Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Please help a lost soul

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Please help a lost soul

Unread postby nineinchheel » April 22nd, 2009, 1:54 pm

Hello, I believe my computer has Malware any help would be so greatly appreciated. Also, I think in your literature it says that I should let you know that I get my internet through a router. Regards, nineinchheel. Below is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:49:51, on 22/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\George\Application Data\pidle\pidle.exe
C:\Documents and Settings\George\Application Data\Twain\Twain.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6596bbb4-9082-4777-82cd-333690824933} - c:\windows\system32\rspbewx.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {d7ff7b78-b293-42f8-965f-49b0708bb6c0} - C:\WINDOWS\system32\wivevevi.dll (file missing)
O2 - BHO: HelloWorldBHO - {d88e1558-7c2d-407a-953a-c044f5607cea} - C:\Program Files\Jcore\Jcore2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [kohiwemuzi] Rundll32.exe "C:\WINDOWS\system32\sinahuti.dll",s
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\George\Application Data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\George\Application Data\Twain\Twain.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{B98AAA0F-DE81-4AC5-B45A-FACC2E6BC232}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\risojaro.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 7317 bytes
nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands
Advertisement
Register to Remove

Re: Please help a lost soul

Unread postby dan12 » April 22nd, 2009, 6:05 pm

welcome to malwareremoval forums

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note! that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help a lost soul

Unread postby nineinchheel » April 22nd, 2009, 8:06 pm

AC3Filter (remove only)
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.0.8
Adobe Shockwave Player
ALPS Touch Pad Driver
ANNO 1602 - Gold Edition
Apple Software Update
Atheros Client Utility
Atheros Wireless LAN MiniPCI/PCIe card Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
AutoImager
AutoImager
Bluesoleil2.6.0.1 Release 070402
BT Fabric Keyboard
CamStudio Lossless Codec
CD/DVD Drive Acoustic Silencer
Civ II : Test Of Time
Coda codec pack
Command & Conquer Tiberian Sun
CoreVorbis Audio Decoder (remove only)
DC++ 0.698
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DOOM Collector's Edition
Dungeon Keeper Gold
eMusic Remote 1.0.0.2
ETHNIC CLEANSING
ffdshow [rev 2844] [2009-03-30]
FileZilla Client 3.2.0
FLV Player 1.3.3
Free M4a to MP3 Converter 6.0
GoldWave v5.23
Great Battles of WWII: Stalingrad (Demo)
GTK+ Runtime 2.6.9 rev a (remove only)
Hauppauge English Help Files and Resources
Heroes of Might and Magic II
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB894871)
Hotfix for Windows XP (KB895200)
Hotfix for Windows XP (KB896243)
Hotfix for Windows XP (KB896256)
Huffyuv AVI lossless video codec (Remove Only)
Icewind Dale
Icewind Dale - Heart of Winter
IconXP
InternetPlayer
InterVideo FilterSDK for Hauppauge
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 11
Java(TM) 6 Update 7
LEGO Creator Knights' Kingdom
Macromedia Flash Player
Maxthon Browser (remove only)
McDonald's Fairies
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Digital Image 2006 Starter Edition
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Morgan Stream Switcher
Mozilla Firefox (3.0.8)
Mozilla Thunderbird (2.0.0.21)
MSXML 6.0 Parser (KB927977)
OpenOffice.org 3.0
Opera 9.63
Paint Shop Pro 7
PowerISO
Quick Death 2.1
QuickTime
QuickTime Alternative 1.66
RAMBooster.Net
Real Lives 2007
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
Realtek High Definition Audio Driver
RPG Maker 2000 - Super Columbine Massacre RPG!
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB925486)
ShellExView
Skype™ 3.8
smartision ScreenCopy 2.3
Sophos Anti-Virus
Sophos AutoUpdate
Spybot - Search & Destroy
StarCraft
Stronghold
SUPER © Version 2009.bld.35 (Jan 5, 2009)
SurfOffline Professional 2
SWF & FLV Toolbox 3.5 (build 3.5.25.503)
Tag&Rename 3.2
Theme Hospital
Tom Clancy's Rainbow Six
TOSHIBA Accessibility
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Direct Disc Writer
TOSHIBA Disc Creator
TOSHIBA Hardware Setup
TOSHIBA Hotkey Utility
TOSHIBA Manuals
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA Software Modem
TOSHIBA Supervisor Password
TOSHIBA Virtual Sound
Touch and Launch
TouchPad On/Off Utility
Trillian
TuneUp Utilities 2007
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VC80CRTRedist - 8.0.50727.762
VDMSound 2.0.4
VideoLAN VLC media player 0.8.1
Westwood Shared Internet Components
Winamp
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888622
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893056
Windows XP Hotfix - KB896626
WinRAR archiver
XP Codec Pack
XviD MPEG-4 Video Codec
Zip Motion Block Video codec (Remove Only)
nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands

Re: Please help a lost soul

Unread postby dan12 » April 22nd, 2009, 8:22 pm

Have you set this ip address?
O17 - HKLM\System\CCS\Services\Tcpip\..\{B98AAA0F-DE81-4AC5-B45A-FACC2E6BC232}: NameServer = 208.67.220.220,208.67.222.222

-------------

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)


O2 - BHO: (no name) - {6596bbb4-9082-4777-82cd-333690824933} - c:\windows\system32\rspbewx.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {d7ff7b78-b293-42f8-965f-49b0708bb6c0} - C:\WINDOWS\system32\wivevevi.dll (file missing)

O4 - HKLM\..\Run: [kohiwemuzi] Rundll32.exe "C:\WINDOWS\system32\sinahuti.dll",s

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\risojaro.dll (file missing)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit



ATF Cleaner
Download ATF Cleaner here by Atribune.
    Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.





