc.adu
c:\documents and settings\Ian Hayward\Application Data\Ikfo
c:\documents and settings\Ian Hayward\Application Data\Ikfo\xisur.exe
c:\documents and settings\Ian Hayward\Application Data\Imgyku
c:\documents and settings\Ian Hayward\Application Data\Imgyku\asys.syk
c:\documents and settings\Ian Hayward\Application Data\Ipysg
c:\documents and settings\Ian Hayward\Application Data\Ipysg\azbeg.exe
c:\documents and settings\Ian Hayward\Application Data\Louggu
c:\documents and settings\Ian Hayward\Application Data\Louggu\yfumx.oki
c:\documents and settings\Ian Hayward\Application Data\Ofuq
c:\documents and settings\Ian Hayward\Application Data\Ofuq\givua.exe
c:\documents and settings\Ian Hayward\Application Data\Okug
c:\documents and settings\Ian Hayward\Application Data\Okug\wemuk.exe
c:\documents and settings\Ian Hayward\Application Data\Owgaul
c:\documents and settings\Ian Hayward\Application Data\Owgaul\figyh.exe
c:\documents and settings\Ian Hayward\Application Data\Ruvyhi
c:\documents and settings\Ian Hayward\Application Data\Ruvyhi\heak.exe
c:\documents and settings\Ian Hayward\Application Data\Rydi
c:\documents and settings\Ian Hayward\Application Data\Rydi\suuw.ywo
c:\documents and settings\Ian Hayward\Application Data\Taasdy
c:\documents and settings\Ian Hayward\Application Data\Taasdy\bocoz.okk
c:\documents and settings\Ian Hayward\Application Data\Uxyko
c:\documents and settings\Ian Hayward\Application Data\Uxyko\erxe.exe
c:\documents and settings\Ian Hayward\Application Data\Ypciy
c:\documents and settings\Ian Hayward\Application Data\Ypciy\nuysw.ycz
c:\documents and settings\Ian Hayward\Application Data\Yxeziz
c:\documents and settings\Ian Hayward\Application Data\Yxeziz\cibu.sei
c:\documents and settings\Ian Hayward\err.log
c:\documents and settings\Ian Hayward\GoToAssistDownloadHelper.exe
c:\documents and settings\Ian Hayward\Start Menu\Programs\Startup\logtec32.exe
c:\documents and settings\Sue\err.log
c:\program files\microsoft\watermark.exe
c:\windows\start.exe
c:\windows\system32\dmlconf.dat
c:\windows\system32\exec1.exe
c:\windows\system32\fhkmp.ini
c:\windows\system32\jpjxktks.ini
c:\windows\system32\knnmp.ini
c:\windows\system32\LUuFNqru.ini2
c:\windows\system32\tmp.reg
c:\windows\SYSTEM32\tstwa.bak1
c:\windows\SYSTEM32\tstwa.bak2
c:\windows\SYSTEM32\tstwa.ini
c:\windows\Web\default.htt

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

Infected copy of c:\windows\SYSTEM32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WASFSD


((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))
.

2010-11-10 09:45 . 2010-11-10 09:45 -------- d-----w- c:\windows\system32\MpEngineStore
2010-11-03 19:46 . 2010-11-09 13:34 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Veelb
2010-11-03 19:44 . 2010-11-09 16:22 -------- d-----w- c:\program files\windows
2010-10-31 18:54 . 2010-11-10 09:23 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Amewo
2010-10-31 18:54 . 2010-10-31 18:54 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Zaawq
2010-10-31 17:36 . 2010-10-31 17:36 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\DriverCure
2010-10-31 17:36 . 2010-10-31 17:36 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\ParetoLogic
2010-10-31 17:35 . 2010-10-31 17:35 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-10-31 17:35 . 2010-10-31 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-10-31 17:35 . 2010-10-31 17:35 -------- d-----w- c:\program files\ParetoLogic
2010-10-30 23:29 . 2010-10-31 00:14 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Eruhke
2010-10-30 13:22 . 2010-10-30 13:22 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Ezopa
2010-10-28 22:09 . 2010-10-29 08:30 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Diyxo
2010-10-28 22:09 . 2010-10-28 22:11 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Omiko
2010-10-28 17:04 . 2010-10-28 19:16 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Oniry
2010-10-27 16:32 . 2010-11-09 16:19 -------- d-----w- c:\program files\temp
2010-10-26 22:09 . 2010-10-26 22:09 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Malwarebytes
2010-10-26 22:09 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 22:09 . 2010-10-26 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-26 22:09 . 2010-10-26 22:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 22:09 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-26 22:06 . 2006-06-19 12:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-10-26 22:06 . 2006-05-25 14:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-10-26 22:06 . 2005-08-26 00:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-10-26 22:06 . 2002-03-06 00:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-10-26 22:06 . 2003-02-02 19:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-10-26 22:06 . 2010-10-26 22:06 -------- d-----w- c:\program files\Trojan Remover
2010-10-26 22:06 . 2010-10-26 22:06 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Simply Super Software
2010-10-26 22:06 . 2010-10-26 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-10-26 19:00 . 2010-11-09 13:31 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Avys
2010-10-26 13:54 . 2010-11-09 16:20 -------- d-----w- c:\program files\tmp
2010-10-20 09:45 . 2010-10-20 09:45 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\AVG10
2010-10-20 09:09 . 2010-10-20 09:09 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-20 09:08 . 2010-10-28 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-10-20 09:03 . 2010-11-10 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-20 09:03 . 2010-10-30 17:07 -------- d-----w- c:\windows\system32\drivers\AVG
2010-10-20 00:24 . 2010-10-20 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-14 20:16 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 20:16 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 20:15 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2010-09-18 11:23 . 2004-07-11 14:35 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-07-11 14:35 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-07-11 14:35 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-07-11 14:35 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-13 15:27 . 2010-09-13 15:27 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-09-10 05:58 . 2004-01-21 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-07-11 14:35 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-07-11 14:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 02:49 . 2010-09-07 02:49 298448 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-09-07 02:48 . 2010-09-07 02:48 34384 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-09-07 02:48 . 2010-09-07 02:48 249424 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-09-07 02:48 . 2010-09-07 02:48 26064 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-09-01 11:51 . 2004-07-11 14:34 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-07-11 14:37 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-07-11 14:37 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-07-11 14:37 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-07-11 14:37 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-17 08:06 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-07-11 14:34 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-19 20:42 . 2010-08-19 20:42 30288 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys
2010-08-19 20:42 . 2010-08-19 20:42 123472 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2010-08-19 20:42 . 2010-08-19 20:42 26192 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2010-08-17 13:17 . 2004-07-11 14:37 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-14 09:45 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2010-10-28 3908192]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-28 11:52 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngin0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2010-10-28 11:52 3908192 ----a-w- c:\program files\Vuze_Remote\tbVuz1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2010-10-28 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin0.dll" [2010-10-28 3908192]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2010-10-28 3908192]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2010-07-27 06:30 8462336 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-16 68856]
"Raptr"="c:\progra~1\Raptr\raptrstub.exe" [2010-10-12 52136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX620 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.EXE" [2004-05-19 98304]
"SoundMan"="SOUNDMAN.EXE" [2005-01-27 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-01 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
atdydu.exe [2010-10-29 153600]
erfyn.exe [2010-10-28 212992]
ixusri.exe [2010-10-27 212992]
paekix.exe [2010-10-27 212992]
tyem.exe [2010-10-28 212992]
ygodo.exe [2010-10-29 153600]

c:\documents and settings\Sue\Start Menu\Programs\Startup\
buqox.exe [2010-10-29 153600]
yvakyd.exe [2010-10-29 153600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 ----a-w- c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKLM\~\startupfolder\C:^Documents and Settings^Ian Hayward^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-09-14 06:55 61440 ----a-w- d:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-04-01 19:08 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VSS"=3 (0x3)
"Themes"=2 (0x2)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"MDM"=2 (0x2)
"btwdins"=2 (0x2)
"BthServ"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"d:\\Program Files\\Eden Studios\\Rail Empires\\re-id.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"d:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\ubi.com\\Core\\GS4.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Monopoly 3\\Monopoly.exe"=
"c:\\WINDOWS\\SYSTEM32\\usmt\\migwiz.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\WINDOWS\\SYSTEM32\\javaw.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\football manager 2010\\fm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Raptr\\raptr.exe"=
"c:\\Program Files\\Raptr\\raptr_im.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3783:TCP"= 3783:TCP:VCP
"28900:TCP"= 28900:TCP:MSLR
"29900:TCP"= 29900:TCP:GP Connect mgr
"29901:TCP"= 29901:TCP:GP Search mgr
"6515:UDP"= 6515:UDP:DPlay UDP
"6500:TCP"= 6500:TCP:Query
"13139:UDP"= 13139:UDP:Custom UDP pings
"27900:UDP"= 27900:UDP:UDP Heartbeat
"25057:TCP"= 25057:TCP:AZ

R0 AVGIDSEH;AVGIDSEH;c:\windows\SYSTEM32\DRIVERS\AVGIDSEH.sys [13/09/2010 15:27 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [07/09/2010 02:48 26064]
R0 RapportKELL;RapportKELL;c:\windows\SYSTEM32\DRIVERS\RapportKELL.sys [03/10/2010 22:43 59240]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [07/09/2010 02:48 249424]
R1 Avgtdix;AVG TDI Driver;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [07/09/2010 02:49 298448]
R1 RapportBuka;RapportBuka;c:\windows\SYSTEM32\DRIVERS\RapportBuka.sys [01/03/2010 16:34 390528]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\SYSTEM32\DRIVERS\AVGIDSDriver.sys [19/08/2010 20:42 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\SYSTEM32\DRIVERS\AVGIDSFilter.sys [19/08/2010 20:42 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\SYSTEM32\DRIVERS\AVGIDSShim.sys [19/08/2010 20:42 26192]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\AVG\AVG10\avgwdsvc.exe" --> c:\program files\AVG\AVG10\avgwdsvc.exe [?]
S2 gupdate1c9c1e1ceb09090;Google Update Service (gupdate1c9c1e1ceb09090);c:\program files\Google\Update\GoogleUpdate.exe [20/04/2009 17:59 133104]
S3 alcan5ln;SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\SYSTEM32\DRIVERS\alcan5ln.sys [17/09/2004 22:18 36256]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\Drivers\BDA_Capture_225.sys --> c:\windows\system32\Drivers\BDA_Capture_225.sys [?]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\SYSTEM32\DRIVERS\BDA_Loader_225.sys [17/06/2008 22:47 18944]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\IANHAY~1\LOCALS~1\Temp\gUSBSTOi.sys --> c:\docume~1\IANHAY~1\LOCALS~1\Temp\gUSBSTOi.sys [?]
S3 UMSSSTOR;C-Media Storage;c:\windows\system32\DRIVERS\UMSS.SYS --> c:\windows\system32\DRIVERS\UMSS.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [06/05/2008 15:06 11520]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 17:59]

2010-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 17:59]

2010-11-03 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

2010-11-03 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]

2010-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-839522115-413027322-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-839522115-413027322-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-10-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-839522115-413027322-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-10-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-839522115-413027322-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-11-10 c:\windows\Tasks\User_Feed_Synchronization-{E9B94A29-7FD1-4FBB-A04A-C738991B53D1}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{A18AC347-2CA3-4e5d-AB86-33BFC7EEB931} - c:\program files\gamingclubMPP\MPPoker.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: photographersdirect.com\www
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus1.firstdirec ... doorFD.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
BHO-{7FB0B515-5C6C-4EA4-8E21-041E356A6A2B} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
HKCU-Run-Windows Registers - winservicess.exe
HKLM-Run-nwiz - c:\program files\NVIDIA Corporation\nView\nwiz.exe
HKLM-Run-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-QuickTime Task - d:\program files\QuickTime\qttask.exe
AddRemove-Army Builder V3.2d - c:\armybu~2\UNWISE.EXE
AddRemove-AVG - c:\program files\AVG\AVG10\avgmfapx.exe
AddRemove-Belarc Advisor - c:\progra~1\Belarc\Advisor\Uninstall.exe
AddRemove-BT Home Hub - c:\program files\BT Home Hub\Uninstall.exe
AddRemove-BT Yahoo! Applications - c:\progra~1\Yahoo!\common\uninstall.exe
AddRemove-BT Yahoo! Broadband Help Guides - c:\progra~1\BTYAHO~2\UNWISE.EXE
AddRemove-CAL - c:\program files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe
AddRemove-CameraWindowDVC5 - c:\program files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe
AddRemove-CameraWindowDVC6 - c:\program files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe
AddRemove-CameraWindowMC - c:\program files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe
AddRemove-Coupon Printer2.0 - c:\program files\Coupon Printer\uninstall.exe
AddRemove-CSCLIB - c:\program files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe
AddRemove-EOS Utility - c:\program files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe
AddRemove-EPSON Scanner - c:\program files\epson\escndv\setup\setup.exe
AddRemove-Football Manager 2010 - c:\program files\Sports Interactive\Football Manager 2010\Uninstall_Football Manager 2010\Uninstall Football Manager 2010.exe
AddRemove-GameSpy Arcade - c:\progra~1\GAMESP~1\UNWISE.EXE
AddRemove-InstallShield_{1632FD86-1BA4-4FC4-8B25-A8C655D63F68} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
AddRemove-InstallShield_{41979C2F-34B8-4F92-8111-B13C5864682D} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
AddRemove-InstallShield_{77F09242-A107-4CB6-A295-D8656C2C3795} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
AddRemove-InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97} - c:\progra~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
AddRemove-InstallShield_{82AF77BC-423D-42DA-BE5B-FFCA04752181} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
AddRemove-InstallShield_{993A352A-2957-4661-A1EF-2D8F6F3C9234} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
AddRemove-InstallShield_{D48C9BFC-FBCF-4F29-B97D-822ED6D497FE} - c:\progra~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe
AddRemove-Logitech Print Service - c:\progra~1\LOGITECH\PRINTS~1\UNWISE.EXE
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe
AddRemove-PC-Rail Simulations - c:\program files\Pcrail\UnInstal.exe
AddRemove-Rail Empires : Iron Dragon - d:\progra~1\EDENST~1\RAILEM~1\UNWISE.EXE
AddRemove-RAW Image Task - c:\program files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe
AddRemove-RemoteCaptureTask - c:\program files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe
AddRemove-Stardock Central - d:\progra~1\Stardock\SDCENT~1\UNWISE.EXE
AddRemove-Vuze_Remote Toolbar - c:\progra~1\VUZE_R~1\UNWISE.EXE
AddRemove-WinRAR archiver - c:\program files\WinRAR\uninstall.exe
AddRemove-ZoomBrowser EX - c:\program files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe
AddRemove-{6E7DD182-9FC6-4651-0095-2E666CC6AF35} - c:\program files\EA GAMES\The Sims 2\EAUninstall.exe
AddRemove-{8FD3F4BA-A4A6-4380-00A6-CC6853AB2DC2} - d:\program files\EA GAMES\The Sims 2 University\EAUninstall.exe
AddRemove-InstallShield_{69640730-B830-4C24-BB5C-222DA1260548} - c:\progra~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-10 21:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll
c:\progra~1\COMMON~1\Stardock\mcpstub.dll

- - - - - - - > 'explorer.exe'(10892)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
d:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\NMSAccess.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\UAService7.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\progra~1\COMMON~1\Stardock\SDMCP.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-11-10 21:24:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-10 21:24

Pre-Run: 841,565,101,568 bytes free
Post-Run: 847,623,387,136 bytes free

- - End Of File - - 2154EB6F2BC3D8D7BDB8945A351FA78A



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=7ded32bb57800d4d990476d155b2a88f
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-12-22 10:18:41
# local_time=2010-12-22 10:18:41 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1124428 1124428 0 0
# compatibility_mode=1032 16777214 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 3813 3813 0 0
# scanned=36748
# found=7
# cleaned=0
# scan_time=9330
C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.EQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Ian Hayward\Application Data\Sun\Java\Deployment\cache\6.0\0\6fb283c0-7c13a04e Java/TrojanDownloader.Agent.NAM trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Ian Hayward\Application Data\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-6ae71b07 Java/TrojanDownloader.Agent.NBK trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Ian Hayward\Application Data\Sun\Java\Deployment\cache\6.0\25\3ad8b099-4a094cb0 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Ian Hayward\Application Data\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-2a3c94c8 Java/TrojanDownloader.Agent.NBL trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Ian Hayward\Desktop\msnVirusRemoval.zip BAT/Robobot.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Ian Hayward\Desktop\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=7ded32bb57800d4d990476d155b2a88f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-12-23 11:09:51
# local_time=2010-12-23 11:09:51 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1134951 1134951 0 0
# compatibility_mode=1032 16777214 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 14336 14336 0 0
# scanned=237653
# found=72
# cleaned=0
# scan_time=45078
C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.EQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Ian Hayward\Application Data\Sun\Java\Deployment\cache\6.0\0\6fb283c0-7c13a04e Java/TrojanDownloader.Agent.NAM trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Ian Hayward\Application Data\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-6ae71b07 Java/TrojanDownloader.Agent.NBK trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Ian Hayward\Application Data\Sun\Java\Deployment\cache\6.0\25\3ad8b099-4a094cb0 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Ian Hayward\Application Data\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-2a3c94c8 Java/TrojanDownloader.Agent.NBL trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Ian Hayward\Desktop\msnVirusRemoval.zip BAT/Robobot.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Ian Hayward\Desktop\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\tmp\x64.exe a variant of Win32/Kryptik.IEE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\win\x32.exe a variant of Win32/Kryptik.IMY trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\26_tabswelcome_ie7footer.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\29_tabswelcome_ie7footer.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\41_tabswelcome_ie7footer.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\42_tabswelcome_ie7footer.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\45_tabswelcome_ie7footer.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\46_tabswelcome_ie7footer.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\49_tabswelcome_ie7footer.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\50_tabswelcome_ie7footer.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\58_tabswelcome_ie7footer.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\59_tabswelcome_ie7footer.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\bubble_general.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\Facebook_error.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\Facebook_notifier.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\Facebook_status.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\rssreader_simple.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_dangerous.html Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_questionable.html Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_risky.html Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_safe.html Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_unknown.html Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_waiting.html Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\tabswelcome_ie7footer.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\xAVGx\AVG10\Toolbar\Firefox\avg@igeared\chrome\content\html\weather_error.htm Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Ian Hayward\Application Data\Adla\tyyr.exe.vir Win32/Spy.Zbot.YW trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Ian Hayward\Application Data\Ahovax\duhua.exe.vir a variant of Win32/Kryptik.IEM trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Ian Hayward\Application Data\Bozau\huhu.exe.vir Win32/Spy.Zbot.YW trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Ian Hayward\Application Data\Dyoh\cuyqe.exe.vir Win32/Spy.Zbot.YW trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Ian Hayward\Application Data\Eful\izpo.exe.vir a variant of Win32/Kryptik.HWP trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Ian Hayward\Application Data\Ikfo\xisur.exe.vir a variant of Win32/Kryptik.HWP trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Ian Hayward\Application Data\Ipysg\azbeg.exe.vir Win32/Spy.Zbot.YW trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Ian Hayward\Application Data\Ofuq\givua.exe.vir Win32/Spy.Zbot.YW trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Ian Hayward\Application Data\Okug\wemuk.exe.vir Win32/Spy.Zbot.YW trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Ian Hayward\Application Data\Owgaul\figyh.exe.vir a variant of Win32/Kryptik.HWP trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Ian Hayward\Application Data\Ruvyhi\heak.exe.vir a variant of Win32/Kryptik.HWP trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Ian Hayward\Application Data\Uxyko\erxe.exe.vir Win32/Spy.Zbot.YW trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Ian Hayward\Start Menu\Programs\Startup\logtec32.exe.vir a variant of Win32/Kryptik.HVT trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\Owatup\olviu.exe.vir a variant of Win32/Kryptik.IMY trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Microsoft\_WaterMark_.exe.zip Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Win32/Bamital.EQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\ExplorerSrv.exe.vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fhkmp.ini.vir Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jpjxktks.ini.vir Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\knnmp.ini.vir Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\LUuFNqru.ini2.vir Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tstwa.bak1.vir Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tstwa.bak2.vir Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tstwa.ini.vir Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon.exe.vir Win32/Bamital.EQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP1\A0001643.rbf Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP1\A0001644.rbf Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP1\A0001645.rbf Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP1\A0001646.rbf Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP1\A0001647.rbf Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP1\A0001648.rbf Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP1\A0004671.exe a variant of Win32/Kryptik.IEE trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP1\A0004672.exe a variant of Win32/Kryptik.IEE trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP18\A0026585.exe a variant of Win32/Kryptik.IEE trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP3\A0009627.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP3\A0013002.exe a variant of Win32/Kryptik.IEE trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP3\A0013085.exe a variant of Win32/Kryptik.IEE trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP3\A0015747.exe a variant of Win32/Kryptik.IEE trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP3\A0015748.exe a variant of Win32/Kryptik.IEE trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{BC751822-ABC9-4107-ABD9-DAD964703366}\RP35\A0030838.exe a variant of Win32/Kryptik.IMY trojan (unable to clean) 00000000000000000000000000000000 I
Basacag
Regular Member
 
Posts: 32
Joined: December 9th, 2010, 4:25 pm

Re: Win32 ZBOT.E

Unread postby Basacag » December 23rd, 2010, 7:28 pm

Hi askey127, I am away tomorrow until Sunday evening. I will check in tomorrow before I leave in case there are fresh instructions. Have a great Christmas.

Ian
Basacag
Regular Member
 
Posts: 32
Joined: December 9th, 2010, 4:25 pm

Re: Win32 ZBOT.E

Unread postby askey127 » December 24th, 2010, 7:04 am

Basacag,
------------------------------------------------------
You have had an extremely dangerous infection on the machine. It is called Bamital.D
You may still have remnants.
Warning - Compromised Data
Because the infection has had remote control access to your Internet activities, you should assume that any data on it may have been stolen.
Take whatever precautions you think sensible about any financial (credit cards, banking, etc.), or other critical information that has been passed through or stored on the machine.
I would suggest changing all account names/numbers, and passwords for ANY accounts that have been used with the machine.
That includes not only banking, credit cards, and financial, but also website and e-mail accounts as well. Use a clean PC (not this one) to make the changes.

You most likely contracted it through the use of P2P programs, to get free downloads.

AVG does not handle this infection too intelligently, so in the process of detecting the infection it likely removed some of your critical System files.

---------------------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    bwxkam.dll
    memory.tmp
    hlp.dat
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight this Entry, if it exists, and choose Remove :
Rapport
Take extra care in answering questions posed by any Uninstaller.

If you can successfully remove Rapport, then please attempt to Uninstall AVG.
If AVG Uninstalls properly, run the Antivir installer on your desktop.
Let me know how it goes.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
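The SystemLook :filefind step above searches the whole volume for a handful of file names and reports size, timestamps and MD5 so the helper can decide whether a file is the malware dropper. The following Python script is an added example, not part of the original thread or the SystemLook tool; it reproduces that check with the standard library only. The directory it searches is a constructed temporary tree (build_sample_tree) holding a fake hlp.dat, so it runs offline; on a real machine you would pass the drive root (e.g. "C:\\") and run it from an elevated prompt, as SystemLook notes it did.

```python
import hashlib
import os
import tempfile
from datetime import datetime


def md5_of_file(path, chunk=65536):
    """Stream the file through MD5 so large binaries are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest().upper()


def filefind(root, names):
    """Walk `root` and return {name: [hit, ...]} for every file whose name is in
    `names`. Matching is case-insensitive, as on a Windows volume."""
    lookup = {n.lower(): n for n in names}
    hits = {n: [] for n in names}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            key = lookup.get(fn.lower())
            if key is None:
                continue
            full = os.path.join(dirpath, fn)
            st = os.stat(full)
            hits[key].append({
                "path": full,
                "size": st.st_size,
                # st_ctime is creation time on Windows but inode-change time on Unix
                "ctime": datetime.fromtimestamp(st.st_ctime),
                "mtime": datetime.fromtimestamp(st.st_mtime),
                "md5": md5_of_file(full),
            })
    return hits


def format_report(hits):
    """Render the results in the same layout as the SystemLook log in this thread."""
    lines = ["========== filefind =========="]
    for name, found in hits.items():
        lines.append("")
        lines.append('Searching for "%s"' % name)
        if not found:
            lines.append("No files found.")
        for h in found:
            lines.append("%s %d bytes [%s] [%s] %s" % (
                h["path"], h["size"],
                h["ctime"].strftime("%H:%M %d/%m/%Y"),
                h["mtime"].strftime("%H:%M %d/%m/%Y"),
                h["md5"]))
    lines.append("")
    lines.append("-= EOF =-")
    return "\n".join(lines)


def build_sample_tree():
    """Constructed stand-in for the C: drive so the example runs offline: one hlp.dat
    exists under a Server folder, the DLL and TMP names do not exist anywhere."""
    root = tempfile.mkdtemp(prefix="filefind_")
    server = os.path.join(root, "Documents and Settings", "All Users", "Documents", "Server")
    os.makedirs(server)
    with open(os.path.join(server, "hlp.dat"), "wb") as fh:
        fh.write(b"hello")  # constructed content, not the real file
    return root


if __name__ == "__main__":
    names = ["bwxkam.dll", "memory.tmp", "hlp.dat"]
    print(format_report(filefind(build_sample_tree(), names)))
```

The hash is what makes the result actionable: a file name like hlp.dat is meaningless on its own, but its MD5 can be looked up against known-good and known-bad sets before anything is deleted.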

Re: Win32 ZBOT.E

Unread postby Basacag » December 27th, 2010, 11:06 am

Rapport removed via the trusteer removal page.

AVG still not responding to removal from the add/remove programs app. Also when I try to uninstall from the Start menu I get

This application failed to start because the htmlayout.dll was not found. Re-installing the application may fix this problem.

Went to my son's PC to change passwords etc. Now my son's PC has no access to the internet via IE, it fails each time (apparently since before Christmas). Guess I need to open a thread for that now...


SystemLook 04.09.10 by jpshortstuff
Log created at 14:38 on 27/12/2010 by Ian Hayward
Administrator - Elevation successful

========== filefind ==========

Searching for "bwxkam.dll"
No files found.

Searching for "memory.tmp"
No files found.

Searching for "hlp.dat"
C:\Documents and Settings\All Users\Documents\Server\hlp.dat --a---- 36740 bytes [14:37 11/07/2004] [09:31 10/11/2010] 4A7FF4BDA74F8A839FABF740BD124441

-= EOF =-
Basacag
Regular Member
 
Posts: 32
Joined: December 9th, 2010, 4:25 pm

Re: Win32 ZBOT.E

Unread postby askey127 » December 27th, 2010, 4:49 pm

Basacag,
Sorry for the delay. My ISP has been offline most of the day.
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    File::
    C:\Documents and Settings\All Users\Documents\Server\hlp.dat
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.

------------------------------------------------
Side Note:
If you use a router, wireless or wired, make sure that the administrator password for the router installation has been changed to one that you chose.
(This is not the password you may need to connect to your wireless network. It's the one you have to type in to the setup screen WHEN YOU SET UP the ROUTER.)
If the default password is retained, a remote attacker can install his own server address in between you and your Internet Provider. (The default passwords are published).
In case the router has been hacked, other machines connected to the same router will see the same type of redirect symptoms.
If you go into the router installation routine, you can take a quick look at the IP addresses in the router setup to make sure no extras have been added.
You may need Tech Help from your Internet Provider, or the original instructions, to make sure this is correct.
Is this something you can do?
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
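The router side note above describes the check in words: with a default admin password an attacker can point the router at his own DNS server, and every machine behind it then shows the same redirects. The script below is an added example, not part of the original post, of doing that check from the Windows side: it parses the output of `ipconfig /all` (XP layout) and flags any DNS server that is neither the adapter's default gateway nor one of the resolvers you know to be your ISP's. The ipconfig text is constructed, and 203.0.113.44 is a documentation-range address standing in for an attacker's resolver; on a real machine you would feed it the output of `ipconfig /all` and pass your ISP's resolvers as trusted_resolvers.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output in the Windows XP layout. The second resolver on the
# wired adapter, 203.0.113.44 (RFC 5737 documentation range), plays the rogue DNS server.
SAMPLE_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : ian-pc
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.44

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
"""

# "Field Name . . . . : value"; the dots are ipconfig's padding, not part of the name
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z\- ]*?)[ .]*: ?(.*)$")

# RFC 1918 ranges: a resolver outside these is not on the home LAN at all
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}. A line indented deeper than the field
    column carries an extra value for the previous field (second DNS server etc.)."""
    adapters, current, last_field, field_indent = {}, None, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0 and line.endswith(":"):
            current, last_field, field_indent = line[:-1], None, None
            adapters[current] = {}
            continue
        if current is None:
            continue
        if last_field is not None and indent > field_indent:
            adapters[current][last_field].append(line.strip())
            continue
        m = FIELD.match(line)
        if m:
            last_field, value, field_indent = m.group(1).strip(), m.group(2).strip(), indent
            adapters[current].setdefault(last_field, [])
            if value:
                adapters[current][last_field].append(value)
    return adapters


def find_rogue_dns(adapters, trusted_resolvers=()):
    """Return (adapter, server, outside_lan) for every configured DNS server that is
    neither the adapter's default gateway nor inside `trusted_resolvers` (addresses
    or CIDR blocks, typically your ISP's resolvers)."""
    trusted = [ipaddress.ip_network(t, strict=False) for t in trusted_resolvers]
    findings = []
    for adapter, fields in adapters.items():
        gateways = [ipaddress.ip_network(g) for g in fields.get("Default Gateway", []) if g]
        allowed = trusted + gateways
        for server in fields.get("DNS Servers", []):
            try:
                ip = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
            except ValueError:
                continue
            if not any(ip in net for net in allowed):
                outside_lan = not any(ip in net for net in LAN_NETS)
                findings.append((adapter, str(ip), outside_lan))
    return findings


if __name__ == "__main__":
    for adapter, ip, outside in find_rogue_dns(parse_ipconfig(SAMPLE_IPCONFIG)):
        print("%s: unexpected DNS server %s%s" % (adapter, ip, " (outside the LAN)" if outside else ""))
```

A hit that is outside the LAN and not one of your ISP's resolvers is exactly the symptom the side note warns about; if the address was handed out by DHCP, the router itself is the thing to fix, and the same check will fail on every other machine in the house.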

Re: Win32 ZBOT.E

Unread postby Basacag » December 27th, 2010, 6:06 pm

No worries, I expect some delay anyhow just due to the time difference - I am in the UK.

Router password is good. No rogue IP addresses.


ComboFix 10-12-26.01 - Ian Hayward 27/12/2010 21:42:43.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.550 [GMT 0:00]
Running from: c:\documents and settings\Ian Hayward\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Ian Hayward\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\All Users\Documents\Server\hlp.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-27 to 2010-12-27 )))))))))))))))))))))))))))))))
.

2010-12-27 14:46 . 2010-12-27 14:46 339968 ----a-w- c:\windows\system32\RapportBuka.dll
2010-12-22 19:39 . 2010-12-22 19:39 -------- d-----w- c:\program files\ESET
2010-12-19 14:20 . 2010-12-19 14:20 -------- d-----w- c:\documents and settings\Ian Hayward\Local Settings\Application Data\Unity
2010-12-15 05:04 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 05:02 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-09 20:22 . 2010-12-09 20:22 388096 ----a-r- c:\documents and settings\Ian Hayward\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-09 20:22 . 2010-12-09 20:22 -------- d-----w- c:\program files\Trend Micro
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2010-12-08 21:15 . 2010-12-08 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-12-01 15:32 . 2010-12-01 15:32 -------- d-----w- c:\documents and settings\Ian Hayward\Local Settings\Application Data\MagicSoftware
2010-12-01 15:32 . 2010-12-01 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\MagicSoftware
2010-12-01 15:32 . 2010-12-01 15:32 -------- d-----w- c:\program files\MagicDVDRipper
2010-12-01 15:28 . 2010-12-01 15:29 -------- d-----w- c:\program files\7-Zip
2010-12-01 14:42 . 2010-12-01 14:42 -------- d-----w- c:\documents and settings\Ian Hayward\.dvdcss
2010-12-01 14:41 . 2010-12-01 14:48 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Digiarty
2010-12-01 14:41 . 2010-12-01 14:49 -------- d-----w- c:\program files\Digiarty
2010-12-01 14:22 . 2010-12-01 14:28 -------- d-----w- c:\program files\Raptr
2010-12-01 14:22 . 2010-12-01 14:22 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Raptr
2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2004-07-11 14:48 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2004-07-11 14:35 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-07-11 14:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:26 . 2004-01-21 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-03 12:25 . 2004-09-09 21:03 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-07-11 14:36 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-07-11 14:34 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-07-11 14:37 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [BU]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [BU]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [BU]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2010-07-27 06:30 8462336 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX620 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.EXE" [2004-05-19 98304]
"SoundMan"="SOUNDMAN.EXE" [2005-01-27 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-01 202256]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 ----a-w- c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKLM\~\startupfolder\C:^Documents and Settings^Ian Hayward^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 12:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-09-14 06:55 61440 ----a-w- d:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-04-01 19:08 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VSS"=3 (0x3)
"Themes"=2 (0x2)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"MDM"=2 (0x2)
"btwdins"=2 (0x2)
"BthServ"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"d:\\Program Files\\Eden Studios\\Rail Empires\\re-id.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"d:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\ubi.com\\Core\\GS4.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Monopoly 3\\Monopoly.exe"=
"c:\\WINDOWS\\SYSTEM32\\usmt\\migwiz.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\WINDOWS\\SYSTEM32\\javaw.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\football manager 2010\\fm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"d:\\Program Files\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3783:TCP"= 3783:TCP:VCP
"28900:TCP"= 28900:TCP:MSLR
"29900:TCP"= 29900:TCP:GP Connect mgr
"29901:TCP"= 29901:TCP:GP Search mgr
"6515:UDP"= 6515:UDP:DPlay UDP
"6500:TCP"= 6500:TCP:Query
"13139:UDP"= 13139:UDP:Custom UDP pings
"27900:UDP"= 27900:UDP:UDP Heartbeat
"25057:TCP"= 25057:TCP:AZ

R0 AVGIDSEH;AVGIDSEH;c:\windows\SYSTEM32\DRIVERS\AVGIDSEH.sys [13/09/2010 15:27 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [07/09/2010 02:48 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [07/09/2010 02:48 249424]
R1 Avgtdix;AVG TDI Driver;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [07/09/2010 02:49 298448]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]
S1 RapportBuka;RapportBuka;\??\c:\windows\system32\drivers\RapportBuka.sys --> c:\windows\system32\drivers\RapportBuka.sys [?]
S2 gupdate1c9c1e1ceb09090;Google Update Service (gupdate1c9c1e1ceb09090);c:\program files\Google\Update\GoogleUpdate.exe [20/04/2009 17:59 133104]
S3 alcan5ln;SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\SYSTEM32\DRIVERS\alcan5ln.sys [17/09/2004 22:18 36256]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\SYSTEM32\DRIVERS\AVGIDSDriver.sys [19/08/2010 20:42 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\SYSTEM32\DRIVERS\AVGIDSFilter.sys [19/08/2010 20:42 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\SYSTEM32\DRIVERS\AVGIDSShim.sys [19/08/2010 20:42 26192]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\Drivers\BDA_Capture_225.sys --> c:\windows\system32\Drivers\BDA_Capture_225.sys [?]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\SYSTEM32\DRIVERS\BDA_Loader_225.sys [17/06/2008 22:47 18944]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\IANHAY~1\LOCALS~1\Temp\gUSBSTOi.sys --> c:\docume~1\IANHAY~1\LOCALS~1\Temp\gUSBSTOi.sys [?]
S3 UMSSSTOR;C-Media Storage;c:\windows\system32\DRIVERS\UMSS.SYS --> c:\windows\system32\DRIVERS\UMSS.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [06/05/2008 15:06 11520]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
S4 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S4 avgwd;AVG WatchDog;"c:\program files\AVG\AVG10\avgwdsvc.exe" --> c:\program files\AVG\AVG10\avgwdsvc.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 17:59]

2010-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 17:59]

2010-12-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-839522115-413027322-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-12-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-839522115-413027322-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-12-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-839522115-413027322-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-12-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-839522115-413027322-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-12-27 c:\windows\Tasks\User_Feed_Synchronization-{E9B94A29-7FD1-4FBB-A04A-C738991B53D1}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.co.uk/
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus1.firstdirec ... doorFD.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-27 21:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll
c:\progra~1\COMMON~1\Stardock\mcpstub.dll

- - - - - - - > 'explorer.exe'(7060)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
d:\program files\Acronis\TrueImageHome\tishell.dll
d:\program files\Acronis\TrueImageHome\timounter.dll
c:\program files\7-Zip\7-zip.dll
c:\windows\system32\CmdLineExt.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\NMSAccess.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\UAService7.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\COMMON~1\Stardock\SDMCP.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-12-27 22:03:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-27 22:03
ComboFix2.txt 2010-12-21 21:53
ComboFix3.txt 2010-11-15 02:35
ComboFix4.txt 2010-11-14 21:12
ComboFix5.txt 2010-12-27 21:38

Pre-Run: 877,627,800,576 bytes free
Post-Run: 877,730,400,768 bytes free

- - End Of File - - 4CD08698575512AC8A034FD8DF28431E
Basacag
Regular Member
 
Posts: 32
Joined: December 9th, 2010, 4:25 pm

Re: Win32 ZBOT.E

Unread postby askey127 » December 28th, 2010, 7:48 am

Basacag,
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    File::
    C:\Program Files\tmp\x64.exe 
    C:\Program Files\win\x32.exe
    C:\Documents and Settings\Ian Hayward\Application Data\Sun\Java\Deployment\cache
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "d:\\Program Files\\Azureus\\Azureus.exe"=-
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "25057:TCP"=-
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
----------------------------------------------
You can download the free version of Revo Uninstaller from here: http://www.revouninstaller.com/revo_uni ... nload.html
I would attempt to use it to Uninstall the offending program(s) below.
It will succeed many times when regular methods fail.
These need to be removed:
Java 2 SDK, SE v1.4.2_15
Java(TM) 6 Update 14
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Azureus
AVG 2011

-------------------------------------------------------------

If you are able to Uninstall AVG, you can run the Antivir installer. Let me know how it goes.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
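The CFScript above uses the Registry:: section to delete two firewall exceptions that the ComboFix log listed under AuthorizedApplications\List and GloballyOpenPorts\List (the Azureus executable and its 25057:TCP port, labelled "AZ"). The script below is an added example, not part of the thread or of ComboFix: it parses those two REGEDIT4-style sections as ComboFix prints them and generates the matching `"value"=-` deletion lines, so you can audit every firewall hole at once instead of picking them out by eye. The excerpt is a shortened copy of the entries from the log in this thread; the substring list and port labels are the ones you would choose for the program being removed.

```python
import re

# Shortened copy of the firewall sections printed in the ComboFix log above.
# REGEDIT4 doubles the backslashes in value names; the data after "=" on a port entry
# is "port:proto:label".
FIREWALL_EXCERPT = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"d:\\Program Files\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3783:TCP"= 3783:TCP:VCP
"6515:UDP"= 6515:UDP:DPlay UDP
"25057:TCP"= 25057:TCP:AZ
"""

VALUE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def parse_reg_sections(text):
    """Return {key: [(value_name, data), ...]} from a REGEDIT4-style dump."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            m = VALUE.match(line)
            if m:
                sections[current].append((m.group(1), m.group(2)))
    return sections


def plan_firewall_cleanup(sections, app_substrings, port_labels):
    """Build the Registry:: part of a CFScript that deletes authorized-application
    entries whose path contains one of `app_substrings` (case-insensitive) and
    open-port entries whose label (text after the second colon) is in `port_labels`."""
    wanted = {s.lower() for s in app_substrings}
    script = ["Registry::"]
    for key, values in sections.items():
        if key.endswith("\\AuthorizedApplications\\List"):
            doomed = [name for name, _ in values if any(s in name.lower() for s in wanted)]
        elif key.endswith("\\GloballyOpenPorts\\List"):
            doomed = [name for name, data in values if data.split(":", 2)[-1] in port_labels]
        else:
            continue
        if doomed:
            script.append("[%s]" % key)
            script.extend('"%s"=-' % name for name in doomed)
            script.append("")
    return script


def open_ports(sections):
    """List every globally open port as (port, proto, label) so the full exposure
    of the machine is visible, not just the entries being removed."""
    result = []
    for key, values in sections.items():
        if key.endswith("\\GloballyOpenPorts\\List"):
            for _name, data in values:
                parts = data.split(":", 2)
                if len(parts) == 3:
                    result.append((int(parts[0]), parts[1], parts[2]))
    return result


if __name__ == "__main__":
    secs = parse_reg_sections(FIREWALL_EXCERPT)
    print("\n".join(plan_firewall_cleanup(secs, ["azureus"], {"AZ"})))
    for port, proto, label in open_ports(secs):
        print("open to the world: %d/%s (%s)" % (port, proto, label))
```

The generated text is what you would paste into CFScript.txt; the `=-` suffix is the REGEDIT4 notation for "delete this value", which ComboFix honours. Deleting the exception does not stop the program, so the uninstall step still has to happen as well.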

Re: Win32 ZBOT.E

Unread postby Basacag » December 28th, 2010, 11:55 pm

Hi askey127,

The Revo removal seems to have worked.

Avira installed.

Cheers

Ian

ComboFix 10-12-26.01 - Ian Hayward 28/12/2010 18:26:14.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.497 [GMT 0:00]
Running from: c:\documents and settings\Ian Hayward\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Ian Hayward\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\Ian Hayward\Application Data\Sun\Java\Deployment\cache"
"c:\program files\tmp\x64.exe"
"c:\program files\win\x32.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-28 )))))))))))))))))))))))))))))))
.

2010-12-27 14:46 . 2010-12-27 14:46 339968 ----a-w- c:\windows\system32\RapportBuka.dll
2010-12-22 19:39 . 2010-12-22 19:39 -------- d-----w- c:\program files\ESET
2010-12-19 14:20 . 2010-12-19 14:20 -------- d-----w- c:\documents and settings\Ian Hayward\Local Settings\Application Data\Unity
2010-12-15 05:04 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 05:02 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-09 20:22 . 2010-12-09 20:22 388096 ----a-r- c:\documents and settings\Ian Hayward\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-09 20:22 . 2010-12-09 20:22 -------- d-----w- c:\program files\Trend Micro
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2010-12-08 21:16 . 2010-12-08 21:16 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2010-12-08 21:15 . 2010-12-08 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-12-01 15:32 . 2010-12-01 15:32 -------- d-----w- c:\documents and settings\Ian Hayward\Local Settings\Application Data\MagicSoftware
2010-12-01 15:32 . 2010-12-01 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\MagicSoftware
2010-12-01 15:32 . 2010-12-01 15:32 -------- d-----w- c:\program files\MagicDVDRipper
2010-12-01 15:28 . 2010-12-01 15:29 -------- d-----w- c:\program files\7-Zip
2010-12-01 14:42 . 2010-12-01 14:42 -------- d-----w- c:\documents and settings\Ian Hayward\.dvdcss
2010-12-01 14:41 . 2010-12-01 14:48 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Digiarty
2010-12-01 14:41 . 2010-12-01 14:49 -------- d-----w- c:\program files\Digiarty
2010-12-01 14:22 . 2010-12-01 14:28 -------- d-----w- c:\program files\Raptr
2010-12-01 14:22 . 2010-12-01 14:22 -------- d-----w- c:\documents and settings\Ian Hayward\Application Data\Raptr
2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2004-07-11 14:48 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2004-07-11 14:35 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-07-11 14:35 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:26 . 2004-01-21 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-03 12:25 . 2004-09-09 21:03 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-07-11 14:36 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-07-11 14:34 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-07-11 14:37 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [BU]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [BU]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [BU]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2010-07-27 06:30 8462336 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX620 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9HE.EXE" [2004-05-19 98304]
"SoundMan"="SOUNDMAN.EXE" [2005-01-27 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-01 202256]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 ----a-w- c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKLM\~\startupfolder\C:^Documents and Settings^Ian Hayward^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 12:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-09-14 06:55 61440 ----a-w- d:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-04-01 19:08 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VSS"=3 (0x3)
"Themes"=2 (0x2)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"MDM"=2 (0x2)
"btwdins"=2 (0x2)
"BthServ"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"d:\\Program Files\\Eden Studios\\Rail Empires\\re-id.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"d:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\ubi.com\\Core\\GS4.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Monopoly 3\\Monopoly.exe"=
"c:\\WINDOWS\\SYSTEM32\\usmt\\migwiz.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\WINDOWS\\SYSTEM32\\javaw.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\football manager 2010\\fm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3783:TCP"= 3783:TCP:VCP
"28900:TCP"= 28900:TCP:MSLR
"29900:TCP"= 29900:TCP:GP Connect mgr
"29901:TCP"= 29901:TCP:GP Search mgr
"6515:UDP"= 6515:UDP:DPlay UDP
"6500:TCP"= 6500:TCP:Query
"13139:UDP"= 13139:UDP:Custom UDP pings
"27900:UDP"= 27900:UDP:UDP Heartbeat

R0 AVGIDSEH;AVGIDSEH;c:\windows\SYSTEM32\DRIVERS\AVGIDSEH.sys [13/09/2010 15:27 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [07/09/2010 02:48 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [07/09/2010 02:48 249424]
R1 Avgtdix;AVG TDI Driver;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [07/09/2010 02:49 298448]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]
S1 RapportBuka;RapportBuka;\??\c:\windows\system32\drivers\RapportBuka.sys --> c:\windows\system32\drivers\RapportBuka.sys [?]
S2 gupdate1c9c1e1ceb09090;Google Update Service (gupdate1c9c1e1ceb09090);c:\program files\Google\Update\GoogleUpdate.exe [20/04/2009 17:59 133104]
S3 alcan5ln;SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\SYSTEM32\DRIVERS\alcan5ln.sys [17/09/2004 22:18 36256]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\SYSTEM32\DRIVERS\AVGIDSDriver.sys [19/08/2010 20:42 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\SYSTEM32\DRIVERS\AVGIDSFilter.sys [19/08/2010 20:42 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\SYSTEM32\DRIVERS\AVGIDSShim.sys [19/08/2010 20:42 26192]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\Drivers\BDA_Capture_225.sys --> c:\windows\system32\Drivers\BDA_Capture_225.sys [?]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\SYSTEM32\DRIVERS\BDA_Loader_225.sys [17/06/2008 22:47 18944]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\IANHAY~1\LOCALS~1\Temp\gUSBSTOi.sys --> c:\docume~1\IANHAY~1\LOCALS~1\Temp\gUSBSTOi.sys [?]
S3 UMSSSTOR;C-Media Storage;c:\windows\system32\DRIVERS\UMSS.SYS --> c:\windows\system32\DRIVERS\UMSS.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [06/05/2008 15:06 11520]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
S4 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S4 avgwd;AVG WatchDog;"c:\program files\AVG\AVG10\avgwdsvc.exe" --> c:\program files\AVG\AVG10\avgwdsvc.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 17:59]

2010-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 17:59]

2010-12-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-839522115-413027322-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-12-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-839522115-413027322-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-12-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-839522115-413027322-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-12-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-839522115-413027322-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-12-28 c:\windows\Tasks\User_Feed_Synchronization-{E9B94A29-7FD1-4FBB-A04A-C738991B53D1}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.co.uk/
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus1.firstdirec ... doorFD.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-28 18:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll
c:\progra~1\COMMON~1\Stardock\mcpstub.dll

- - - - - - - > 'explorer.exe'(8200)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\NMSAccess.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\UAService7.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\COMMON~1\Stardock\SDMCP.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-12-28 18:49:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-28 18:49
ComboFix2.txt 2010-12-27 22:03
ComboFix3.txt 2010-12-21 21:53
ComboFix4.txt 2010-11-15 02:35
ComboFix5.txt 2010-12-28 18:13

Pre-Run: 877,718,776,832 bytes free
Post-Run: 877,694,026,752 bytes free

- - End Of File - - D51083390BD64D6EBC0E9E01E2823022
Basacag
Regular Member
 
Posts: 32
Joined: December 9th, 2010, 4:25 pm