: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt


Post malwarebytes report.
Dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help a lost soul

Unread postby nineinchheel » April 23rd, 2009, 5:25 am

Dan I certainly don't remember setting this IP address: O17 - HKLM\System\CCS\Services\Tcpip\..\{B98AAA0F-DE81-4AC5-B45A-FACC2E6BC232}: NameServer = 208.67.220.220,208.67.222.222

Malwarebytes' Anti-Malware report follows:

Malwarebytes' Anti-Malware 1.36
Database version: 2030
Windows 5.1.2600 Service Pack 2

23/04/2009 10:17:12
mbam-log-2009-04-23 (10-17-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 174446
Time elapsed: 44 minute(s), 19 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 11

Memory Processes Infected:
C:\Documents and Settings\George\Application Data\pidle\pidle.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\George\Application Data\Twain\Twain.exe (Trojan.Proxy) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pidle (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twain (Trojan.Proxy) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\George\Application Data\pidle (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Jcore (Trojan.BHO) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\George\Application Data\pidle\pidle.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\George\Application Data\Twain\Twain.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\Program Files\Jcore\Jcore2.dll (Trojan.BHO) -> Delete on reboot.
C:\jjomgvxe.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthcuotkquqgvoktbveimoklpiqfcnqufsy.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthppbmofptxipgbaarogwaamrhbciwtrey.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthqmomykyhsagvpcopwfoquvjigienqlwq.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ak1.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hf873uwndf.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\kvjkpsbk.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\mxntwq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands

Re: Please help a lost soul

Unread postby dan12 » April 23rd, 2009, 6:21 am

Hi, Yes, looks like you have a rootkit going on.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Image


Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help a lost soul

Unread postby nineinchheel » April 23rd, 2009, 2:48 pm

ComboFix 09-04-23.A3 - George 23/04/2009 19:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.382.82 [GMT 1:00]
Running from: c:\documents and settings\George\Desktop\Combo-Fix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\George\Local Settings\Temporary Internet Files\fbk.sts
.
---- Previous Run -------
.
c:\documents and settings\George\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\drivers\ovfsthqmomykyhsagvpcopwfoquvjigienqlwq.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\ovfsthcjxmxmhqloymqpualunooqbrmutuuhhp.dll
c:\windows\system32\ovfsthcuotkquqgvoktbveimoklpiqfcnqufsy.dll
c:\windows\system32\ovfsthjftdpxnmcaphvysvpjynamnuirxxplyf.dat
c:\windows\system32\ovfsthobkfdlloohjixiqarsipoimybanrakol.dat
c:\windows\system32\ovfsthppbmofptxipgbaarogwaamrhbciwtrey.dll
c:\windows\system32\Process.exe
c:\windows\system32\pthreadGC2.dll
c:\windows\system32\rspbewx.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthgwsyejkelxlppppjyojextxfeoyjeamt
-------\Legacy_qngubwfo
-------\Service_qngubwfo


((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-4-23 )))))))))))))))))))))))))))))))
.

2009-04-23 08:15 . 2009-04-23 08:15 -------- d-----w c:\documents and settings\George\Application Data\Malwarebytes
2009-04-23 08:14 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 08:14 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 08:14 . 2009-04-23 08:14 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 00:06 . 2009-04-23 00:06 -------- d-s---w c:\windows\system32\config\systemprofile\UserData
2009-04-22 09:31 . 2009-04-23 09:17 -------- d-----w c:\documents and settings\George\Application Data\Twain
2009-04-22 00:26 . 2009-04-23 18:34 -------- d-----w C:\ComboFix
2009-04-22 00:23 . 2009-04-22 00:23 0 ----a-w c:\windows\TPTray.INI
2009-04-22 00:16 . 2009-04-22 00:16 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\nyqrbapj
2009-04-22 00:16 . 2009-04-22 00:16 -------- d-----w c:\documents and settings\NetworkService\Application Data\nyqrbapj
2009-04-21 23:48 . 2009-04-21 23:48 577024 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-04-21 23:45 . 2009-04-21 23:45 -------- d-----w c:\windows\ERUNT
2009-04-21 23:43 . 2009-04-22 00:22 -------- d-----w C:\SDFix
2009-04-21 16:18 . 2009-04-21 16:18 -------- d-----w c:\documents and settings\George\Application Data\nyqrbapj
2009-04-21 16:18 . 2009-04-21 16:18 -------- d-----w c:\documents and settings\George\Local Settings\Application Data\nyqrbapj
2009-04-21 13:37 . 2009-04-21 13:37 -------- d-----w C:\VundoFix Backups
2009-04-21 13:35 . 2009-04-21 13:35 213376 -c--a-w c:\windows\system32\dllcache\ndis.sys
2009-04-21 13:27 . 2009-04-23 18:43 113276 ----a-w c:\windows\system32\drivers\d83568e8.sys
2009-04-18 10:41 . 2003-06-25 15:05 266360 ----a-w c:\windows\system32\TweakUI.exe
2009-04-18 10:41 . 2002-06-21 14:09 160217 ----a-w c:\windows\system32\PowerToysLicense.rtf
2009-04-18 10:33 . 2006-07-13 13:33 8453632 ----a-w c:\windows\system32\shell32.backup
2009-04-17 00:19 . 2009-04-19 10:11 -------- d-----w c:\windows\Windows98_icons
2009-04-17 00:16 . 2009-04-17 00:17 -------- dc-h--w c:\documents and settings\All Users\Application Data\{E33597A3-E995-4DA4-A3A0-F1775979A8E0}
2009-04-16 23:55 . 2002-10-28 12:23 1662 ----a-w c:\windows\29_ico_5.ico
2009-04-16 23:48 . 2002-10-28 13:33 1662 ----a-w c:\windows\The Internet_ico_5.ico
2009-04-16 23:32 . 2002-10-28 13:17 766 ----a-w c:\windows\Hard Drive_ico_3.ico
2009-04-16 21:41 . 2004-08-04 12:00 1032192 ----a-w c:\windows\explorer.exebackup
2009-04-16 19:02 . 2007-05-17 16:30 318976 ----a-w c:\windows\system32\avisynth.dll
2009-04-16 19:02 . 2004-02-22 09:11 719872 ----a-w c:\windows\system32\devil.dll
2009-04-16 19:02 . 2005-07-14 11:31 27648 ----a-w c:\windows\system32\AVSredirect.dll
2009-04-16 19:02 . 2004-01-24 23:00 70656 ----a-w c:\windows\system32\yv12vfw.dll
2009-04-16 19:02 . 2004-01-24 23:00 70656 ----a-w c:\windows\system32\i420vfw.dll
2009-04-16 18:58 . 2009-04-16 18:58 -------- d-----w c:\windows\system32\languages
2009-04-15 15:13 . 2004-07-29 01:19 175104 ----a-w c:\windows\lame_enc.dll
2009-04-14 22:10 . 2009-04-14 22:10 0 ----a-w c:\windows\nsreg.dat
2009-04-14 22:09 . 2009-04-14 22:11 -------- d-----w c:\documents and settings\George\Local Settings\Application Data\Thunderbird
2009-04-14 22:09 . 2009-04-14 22:10 -------- d-----w c:\documents and settings\George\Application Data\Thunderbird
2009-04-12 16:41 . 2009-04-12 16:41 -------- d-----w c:\documents and settings\George\Bullfrog
2009-04-12 16:41 . 2009-04-12 16:41 -------- d-----w c:\windows\system\KEEPER
2009-04-05 17:48 . 1998-05-29 08:51 274432 ----a-w c:\windows\system32\VCT32150.dll
2009-04-05 17:48 . 1997-09-03 15:58 195584 ----a-w c:\windows\system32\MVoice.vxp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 18:34 . 2006-09-21 12:50 -------- d-----w c:\documents and settings\George\Application Data\Skype
2009-04-23 18:33 . 2008-12-30 13:32 -------- d-----w c:\documents and settings\George\Application Data\uTorrent
2009-04-23 18:30 . 2009-04-14 22:08 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-23 08:14 . 2009-04-23 08:14 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 17:49 . 2009-04-22 17:49 -------- d-----w c:\program files\Trend Micro
2009-04-21 23:43 . 2009-04-21 13:37 270 ----a-w C:\VundoFix.txt
2009-04-21 13:35 . 2006-05-22 07:36 213376 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-21 13:32 . 2009-01-21 13:31 50688 --sha-w c:\windows\system32\nonoleve.exe
2009-04-19 18:43 . 2007-08-05 00:11 -------- d-----w c:\program files\DOSBox-0.71
2009-04-18 10:34 . 2009-04-18 10:14 -------- d-----w c:\program files\iColorFolder
2009-04-18 10:18 . 2007-01-30 16:36 195 ----a-w C:\Delapp.bat
2009-04-18 09:58 . 2009-04-18 09:58 -------- d-----w c:\program files\IconXP
2009-04-17 00:23 . 2008-05-17 10:41 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-17 00:17 . 2009-04-17 00:17 -------- d-----w c:\program files\Mystik Media
2009-04-16 21:48 . 2006-09-03 14:31 66648 ----a-w c:\documents and settings\George\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 19:02 . 2009-04-16 19:02 -------- d-----w c:\program files\AviSynth 2.5
2009-04-16 19:01 . 2009-04-16 19:01 -------- d-----w c:\program files\eRightSoft
2009-04-16 18:58 . 2009-04-16 18:58 29910 ----a-w c:\windows\system32\unins000.dat
2009-04-16 18:57 . 2009-04-16 18:58 684636 ----a-w c:\windows\system32\unins000.exe
2009-04-15 23:30 . 2009-04-15 23:30 -------- d-----w c:\program files\XeroBank
2009-04-14 17:30 . 2009-03-15 18:23 244 ---ha-w C:\sqmnoopt18.sqm
2009-04-14 17:30 . 2009-03-15 18:23 232 ---ha-w C:\sqmdata18.sqm
2009-04-14 16:56 . 2009-03-13 09:42 244 ---ha-w C:\sqmnoopt17.sqm
2009-04-14 16:56 . 2009-03-13 09:42 232 ---ha-w C:\sqmdata17.sqm
2009-04-12 16:41 . 2007-07-03 00:13 -------- d-----w c:\program files\Bullfrog
2009-04-12 03:42 . 2009-04-12 03:42 -------- d-----w c:\program files\ebrary
2009-04-09 00:11 . 2006-10-03 16:22 -------- d-----w c:\program files\DivX
2009-04-09 00:10 . 2009-04-09 00:10 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-05 17:45 . 2009-04-05 17:45 -------- d-----w c:\program files\Red Storm Entertainment
2009-04-05 14:18 . 2007-02-01 20:38 -------- d-----w c:\documents and settings\George\Application Data\Lavasoft
2009-04-01 19:25 . 2009-04-01 19:25 -------- d-----w c:\program files\MySpace Grab
2009-03-31 19:55 . 2008-07-28 22:59 -------- d-----w c:\program files\StarCraft
2009-03-31 16:15 . 2008-11-11 14:17 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-31 16:11 . 2007-02-03 18:38 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-31 13:42 . 2009-03-12 13:11 244 ---ha-w C:\sqmnoopt16.sqm
2009-03-31 13:42 . 2009-03-12 13:11 232 ---ha-w C:\sqmdata16.sqm
2009-03-30 17:00 . 2009-03-11 10:37 244 ---ha-w C:\sqmnoopt15.sqm
2009-03-30 17:00 . 2009-03-11 10:37 232 ---ha-w C:\sqmdata15.sqm
2009-03-30 14:01 . 2009-03-10 10:28 244 ---ha-w C:\sqmnoopt14.sqm
2009-03-30 14:01 . 2009-03-10 10:28 232 ---ha-w C:\sqmdata14.sqm
2009-03-30 13:34 . 2009-03-10 01:43 244 ---ha-w C:\sqmnoopt13.sqm
2009-03-30 13:34 . 2009-03-10 01:43 232 ---ha-w C:\sqmdata13.sqm
2009-03-30 13:20 . 2009-03-09 22:14 244 ---ha-w C:\sqmnoopt12.sqm
2009-03-30 13:20 . 2009-03-09 22:14 232 ---ha-w C:\sqmdata12.sqm
2009-03-30 13:14 . 2009-03-09 18:21 244 ---ha-w C:\sqmnoopt11.sqm
2009-03-30 13:14 . 2009-03-09 18:21 232 ---ha-w C:\sqmdata11.sqm
2009-03-30 13:11 . 2009-03-09 18:17 244 ---ha-w C:\sqmnoopt10.sqm
2009-03-30 13:11 . 2009-03-09 18:17 232 ---ha-w C:\sqmdata10.sqm
2009-03-30 12:48 . 2009-03-08 15:31 244 ---ha-w C:\sqmnoopt09.sqm
2009-03-30 12:48 . 2009-03-08 15:31 232 ---ha-w C:\sqmdata09.sqm
2009-03-26 11:45 . 2009-02-22 12:03 244 ---ha-w C:\sqmnoopt08.sqm
2009-03-26 11:45 . 2009-02-22 12:03 232 ---ha-w C:\sqmdata08.sqm
2009-03-23 21:29 . 2009-02-21 16:44 244 ---ha-w C:\sqmnoopt07.sqm
2009-03-23 21:29 . 2009-02-21 16:44 232 ---ha-w C:\sqmdata07.sqm
2009-03-23 20:49 . 2009-02-01 14:06 244 ---ha-w C:\sqmnoopt06.sqm
2009-03-23 20:49 . 2009-02-01 14:06 232 ---ha-w C:\sqmdata06.sqm
2009-03-23 18:19 . 2009-02-01 13:40 244 ---ha-w C:\sqmnoopt05.sqm
2009-03-23 18:19 . 2009-02-01 13:40 232 ---ha-w C:\sqmdata05.sqm
2009-03-21 09:19 . 2009-02-01 03:33 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-21 09:19 . 2009-02-01 03:33 232 ---ha-w C:\sqmdata04.sqm
2009-03-20 10:31 . 2009-01-31 23:41 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-20 10:31 . 2009-01-31 23:41 232 ---ha-w C:\sqmdata03.sqm
2009-03-19 10:08 . 2009-01-31 21:34 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-19 10:08 . 2009-01-31 21:34 232 ---ha-w C:\sqmdata02.sqm
2009-03-18 10:44 . 2009-01-31 13:07 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-18 10:44 . 2009-01-31 13:07 232 ---ha-w C:\sqmdata01.sqm
2009-03-17 01:07 . 2008-12-05 00:39 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-17 01:07 . 2008-12-05 00:39 232 ---ha-w C:\sqmdata00.sqm
2009-03-16 01:26 . 2009-03-16 01:26 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-16 01:26 . 2009-03-16 01:26 232 ---ha-w C:\sqmdata19.sqm
2009-03-08 20:10 . 2008-10-30 00:57 -------- d-----w c:\documents and settings\George\Application Data\U3
2009-02-24 19:35 . 2006-10-03 16:23 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-02-24 19:35 . 2006-10-02 11:36 129784 ------w c:\windows\system32\pxafs.dll
2009-02-24 19:35 . 2006-10-02 11:36 118520 ------w c:\windows\system32\pxinsi64.exe
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-23 02:03 . 2006-10-26 01:31 -------- d-----w c:\program files\AltoMP3 Gold
2009-02-23 02:02 . 2007-11-26 17:34 -------- d-----w c:\program files\WinTV
2009-02-23 01:59 . 2009-02-21 21:31 -------- d-----w c:\documents and settings\George\Application Data\FMZilla
2006-12-03 15:35 . 2006-12-03 15:35 0 ----a-w c:\documents and settings\George\Application Data\wklnhst.dat
2006-05-22 12:23 . 2007-02-03 22:50 12328 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\opera\program\plugins\libdivx.dll
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\opera\program\plugins\ssldivx.dll
2007-04-17 23:20 . 2007-04-17 23:20 56 --sh--r c:\windows\system32\512601FDB7.sys
2006-05-03 10:06 . 2009-04-16 19:01 163328 --sh--r c:\windows\system32\flvDX.dll
2007-04-17 23:20 . 2007-04-17 23:20 1890 --sha-w c:\windows\system32\KGyGaAvL.sys
2007-02-21 11:47 . 2009-04-16 19:01 31232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-04-16 19:01 216064 --sh--r c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[-] 2009-04-21 13:35 213376 3D748D850B1C17C357C54BBFD4835F27 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-21 13:35 213376 3D748D850B1C17C357C54BBFD4835F27 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-04-23 22058792]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-09-18 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2006-03-16 634880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 53248]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 262144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-18 16143872]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-18 89541]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-08-11 266240]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\inf\\explorer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22178:TCP"= 22178:TCP:BitComet 22178 TCP
"22178:UDP"= 22178:UDP:BitComet 22178 UDP

R3 CAM1690;USB 2.0 Compliance JPEG Video Camera; [x]
R3 Fadpu16E;Fadpu16E; [x]
R3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\system32\Drivers\hcw95bda.sys [2007-04-04 467456]
R3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\system32\DRIVERS\hcw95rc.sys [2007-04-04 15488]
S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2007-11-14 101120]
S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2007-11-14 33408]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2007-11-14 69632]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2007-11-28 98304]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\DRIVERS\tdudf.sys [2006-04-18 98816]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b5145fc-a40e-11dd-ad95-0009dd60b0c9}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-06-27 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2006-05-22 12:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {B98AAA0F-DE81-4AC5-B45A-FACC2E6BC232} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\George\Application Data\Mozilla\Firefox\Profiles\g3sq6njz.default\
FF - prefs.js: browser.startup.homepage - hxxp://vle.coventry.ac.uk/webct/entryPageIns.dowebct
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsabffx.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\windows\system32\SuperAdBlocker.com\npsabffx.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 19:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\d83568e8]
"ImagePath"="\SystemRoot\System32\drivers\d83568e8.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\l3codeca.acm
.
Completion time: 2009-04-23 19:46
ComboFix-quarantined-files.txt 2009-04-23 18:45

Pre-Run: 759,140,352 bytes free
Post-Run: 757,403,648 bytes free

281



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:47:05, on 23/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{B98AAA0F-DE81-4AC5-B45A-FACC2E6BC232}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 5928 bytes
nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands

Re: Please help a lost soul

Unread postby dan12 » April 23rd, 2009, 3:22 pm

I will be looking over returned logs soon. It's important you nly run the tools I ask for the duration of the fix as I can see several tools that have been used,you may well of tried before you asked for help.
catch you soon.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help a lost soul

Unread postby dan12 » April 23rd, 2009, 4:01 pm

We have a bit to do yet, but getting there.


Please read this - viewtopic.php?t=550

If you want to continue, you have to remove DOSBox-0.71



IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

uTorrent

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

-------------------------

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti

Please visit Jotti
Copy/paste the the following file path into the window
c:\windows\system32\drivers\d83568e8.sys

Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
c:\windows\system32\nonoleve.exe

If Jotti is too busy please try Virustotal

post jotti's results.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help a lost soul

Unread postby nineinchheel » April 23rd, 2009, 8:31 pm

Uninstalled Utorrent and DOSBox as requested. Jotti reports follow:

When I try to submit d83568e8.sys I get the following error message:
"C:\WINDOWS\system32\drivers\d83568e8.sys" specified one or more files that could not be found.
This happens if I type the location and if I navigate to it (Choose...)
I also tried submitting it to VirusTotal to see if that would provide more joy, but when I choose the file I get a perpertual loading screen.

File: nonoleve.exe
Status: INFECTED/MALWARE
MD5: 8ae2444561a449e4a84c3f1d901e36c0
Packers detected: -

Scanner results
Scan taken on 24 Apr 2009 00:19:58 (GMT)
A-Squared Found Trojan.Vundo!IK
AntiVir Found TR/Vundo.Gen
ArcaVir Found Heur.W32
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader:W32/Agent.KCW
Ikarus Found Trojan.Vundo
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found nothing
nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands

Re: Please help a lost soul

Unread postby dan12 » April 23rd, 2009, 8:42 pm

Don't worry about jotti's with that file.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
File::
c:\windows\system32\nonoleve.exe 
C:\sqmnoopt18.sqm
C:\sqmdata18.sqm
C:\sqmnoopt17.sqm
C:\sqmdata17.sqm
C:\sqmnoopt16.sqm
C:\sqmdata16.sqm
C:\sqmnoopt15.sqm
C:\sqmdata15.sqm
C:\sqmnoopt14.sqm
C:\sqmdata14.sqm
C:\sqmnoopt13.sqm
C:\sqmdata13.sqm
C:\sqmnoopt12.sqm
C:\sqmdata12.sqm
C:\sqmnoopt11.sqm
C:\sqmdata11.sqm
C:\sqmnoopt10.sqm
C:\sqmdata10.sqm
C:\sqmnoopt09.sqm
C:\sqmdata09.sqm
C:\sqmnoopt08.sqm
C:\sqmdata08.sqm
C:\sqmnoopt07.sqm
C:\sqmdata07.sqm
C:\sqmnoopt06.sqm
C:\sqmdata06.sqm
C:\sqmnoopt05.sqm
C:\sqmdata05.sqm
C:\sqmnoopt04.sqm
C:\sqmdata04.sqm
C:\sqmnoopt03.sqm
C:\sqmdata03.sqm
C:\sqmnoopt02.sqm
C:\sqmdata02.sqm
C:\sqmnoopt01.sqm
C:\sqmdata01.sqm
C:\sqmnoopt00.sqm
C:\sqmdata00.sqm
C:\sqmnoopt19.sqm
C:\sqmdata19.sqm
C:\Delapp.bat
C:\VundoFix.txt
FileLook::
c:\windows\system32\drivers\d83568e8.sys
Folder::
c:\documents and settings\George\Application Data\uTorrent
c:\program files\DOSBox-0.71
c:\documents and settings\NetworkService\Local Settings\Application Data\nyqrbapj
c:\documents and settings\NetworkService\Application Data\nyqrbapj
C:\SDFix
c:\documents and settings\George\Application Data\nyqrbapj
c:\documents and settings\George\Local Settings\Application Data\nyqrbapj
C:\VundoFix Backups
Driver::
CAM1690
 Fadpu16E
hcw95bda
hcw95rc
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b5145fc-a40e-11dd-ad95-0009dd60b0c9}]

    


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


update malwarebytes do a full scan.
let me see the combofix txt and malwarebytes report and a fresh HJT log.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help a lost soul

Unread postby nineinchheel » April 24th, 2009, 7:07 am

ComboFix 09-04-23.A3 - George 24/04/2009 2:02.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.382.141 [GMT 1:00]
Running from: c:\documents and settings\George\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\George\Desktop\cfscript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
C:\Delapp.bat
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmdata14.sqm
C:\sqmdata15.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmdata19.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\sqmnoopt14.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
C:\sqmnoopt19.sqm
C:\VundoFix.txt
c:\windows\system32\nonoleve.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Delapp.bat
c:\documents and settings\George\Application Data\nyqrbapj
c:\documents and settings\George\Application Data\nyqrbapj\profiles.ini
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\cert8.db
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\compatibility.ini
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\compreg.dat
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\cookies.sqlite
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\formhistory.sqlite
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\key3.db
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\localstore.rdf
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\permissions.sqlite
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\places.sqlite-journal
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\places.sqlite
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\pluginreg.dat
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\prefs.js
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\secmod.db
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\webappsstore.sqlite
c:\documents and settings\George\Application Data\nyqrbapj\Profiles\xxi6gshc.default\xpti.dat
c:\documents and settings\George\Application Data\uTorrent
c:\documents and settings\George\Application Data\uTorrent\51-100.torrent
c:\documents and settings\George\Application Data\uTorrent\dht.dat
c:\documents and settings\George\Application Data\uTorrent\dht.dat.old
c:\documents and settings\George\Application Data\uTorrent\resume.dat
c:\documents and settings\George\Application Data\uTorrent\resume.dat.old
c:\documents and settings\George\Application Data\uTorrent\rss.dat
c:\documents and settings\George\Application Data\uTorrent\rss.dat.old
c:\documents and settings\George\Application Data\uTorrent\settings.dat
c:\documents and settings\George\Application Data\uTorrent\settings.dat.old
c:\documents and settings\George\Application Data\uTorrent\utorrent.lng
c:\documents and settings\George\Local Settings\Application Data\nyqrbapj
c:\documents and settings\George\Local Settings\Application Data\nyqrbapj\Profiles\xxi6gshc.default\urlclassifier3.sqlite
c:\documents and settings\George\Local Settings\Application Data\nyqrbapj\Profiles\xxi6gshc.default\XPC.mfl
c:\documents and settings\NetworkService\Application Data\nyqrbapj
c:\documents and settings\NetworkService\Application Data\nyqrbapj\profiles.ini
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\cert8.db
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\key3.db
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\prefs.js
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\secmod.db
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\nyqrbapj\Profiles\eyjepn2p.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\nyqrbapj
c:\documents and settings\NetworkService\Local Settings\Application Data\nyqrbapj\Profiles\eyjepn2p.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\nyqrbapj\Profiles\eyjepn2p.default\XPC.mfl
C:\SDFix
c:\sdfix\Add_DBFix_RunOnce_key.inf
c:\sdfix\apps\assosfix.reg
c:\sdfix\apps\Cghtme.exe
c:\sdfix\apps\cliptext.exe
c:\sdfix\apps\DBFix.inf
c:\sdfix\apps\download.exe
c:\sdfix\apps\dummy.sys
c:\sdfix\apps\Enable_Command_Prompt.inf
c:\sdfix\apps\Enable_Command_Prompt.reg
c:\sdfix\apps\ERDNT.E_E
c:\sdfix\apps\ERDNTDOS.LOC
c:\sdfix\apps\ERDNTWIN.LOC
c:\sdfix\apps\ERUNT.EXE
c:\sdfix\apps\ERUNT.LOC
c:\sdfix\apps\fix.reg
c:\sdfix\apps\FixBeep.reg
c:\sdfix\apps\FixBH.reg
c:\sdfix\apps\FixComponents.reg
c:\sdfix\apps\FIXCU.reg
c:\sdfix\apps\FIXLM.reg
c:\sdfix\apps\FixPath.exe
c:\sdfix\apps\FixRedir.reg
c:\sdfix\apps\FixSchedule.reg
c:\sdfix\apps\FixWebCheck.reg
c:\sdfix\apps\fixXP.reg
c:\sdfix\apps\FixXPsp2.reg
c:\sdfix\apps\grep.exe
c:\sdfix\apps\HaxdFix.reg
c:\sdfix\apps\HPFix.reg
c:\sdfix\apps\HPFix2.reg
c:\sdfix\apps\HPFix3.reg
c:\sdfix\apps\HPFix4.reg
c:\sdfix\apps\HPFix5.reg
c:\sdfix\apps\HPFix6.reg
c:\sdfix\apps\HPFix7.reg
c:\sdfix\apps\HPFix8.reg
c:\sdfix\apps\HPFix9.reg
c:\sdfix\apps\Installed.txt
c:\sdfix\apps\isadmin.exe
c:\sdfix\apps\leg2.txt
c:\sdfix\apps\legacy.txt
c:\sdfix\apps\legacybk.txt
c:\sdfix\apps\locate.com
c:\sdfix\apps\LS.exe
c:\sdfix\apps\MD5File.exe
c:\sdfix\apps\moveex.exe
c:\sdfix\apps\MyGcpvFix.reg
c:\sdfix\apps\MyGkFix2.reg
c:\sdfix\apps\Process.exe
c:\sdfix\apps\procs.exe
c:\sdfix\apps\psservice.exe
c:\sdfix\apps\Rem.txt
c:\sdfix\apps\Rem2.txt
c:\sdfix\apps\Replace\regedit.exe
c:\sdfix\apps\Replace\w2k\AUTOEXEC.NT
c:\sdfix\apps\Replace\w2k\beep.sys
c:\sdfix\apps\Replace\w2k\command.com
c:\sdfix\apps\Replace\w2k\command.PIF
c:\sdfix\apps\Replace\w2k\CONFIG.NT
c:\sdfix\apps\Replace\w2k\null.sys
c:\sdfix\apps\Replace\xp\AUTOEXEC.NT
c:\sdfix\apps\Replace\xp\beep.sys
c:\sdfix\apps\Replace\xp\command.com
c:\sdfix\apps\Replace\xp\command.PIF
c:\sdfix\apps\Replace\xp\CONFIG.NT
c:\sdfix\apps\Replace\xp\null.sys
c:\sdfix\apps\Reset_AppInit_DLLs.reg
c:\sdfix\apps\RestartIt!.exe
c:\sdfix\apps\Restore_SafeBoot_Windows2000.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP2.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP3.reg
c:\sdfix\apps\Restore_SecurityCenter.reg
c:\sdfix\apps\Restore_SharedAccess.reg
c:\sdfix\apps\sc.exe
c:\sdfix\apps\sed.exe
c:\sdfix\apps\SF.exe
c:\sdfix\apps\shutdown.exe
c:\sdfix\apps\srv2.txt
c:\sdfix\apps\srv2bk.txt
c:\sdfix\apps\svc.txt
c:\sdfix\apps\svcbk.txt
c:\sdfix\apps\Swreg.exe
c:\sdfix\apps\swsc.exe
c:\sdfix\apps\UnRAR.exe
c:\sdfix\apps\unzip.exe
c:\sdfix\apps\vfind.exe
c:\sdfix\apps\WINMSG.EXE
c:\sdfix\apps\winsec.reg
c:\sdfix\apps\zip.exe
c:\sdfix\backups\backupreg.zip
c:\sdfix\backups\backups.zip
c:\sdfix\backups\catchme.log
c:\sdfix\backups\HOSTS
c:\sdfix\catchme.exe
c:\sdfix\DBFix.bat
c:\sdfix\dummy.sys
c:\sdfix\Report.txt
c:\sdfix\RunThis.bat
c:\sdfix\SDFIX_ReadMe_Online.url
c:\sdfix\W2K_VirusAlert_Repair.inf
c:\sdfix\XP_VirusAlert_Repair.inf
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmdata14.sqm
C:\sqmdata15.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmdata19.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\sqmnoopt14.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
C:\sqmnoopt19.sqm
C:\VundoFix Backups
C:\VundoFix.txt
c:\windows\system32\nonoleve.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FADPU16E
-------\Service_CAM1690
-------\Service_Fadpu16E
-------\Service_hcw95bda
-------\Service_hcw95rc


((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.

2009-04-23 08:15 . 2009-04-23 08:15 -------- d-----w c:\documents and settings\George\Application Data\Malwarebytes
2009-04-23 08:14 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 08:14 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 08:14 . 2009-04-23 08:14 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 00:06 . 2009-04-23 00:06 -------- d-s---w c:\windows\system32\config\systemprofile\UserData
2009-04-22 09:31 . 2009-04-23 09:17 -------- d-----w c:\documents and settings\George\Application Data\Twain
2009-04-22 00:26 . 2009-04-23 18:34 -------- d-----w C:\ComboFix
2009-04-22 00:23 . 2009-04-22 00:23 0 ----a-w c:\windows\TPTray.INI
2009-04-21 23:48 . 2009-04-21 23:48 577024 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-04-21 23:45 . 2009-04-21 23:45 -------- d-----w c:\windows\ERUNT
2009-04-21 13:35 . 2009-04-21 13:35 213376 -c--a-w c:\windows\system32\dllcache\ndis.sys
2009-04-21 13:27 . 2009-04-24 01:12 113276 ----a-w c:\windows\system32\drivers\d83568e8.sys
2009-04-18 10:41 . 2003-06-25 15:05 266360 ----a-w c:\windows\system32\TweakUI.exe
2009-04-18 10:41 . 2002-06-21 14:09 160217 ----a-w c:\windows\system32\PowerToysLicense.rtf
2009-04-18 10:33 . 2006-07-13 13:33 8453632 ----a-w c:\windows\system32\shell32.backup
2009-04-17 00:19 . 2009-04-19 10:11 -------- d-----w c:\windows\Windows98_icons
2009-04-17 00:16 . 2009-04-17 00:17 -------- dc-h--w c:\documents and settings\All Users\Application Data\{E33597A3-E995-4DA4-A3A0-F1775979A8E0}
2009-04-16 23:55 . 2002-10-28 12:23 1662 ----a-w c:\windows\29_ico_5.ico
2009-04-16 23:48 . 2002-10-28 13:33 1662 ----a-w c:\windows\The Internet_ico_5.ico
2009-04-16 23:32 . 2002-10-28 13:17 766 ----a-w c:\windows\Hard Drive_ico_3.ico
2009-04-16 21:41 . 2004-08-04 12:00 1032192 ----a-w c:\windows\explorer.exebackup
2009-04-16 19:02 . 2007-05-17 16:30 318976 ----a-w c:\windows\system32\avisynth.dll
2009-04-16 19:02 . 2004-02-22 09:11 719872 ----a-w c:\windows\system32\devil.dll
2009-04-16 19:02 . 2005-07-14 11:31 27648 ----a-w c:\windows\system32\AVSredirect.dll
2009-04-16 19:02 . 2004-01-24 23:00 70656 ----a-w c:\windows\system32\yv12vfw.dll
2009-04-16 19:02 . 2004-01-24 23:00 70656 ----a-w c:\windows\system32\i420vfw.dll
2009-04-16 18:58 . 2009-04-16 18:58 -------- d-----w c:\windows\system32\languages
2009-04-15 15:13 . 2004-07-29 01:19 175104 ----a-w c:\windows\lame_enc.dll
2009-04-14 22:10 . 2009-04-14 22:10 0 ----a-w c:\windows\nsreg.dat
2009-04-14 22:09 . 2009-04-14 22:11 -------- d-----w c:\documents and settings\George\Local Settings\Application Data\Thunderbird
2009-04-14 22:09 . 2009-04-14 22:10 -------- d-----w c:\documents and settings\George\Application Data\Thunderbird
2009-04-12 16:41 . 2009-04-12 16:41 -------- d-----w c:\documents and settings\George\Bullfrog
2009-04-12 16:41 . 2009-04-12 16:41 -------- d-----w c:\windows\system\KEEPER
2009-04-05 17:48 . 1998-05-29 08:51 274432 ----a-w c:\windows\system32\VCT32150.dll
2009-04-05 17:48 . 1997-09-03 15:58 195584 ----a-w c:\windows\system32\MVoice.vxp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 01:12 . 2006-09-21 12:50 -------- d-----w c:\documents and settings\George\Application Data\Skype
2009-04-23 20:06 . 2009-04-14 22:08 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-23 08:14 . 2009-04-23 08:14 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 17:49 . 2009-04-22 17:49 -------- d-----w c:\program files\Trend Micro
2009-04-21 13:35 . 2006-05-22 07:36 213376 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-18 10:34 . 2009-04-18 10:14 -------- d-----w c:\program files\iColorFolder
2009-04-18 09:58 . 2009-04-18 09:58 -------- d-----w c:\program files\IconXP
2009-04-17 00:23 . 2008-05-17 10:41 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-17 00:17 . 2009-04-17 00:17 -------- d-----w c:\program files\Mystik Media
2009-04-16 21:48 . 2006-09-03 14:31 66648 ----a-w c:\documents and settings\George\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 19:02 . 2009-04-16 19:02 -------- d-----w c:\program files\AviSynth 2.5
2009-04-16 19:01 . 2009-04-16 19:01 -------- d-----w c:\program files\eRightSoft
2009-04-16 18:58 . 2009-04-16 18:58 29910 ----a-w c:\windows\system32\unins000.dat
2009-04-16 18:57 . 2009-04-16 18:58 684636 ----a-w c:\windows\system32\unins000.exe
2009-04-15 23:30 . 2009-04-15 23:30 -------- d-----w c:\program files\XeroBank
2009-04-12 16:41 . 2007-07-03 00:13 -------- d-----w c:\program files\Bullfrog
2009-04-12 03:42 . 2009-04-12 03:42 -------- d-----w c:\program files\ebrary
2009-04-09 00:11 . 2006-10-03 16:22 -------- d-----w c:\program files\DivX
2009-04-09 00:10 . 2009-04-09 00:10 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-05 17:45 . 2009-04-05 17:45 -------- d-----w c:\program files\Red Storm Entertainment
2009-04-05 14:18 . 2007-02-01 20:38 -------- d-----w c:\documents and settings\George\Application Data\Lavasoft
2009-04-01 19:25 . 2009-04-01 19:25 -------- d-----w c:\program files\MySpace Grab
2009-03-31 19:55 . 2008-07-28 22:59 -------- d-----w c:\program files\StarCraft
2009-03-31 16:15 . 2008-11-11 14:17 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-31 16:11 . 2007-02-03 18:38 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-08 20:10 . 2008-10-30 00:57 -------- d-----w c:\documents and settings\George\Application Data\U3
2009-02-24 19:35 . 2006-10-03 16:23 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-02-24 19:35 . 2006-10-02 11:36 129784 ------w c:\windows\system32\pxafs.dll
2009-02-24 19:35 . 2006-10-02 11:36 118520 ------w c:\windows\system32\pxinsi64.exe
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-23 02:03 . 2006-10-26 01:31 -------- d-----w c:\program files\AltoMP3 Gold
2009-02-23 02:02 . 2007-11-26 17:34 -------- d-----w c:\program files\WinTV
2009-02-23 01:59 . 2009-02-21 21:31 -------- d-----w c:\documents and settings\George\Application Data\FMZilla
2006-12-03 15:35 . 2006-12-03 15:35 0 ----a-w c:\documents and settings\George\Application Data\wklnhst.dat
2006-05-22 12:23 . 2007-02-03 22:50 12328 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\opera\program\plugins\libdivx.dll
2009-02-24 19:2009-02-24 19:34 34:32 . c:\program files\opera\program\plugins\ssldivx.dll
2007-04-17 23:20 . 2007-04-17 23:20 56 --sh--r c:\windows\system32\512601FDB7.sys
2006-05-03 10:06 . 2009-04-16 19:01 163328 --sh--r c:\windows\system32\flvDX.dll
2007-04-17 23:20 . 2007-04-17 23:20 1890 --sha-w c:\windows\system32\KGyGaAvL.sys
2007-02-21 11:47 . 2009-04-16 19:01 31232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-04-16 19:01 216064 --sh--r c:\windows\system32\nbDX.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\d83568e8.sys -- Not a PE file.
File Size: 113276
Created Time: 2009-04-21 13:27
Modified Time: 2009-04-24 01:02
Accessed Time: 2009-04-24 01:02
MD5: !MD5: COULD NOT OPEN FILE !
SHA: !SHA1: COULD NOT OPEN FILE !


------- Sigcheck -------

[-] 2009-04-21 13:35 213376 3D748D850B1C17C357C54BBFD4835F27 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-21 13:35 213376 3D748D850B1C17C357C54BBFD4835F27 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-23_18.43.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-24 01:11 . 2007-06-20 09:59 73728 c:\windows\Temp\sophos_autoupdate1.dir\xmltok.dll
+ 2009-04-24 01:11 . 2007-06-20 09:59 57344 c:\windows\Temp\sophos_autoupdate1.dir\xmlparse.dll
+ 2009-04-24 01:11 . 2007-06-20 09:59 14336 c:\windows\Temp\sophos_autoupdate1.dir\xmlcpp.dll
+ 2009-04-24 01:11 . 2008-04-15 08:54 18432 c:\windows\Temp\sophos_autoupdate1.dir\SharedRes.dll
+ 2009-04-24 01:11 . 2007-06-20 09:59 20480 c:\windows\Temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-04-24 01:11 . 2008-02-08 09:47 94208 c:\windows\Temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-04-24 01:11 . 2007-06-20 09:59 45056 c:\windows\Temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
+ 2009-04-24 01:11 . 2009-04-24 01:11 16384 c:\windows\Temp\Perflib_Perfdata_6ac.dat
+ 2009-04-24 01:11 . 2008-04-15 08:54 2970 c:\windows\Temp\sophos_autoupdate1.dir\scf.dat
+ 2009-04-24 01:11 . 2007-08-22 11:36 208896 c:\windows\Temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-04-24 01:11 . 2004-03-17 18:06 348160 c:\windows\Temp\sophos_autoupdate1.dir\MSVCR71.DLL
+ 2009-04-24 01:11 . 2004-03-17 18:06 499712 c:\windows\Temp\sophos_autoupdate1.dir\MSVCP71.DLL
+ 2009-04-24 01:11 . 2007-06-20 09:59 745472 c:\windows\Temp\sophos_autoupdate1.dir\libeay32.dll
+ 2009-04-24 01:11 . 2006-05-05 17:29 159744 c:\windows\Temp\sophos_autoupdate1.dir\libcurl.dll
+ 2009-04-24 01:11 . 2007-06-20 09:59 176128 c:\windows\Temp\sophos_autoupdate1.dir\CidSync.dll
+ 2009-04-24 01:11 . 2008-04-15 08:54 610304 c:\windows\Temp\sophos_autoupdate1.dir\ALUpdate.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-04-23 22058792]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-09-18 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2006-03-16 634880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 53248]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 262144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-18 16143872]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-18 89541]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-08-11 266240]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\inf\\explorer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22178:TCP"= 22178:TCP:BitComet 22178 TCP
"22178:UDP"= 22178:UDP:BitComet 22178 UDP

S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2007-11-14 101120]
S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2007-11-14 33408]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2007-11-14 69632]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2007-11-28 98304]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\DRIVERS\tdudf.sys [2006-04-18 98816]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-06-27 c:\windows\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2006-05-22 12:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {B98AAA0F-DE81-4AC5-B45A-FACC2E6BC232} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\George\Application Data\Mozilla\Firefox\Profiles\g3sq6njz.default\
FF - prefs.js: browser.startup.homepage - hxxp://vle.coventry.ac.uk/webct/entryPageIns.dowebct
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsabffx.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\windows\system32\SuperAdBlocker.com\npsabffx.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 02:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\d83568e8]
"ImagePath"="\SystemRoot\System32\drivers\d83568e8.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\l3codeca.acm

- - - - - - - > 'explorer.exe'(1388)
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\FileZilla Server\FileZilla server.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
c:\windows\system32\TODDSrv.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-24 2:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-24 01:16
ComboFix2.txt 2009-04-23 18:46

Pre-Run: 739,647,488 bytes free
Post-Run: 720,785,408 bytes free

501

Malwarebytes' Anti-Malware 1.36
Database version: 2034
Windows 5.1.2600 Service Pack 2

24/04/2009 12:04:41
mbam-log-2009-04-24 (12-04-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 173373
Time elapsed: 43 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:31, on 24/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{B98AAA0F-DE81-4AC5-B45A-FACC2E6BC232}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 6105 bytes
nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands

Re: Please help a lost soul

Unread postby dan12 » April 24th, 2009, 4:25 pm

Ok, can you run me an online scan as I need to look over your returned combo log.
Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Let me know how things are.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Please help a lost soul

Unread postby nineinchheel » April 24th, 2009, 8:50 pm

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, April 25, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, April 24, 2009 09:11:47
Records in database: 2074498
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 100998
Threat name: 10
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 02:59:56


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F7E788C.exe Infected: Trojan-Proxy.Win32.Horst.kc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53EC35CF.exe Infected: P2P-Worm.Win32.VB.dw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63614470.par Infected: EICAR-Test-File 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\67177E5A.txt Infected: EICAR-Test-File 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\694C5DED.txt Infected: EICAR-Test-File 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E117B68.exe Infected: Trojan-Proxy.Win32.Horst.pg 1
C:\Documents and Settings\George\My Documents\My Received Files\img.zip Infected: Backdoor.Win32.SdBot.cwm 1
C:\Documents and Settings\George\My Documents\Real Lives 2007.rar Infected: not-a-virus:AdWare.Win32.Rabio.nh 1
C:\Qoobox\Quarantine\C\SDFix\backups\backups.zip.vir Infected: Backdoor.Win32.HacDef.tpko 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthcjxmxmhqloymqpualunooqbrmutuuhhp.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
C:\WINDOWS\system32\dllcache\ndis.sys Infected: Rootkit.Win32.Agent.iou 1
C:\WINDOWS\system32\drivers\ndis.sys Infected: Rootkit.Win32.Agent.iou 1
C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BroadbandFromBT.exe Infected: not-a-virus:Dialer.Win32.BT.g 1

The selected area was scanned.
nineinchheel
Regular Member
 
Posts: 39
Joined: April 22nd, 2009, 5:04 am
Location: Coventry, West Midlands

Re: Please help a lost soul

Unread postby dan12 » April 25th, 2009, 5:43 am

Hi,
Open up Norton and delete quarantined items.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
File::
C:\Documents and Settings\George\My Documents\My Received Files\img.zip 
C:\Documents and Settings\George\My Documents\Real Lives 2007.rar 
C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BroadbandFromBT.exe 
FCOPY::
c:\windows\$NtServicePackUninstall$\ndis.sys | c:\windows\system32\dllcache\ndis.sys
c:\windows\$NtServicePackUninstall$\ndis.sys | c:\windows\system32\drivers\ndis.sys

    


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Post combofix report and let me know how things are!!!!
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 484 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware