I've got a trojan horse (or two) and can't get shot of it. "psw.generic7.bemv"?
Quote:
PS I'm still getting the occasional website loading up unrequested. Any ideas? (I didn't get this before the malware problem.)

Which browser are you using?

Hi SD, I'm using Firefox v3.6 with add-ons Adblock Plus, AVG Safe Guard, ColorfulTabs, NoScript, Personas, Skype, WOT, plus some Java Console. This morning I got this message: see attached. I've checked Task Manager "Services" and Process ID 816 is PlugPlay and DcomLaunch again! I'm suspecting I'm going to have to go down the clean install route. Is there a good/safe way of partitioning my C: drive without losing the data, and then moving my data across to the new drive without bringing the infection across?

[Saving space, attachment deleted by admin]

Update and run SAS and MBAM again. Just hold off on the re-format. I'm going to check with Evil about this new problem. Do you visit the website 'samdadsupport.com'?

Nope, I've not clicked on samdadsupport.com. I've tried leaving Firefox open and not using the computer for, say, 45 mins and nothing happens, but within 5 mins of using it I get a new tab load up with various websites (that either NoScript or WOT warns me of danger). This only happens once a session. I know it's not the end of the world compared to the mess I was in when I first contacted you guys (thanks again for the help), but I'm still a bit worried that I have a problem. I've not been clicking on anything and websites like this try and open:

___NO_CLICK_____http://www.ukprizedraw.co.uk/default.aspx?campid=105&affid=2741&subid=2284

I have already run SAS but it did not find anything. I will run MBAM again this weekend.

Delete ComboFix and download a new copy. Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop. Link #1 Link #2 **Note: It is important that it is saved directly to your Desktop. DO NOT run it yet! Note: the below instructions were created specifically for this user.
If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

Temporarily disable your ANTIVIRUS and any antispyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

DDS::
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

Folder::
c:\users\Jamie\AppData\Roaming\lowsec

RegLockDel::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&14c66cf6&0&12345678&02&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&14c66cf6&0&12345678&02&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CE\4&211ab9e2&0&UID16843008\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CE\4&211ab9e2&0&UID16843008\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\4&211ab9e2&0&UID16843008\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\4&211ab9e2&0&UID16843008\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\5&14c66cf6&0&12345678&02&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\5&14c66cf6&0&12345678&02&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below.

Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

----------

Download GooredFix from one of the locations below and save it to your desktop
Download Mirror #1
Download Mirror #2
* Ensure all Firefox windows are closed.
* To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
* When prompted to run the scan, click Yes.
* GooredFix will check for infections, and then a log will appear. Post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

----------

Download Rooter.exe to your desktop.
* Double click Rooter.exe to start the tool.
* A DOS window will appear and show the scan progress.
* Once complete a notepad file containing the report will open.
* Copy & paste the results in your next reply.
* Close notepad and Rooter will close. A log will also save at C:\Rooter.txt

----------

Next post please add:
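Added example, not part of any post in this thread and not ComboFix's own code: the logs requested above come back as flat text, and a helper reads the same few sections of every one of them. The Python below parses a constructed excerpt in the ComboFix.txt layout seen in this thread and pulls out the deletions, disinfected system files, Run-key autostarts, catchme's hidden files and the locked registry keys, then flags what a practitioner looks at first. The "updater" Run entry in the sample is invented purely to exercise the user-writable-path check, and the Enum\...\Properties\{guid} keys are separated out because Windows Vista and later lock the device property store by design, so they show up in every ComboFix report on those systems.

```python
"""Triage a ComboFix-style report: added example for this thread, not ComboFix code."""
import re
from typing import Any, Dict, List

# Constructed excerpt in the ComboFix.txt layout seen in the thread; the
# "updater" Run entry is invented so the user-writable-path check has a hit.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Jamie\AppData\Roaming\lowsec
c:\users\Jamie\AppData\Roaming\lowsec\local.ds
c:\users\Jamie\AppData\Roaming\lowsec\user.ds
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"updater"="c:\users\Jamie\AppData\Roaming\example\upd.exe" [2010-02-01 40960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scanning hidden files ...
c:\users\Jamie\AppData\Local\Temp\Cab18FC.tmp 29771 bytes
c:\users\Jamie\AppData\Local\Temp\Tar18FD.tmp 77580 bytes
scan completed successfully
hidden files: 2
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&14c66cf6&0&12345678&02&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
"""

PAREN_SECTION = re.compile(r"^\({3,}\s*(?P<name>.+?)\s*\){3,}$")  # (((( Other Deletions ))))
DASH_SECTION = re.compile(r"^-{3,}\s*(?P<name>.+?)\s*-{3,}$")     # ---- LOCKED REGISTRY KEYS ----
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"(?:\s+\[[^\]]*\])?$')
DISINFECTED = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected")
HIDDEN_FILE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<size>\d+) bytes$")
HIDDEN_COUNT = re.compile(r"^hidden files:\s*(?P<n>\d+)$")
# Vista+ locks Enum\...\Properties\{guid} (device property store) by design.
DEVICE_PROPERTY_KEY = re.compile(r"\\Enum\\.+\\Properties\\\{[0-9A-Fa-f-]{36}\}$")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def parse_combofix(text: str) -> Dict[str, Any]:
    """Walk the flat report once, remembering which section each line belongs to."""
    report: Dict[str, Any] = {"deletions": [], "disinfected": [], "autostarts": [],
                              "hidden_files": [], "hidden_count": 0, "locked_keys": []}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = PAREN_SECTION.match(line) or DASH_SECTION.match(line)
        if header:
            section = header.group("name").lower()
            continue
        if line.startswith("catchme "):  # gmer's catchme block has no bracketed header
            section = "catchme"
            continue
        if section == "other deletions":
            hit = DISINFECTED.match(line)
            if hit:
                report["disinfected"].append(hit.group("path"))
            elif not line.startswith("Restored copy from"):
                report["deletions"].append(line)
        elif section == "reg loading points":
            key, val = REG_KEY.match(line), REG_VALUE.match(line)
            if key:
                current_key = key.group("key")
            elif val and current_key:
                report["autostarts"].append({"key": current_key, "name": val.group("name"),
                                             "path": val.group("path")})
        elif section == "catchme":
            hidden, count = HIDDEN_FILE.match(line), HIDDEN_COUNT.match(line)
            if hidden:
                report["hidden_files"].append(hidden.group("path"))
            elif count:
                report["hidden_count"] = int(count.group("n"))
        elif section == "locked registry keys":
            key = REG_KEY.match(line)
            if key:
                report["locked_keys"].append(key.group("key"))
    return report


def triage(report: Dict[str, Any]) -> List[str]:
    """Reduce the parsed report to the short list a helper reads first."""
    flags: List[str] = []
    for path in report["disinfected"]:
        flags.append(f"PATCHED SYSTEM FILE: {path} (rootkit indicator; re-check its signature after reboot)")
    for entry in report["autostarts"]:
        if any(token in entry["path"].lower() for token in USER_WRITABLE):
            flags.append(f"AUTOSTART FROM USER-WRITABLE PATH: {entry['name']} -> {entry['path']}")
    for path in report["hidden_files"]:
        flags.append(f"HIDDEN FILE: {path}")
    for key in report["locked_keys"]:
        kind = "locked by Windows by design" if DEVICE_PROPERTY_KEY.search(key) else "review"
        flags.append(f"LOCKED KEY ({kind}): {key}")
    return flags


if __name__ == "__main__":
    for flag in triage(parse_combofix(SAMPLE_LOG)):
        print(flag)
```

Run it as-is to print the flags for the sample, or pass the text of a real ComboFix.txt to parse_combofix(). The same section-tracking approach carries over to other tools' logs, but each has its own layout and needs its own header and entry rules.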
ComboFix 10-02-07.06 - Jamie 08/02/2010 9:27.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2036.1111 [GMT 0:00]
Running from: c:\users\Jamie\Desktop\ComboFix.exe
Command switches used :: c:\users\Jamie\Desktop\CFScript.txt
FW: Sunbelt Personal Firewall *disabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Jamie\AppData\Roaming\lowsec
c:\users\Jamie\AppData\Roaming\lowsec\local.ds
c:\users\Jamie\AppData\Roaming\lowsec\user.ds

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-01-08 to 2010-02-08 )))))))))))))))))))))))))))))))
.
2010-02-08 09:33 . 2010-02-08 09:33 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-08 09:33 . 2010-02-08 09:33 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2010-02-08 09:33 . 2010-02-08 09:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-04 16:25 . 2010-02-05 17:48 -------- d-----w- c:\program files\SpywareBlaster
2010-02-02 15:11 . 2010-02-08 09:53 -------- d-----w- c:\users\Jamie\AppData\Local\temp
2010-01-29 15:23 . 2010-01-27 17:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-28 14:10 . 2010-01-28 14:10 -------- d-----w- c:\program files\DiskCheckup
2010-01-28 14:10 . 2010-01-28 14:10 -------- d-----w- c:\windows\Sun
2010-01-27 16:44 . 2009-07-16 13:33 157696 ----a-w- c:\users\Jamie\JavaRa.exe
2010-01-26 15:15 . 2010-02-04 16:28 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-26 15:15 . 2010-01-26 15:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-26 10:23 . 2010-01-26 10:28 -------- d-----w- c:\program files\a-squared Free
2010-01-25 21:08 . 2010-01-25 21:08 -------- d-----w- c:\users\Jamie\AppData\Roaming\Malwarebytes
2010-01-25 21:08 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 21:08 . 2010-01-25 21:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 21:08 . 2010-01-25 21:08 -------- d-----w- c:\programdata\Malwarebytes
2010-01-25 21:08 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 20:45 . 2010-01-25 20:45 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-01-25 20:45 . 2010-01-25 20:45 -------- d-----w- c:\users\Jamie\AppData\Roaming\SUPERAntiSpyware.com
2010-01-25 20:45 . 2010-01-25 20:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-25 20:44 . 2010-01-25 20:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-25 17:17 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-25 16:58 . 2010-01-25 16:59 -------- dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-25 16:58 . 2010-01-25 16:58 -------- d-----w- c:\program files\Lavasoft
2010-01-21 16:57 . 2010-01-21 16:57 -------- d-----w- c:\users\Jamie\AppData\Local\HandBrake
2010-01-21 16:57 . 2010-01-21 16:57 -------- d-----w- c:\users\Jamie\AppData\Roaming\HandBrake
2010-01-20 00:52 . 2010-01-20 00:54 -------- d-----w- C:\ConverterOutput
2010-01-20 00:52 . 2004-10-12 14:42 262144 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-01-20 00:52 . 2004-10-12 14:40 2255360 ----a-w- c:\windows\system32\libavcodec.dll
2010-01-20 00:52 . 2004-10-05 16:16 395776 ----a-w- c:\windows\system32\libmplayer.dll
2010-01-20 00:52 . 2004-10-04 01:50 112640 ----a-w- c:\windows\system32\libmpeg2_ff.dll
2010-01-20 00:52 . 2004-09-10 13:50 34820 ----a-w- c:\windows\system32\ffdshow.reg
2010-01-20 00:52 . 2010-01-20 00:52 -------- d-----w- c:\program files\Cucusoft
2010-01-19 22:36 . 2010-02-04 17:10 -------- d-----w- c:\users\Jamie\AppData\Roaming\Auslogics
2010-01-19 22:36 . 2010-02-04 17:09 -------- d-----w- c:\program files\Auslogics
2010-01-14 16:20 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-14 16:20 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-08 09:55 . 2008-05-15 22:40 -------- d-----w- c:\programdata\Kontiki
2010-02-06 00:34 . 2009-11-24 16:04 -------- d-----w- c:\users\Jamie\AppData\Roaming\vlc
2010-02-05 13:55 . 2009-09-24 09:15 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-05 09:19 . 2010-01-25 20:45 117760 ----a-w- c:\users\Jamie\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-04 17:17 . 2010-01-25 17:16 389784 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-04 17:17 . 2010-01-25 17:09 3803208 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-04 17:17 . 2010-01-25 17:08 823928 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-04 17:17 . 2010-01-25 17:06 1181328 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-04 16:11 . 2008-04-29 17:02 75912 ----a-w- c:\users\Jamie\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-02 14:10 . 2009-06-03 17:06 -------- d-----w- c:\users\Jamie\AppData\Roaming\uTorrent
2010-01-29 16:22 . 2008-04-10 16:32 -------- d-----w- c:\program files\Google
2010-01-28 14:03 . 2008-12-15 09:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-27 16:38 . 2008-04-10 16:26 -------- d-----w- c:\program files\Java
2010-01-27 16:37 . 2008-04-10 16:26 -------- d-----w- c:\program files\Common Files\Java
2010-01-25 20:45 . 2010-01-25 20:45 52224 ----a-w- c:\users\Jamie\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-25 16:58 . 2009-11-05 09:53 -------- d-----w- c:\programdata\Lavasoft
2010-01-22 11:28 . 2008-11-10 22:39 1 ----a-w- c:\users\Jamie\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-21 17:38 . 2008-04-29 17:18 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-21 16:57 . 2009-03-05 23:05 -------- d-----w- c:\program files\HandBrake
2010-01-21 16:01 . 2009-08-12 19:27 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 23:59 . 2009-07-20 09:22 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-14 16:57 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-14 11:12 . 2009-10-02 17:01 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 22:27 . 2009-09-18 11:45 -------- d-----w- c:\users\Jamie\AppData\Roaming\Skype
2010-01-12 22:20 . 2009-09-18 11:47 -------- d-----w- c:\users\Jamie\AppData\Roaming\skypePM
2010-01-09 20:12 . 2008-05-05 14:00 -------- d-----w- c:\users\Jamie\AppData\Roaming\dvdcss
2010-01-02 06:38 . 2010-01-22 11:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 11:18 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 11:18 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 11:18 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-29 13:39 . 2009-12-29 13:39 -------- d-----w- c:\program files\QuickTime
2009-12-29 13:39 . 2009-12-29 13:39 -------- d-----w- c:\programdata\Apple Computer
2009-12-29 13:37 . 2009-12-29 13:37 -------- d-----w- c:\program files\Common Files\Apple
2009-12-29 13:37 . 2009-12-29 13:37 -------- d-----w- c:\program files\Apple Software Update
2009-12-29 13:37 . 2009-12-29 13:37 -------- d-----w- c:\programdata\Apple
2009-12-29 13:22 . 2009-09-18 11:44 -------- d-----r- c:\program files\Skype
2009-12-29 13:14 . 2009-12-29 13:14 -------- d-----w- c:\program files\Secunia
2009-12-14 20:56 . 2008-06-28 11:05 -------- d-----w- c:\programdata\Roxio
2009-12-10 17:35 . 2009-12-10 17:35 -------- d-----w- c:\program files\Stardock
2009-12-10 17:35 . 2009-12-10 17:35 -------- d-----w- c:\program files\Common Files\Stardock
2009-12-10 17:31 . 2008-04-29 17:18 -------- d-----w- c:\users\Jamie\AppData\Roaming\Thunderbird
2009-12-07 14:10 . 2010-01-25 16:58 2953352 -c--a-w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-12-04 10:34 . 2009-12-04 10:34 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-11-25 17:42 . 2009-11-25 17:42 291696 ----a-w- c:\users\Jamie\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
2009-11-17 13:33 . 2009-07-28 09:28 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-11-10 10:33 . 2009-06-03 15:51 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-24 16:07 . 2008-12-22 09:46 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-04-11 00:11 . 2008-04-10 23:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-01-18 17920]
"NMSSupport"="c:\program files\Common Files\INTEL\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-06-27 439512]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2007-06-27 215256]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-24 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-13 16384]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-27 7420448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-05 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-05 150552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-04-10 77824]

c:\users\Jamie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Broadband Download Monitor.lnk - c:\program files\Broadband Download Monitor\bdm.exe [2008-3-7 688128]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-12-10 3444008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Software Director Scheduler.lnk - c:\program files\Common Files\Cloanto\Software Director\softdir.exe [2009-8-11 288328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):78,da,8f,f3,df,3d,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [25/01/2010 17:17 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [03/06/2009 15:51 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [03/06/2009 15:51 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [26/01/2010 10:23 1858144]
R2 AERTFilters;Andrea RT FILTERS Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [17/11/2009 13:33 81920]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [27/10/2009 16:44 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [27/10/2009 16:43 285392]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [12/02/2007 10:46 208896]
R2 NMSCore;Intel(R) NMSCore;c:\program files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe [27/06/2007 09:14 317656]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [18/02/2007 19:34 5376]
R2 QualityManager;Intel(R) Quality Manager;c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\QualityManager.exe [27/06/2007 09:17 272600]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 11:31 92008]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [28/05/2009 08:12 598856]
R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [10/04/2008 16:29 5632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
S2 gupdate1c9f354452512a9;Google Update Service (gupdate1c9f354452512a9);c:\program files\Google\Update\GoogleUpdate.exe [22/06/2009 16:12 133104]
S3 DHTRACE;Intel(R) DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [27/06/2007 09:15 39640]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [30/09/2008 07:30 21504]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\System32\drivers\ggflt.sys [09/06/2009 16:58 13224]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/04/2008 16:32 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 13:19 1181328]
S3 PSI;PSI;c:\windows\System32\drivers\psi_mf.sys [17/06/2009 12:20 12648]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\System32\drivers\s3017bus.sys [09/01/2009 10:42 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\System32\drivers\s3017mdfl.sys [09/01/2009 10:44 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\System32\drivers\s3017mdm.sys [09/01/2009 10:44 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s3017mgmt.sys [09/01/2009 10:50 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\System32\drivers\s3017nd5.sys [09/01/2009 10:54 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\System32\drivers\s3017obex.sys [09/01/2009 10:49 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\System32\drivers\s3017unic.sys [09/01/2009 10:51 110120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-08 c:\windows\Tasks\AutoSmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-01-19 15:30]

2010-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-22 16:12]

2010-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-22 16:12]

2010-02-02 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-01-19 15:30]

2010-02-08 c:\windows\Tasks\User_Feed_Synchronization-{FA4F8ED9-C3D2-43A5-B120-BB37897806F4}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.atcomet.com/b/
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect2.pb.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\Jamie\AppData\Roaming\Mozilla\Firefox\Profiles\tga7fkpk.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-08 09:53
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

c:\users\Jamie\AppData\Local\Temp\Cab18FC.tmp 29771 bytes
c:\users\Jamie\AppData\Local\Temp\Tar18FD.tmp 77580 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&14c66cf6&0&12345678&02&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}] @DACL=(02 0000) [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&14c66cf6&0&12345678&02&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}] @DACL=(02 0000) [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CE\4&211ab9e2&0&UID16843008\Properties\{83da6326-97a6-4088-9453-a1923f573b29}] @DACL=(02 0000) [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CE\4&211ab9e2&0&UID16843008\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}] @DACL=(02 0000) [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\4&211ab9e2&0&UID16843008\Properties\{83da6326-97a6-4088-9453-a1923f573b29}] @DACL=(02 0000) [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\4&211ab9e2&0&UID16843008\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}] @DACL=(02 0000) [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\5&14c66cf6&0&12345678&02&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}] @DACL=(02 0000) [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\5&14c66cf6&0&12345678&02&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}] @DACL=(02 0000) . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'Explorer.exe'(4896) c:\program files\Stardock\ObjectDock\DockShellHook.dll c:\program files\Portrait Displays\Pivot Software\winphook.dll . ------------------------ Other Running Processes ------------------------ . 
c:\program files\Intel\IntelDH\CCU\AlertService.exe c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe c:\program files\Kontiki\KService.exe c:\program files\AVG\AVG9\avgnsx.exe c:\program files\Dell Support Center\bin\sprtsvc.exe c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe c:\program files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe c:\program files\AVG\AVG9\avgchsvx.exe c:\program files\AVG\AVG9\avgrsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\windows\system32\conime.exe c:\windows\system32\igfxsrvc.exe c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe c:\windows\ehome\ehmsas.exe c:\program files\Portrait Displays\Pivot Software\floater.exe c:\program files\Intel\IntelDH\CCU\CCU_Engine.exe c:\program files\Secunia\PSI\psi.exe . ************************************************************************** . 
Completion time: 2010-02-08 09:58:36 - machine was rebooted ComboFix-quarantined-files.txt 2010-02-08 09:58 Pre-Run: 193,404,383,232 bytes free Post-Run: 193,377,882,112 bytes free - - End Of File - - AC84C96F6CA637E54AFB508ABA734AEE GooredFix by jpshortstuff (08.01.10.1) Log created at 10:12 on 08/02/2010 (Jamie) Firefox version 3.6 (en-GB) ========== GooredScan ========== ========== GooredLog ========== C:\Program Files\Mozilla Firefox\extensions\ {972ce4c6-7e08-4474-a285-3208198ce6fd} [17:15 29/04/2008] {B13721C7-F507-4982-B2E5-502A71474FED} [11:45 18/09/2009] {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [10:30 05/03/2009] {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [17:21 26/03/2009] {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [07:40 31/08/2009] {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [14:04 28/01/2010] C:\Users\Jamie\Application Data\Mozilla\Firefox\Profiles\tga7fkpk.default\extensions\ [emailprotected] [08:42 18/01/2010] {0545b830-f0aa-4d7e-8820-50a4629a56fe} [16:47 04/02/2010] {20a82645-c095-46ed-80e3-08825760534b} [07:31 11/07/2009] {73a6fe31-595d-460b-a920-fcc0f8843232} [10:17 05/02/2010] {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [13:13 26/01/2010] {B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash [10:22 10/12/2009] {b9db16a4-6edc-47ec-a1f4-b86292ed211d} [08:42 18/01/2010] {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [20:12 09/01/2010] [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions] "{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" [17:18 09/05/2008] "{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [16:43 27/10/2009] "{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [15:53 09/06/2009] -=E.O.F=- Rooter.exe (v1.0.2) by Eric_71 . SeDebugPrivilege granted successfully ... . Windows Vista Home Edition (6.0.6002) Service Pack 2 [32_bits] - x86 Family 6 Model 15 Stepping 13, GenuineIntel . 
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Disabled !
User Account Control (UAC) -> Enabled
.
Internet Explorer 8.0.6001.18882
Mozilla Firefox 3.6 (en-GB)
.
C:\ [Fixed-NTFS] .. ( Total:288 Go - Free:180 Go )
D:\ [Fixed-NTFS] .. ( Total:9 Go - Free:6 Go )
E:\ [CD_Rom]
F:\ [Fixed-FAT32] .. ( Total:232 Go - Free:30 Go )
G:\ [CD_Rom]
.
Scan : 10:13.27
Path : C:\Users\Jamie\Desktop\Rooter.exe
User : Jamie ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ \SystemRoot\System32\smss.exe (424)
______ C:\Windows\system32\csrss.exe (500)
______ C:\Windows\system32\wininit.exe (544)
______ C:\Windows\system32\csrss.exe (556)
______ C:\Windows\system32\services.exe (588)
______ C:\Windows\system32\lsass.exe (604)
______ C:\Windows\system32\lsm.exe (612)
______ C:\Windows\system32\winlogon.exe (656)
______ C:\Windows\system32\svchost.exe (816)
______ C:\Windows\system32\svchost.exe (880)
______ C:\Windows\System32\svchost.exe (1012)
______ C:\Windows\System32\svchost.exe (1044)
______ C:\Windows\system32\svchost.exe (1060)
Locked audiodg.exe (1168)
______ C:\Windows\system32\svchost.exe (1192)
______ C:\Windows\system32\SLsvc.exe (1212)
______ C:\Windows\system32\svchost.exe (1244)
______ C:\Windows\system32\svchost.exe (1424)
______ C:\Windows\System32\spoolsv.exe (1628)
______ C:\Windows\system32\svchost.exe (1652)
______ C:\Program Files\a-squared Free\a2service.exe (1804)
______ C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe (1860)
______ C:\Program Files\Intel\IntelDH\CCU\AlertService.exe (1880)
______ C:\Program Files\AVG\AVG9\avgwdsvc.exe (1896)
______ C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe (1920)
______ C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (1948)
______ C:\Program Files\Kontiki\KService.exe (260)
______ C:\Program Files\AVG\AVG9\avgnsx.exe (1000)
______ C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe (972)
______ C:\Windows\system32\svchost.exe (464)
______ C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe (1732)
______ C:\Program Files\Dell Support Center\bin\sprtsvc.exe (688)
______ C:\Windows\system32\svchost.exe (2060)
______ C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (2088)
______ C:\Windows\System32\svchost.exe (2120)
______ C:\Windows\system32\SearchIndexer.exe (2204)
______ C:\Program Files\Webroot\Washer\WasherSvc.exe (2240)
______ C:\Program Files\AVG\AVG9\avgemc.exe (2316)
______ C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe (2348)
______ C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe (2368)
______ C:\Windows\system32\taskeng.exe (2520)
______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (2528)
______ C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe (2852)
______ C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe (2896)
______ C:\Program Files\AVG\AVG9\avgchsvx.exe (2984)
______ C:\Program Files\AVG\AVG9\avgrsx.exe (2992)
______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (3020)
______ C:\Windows\system32\svchost.exe (3756)
______ C:\Windows\system32\Dwm.exe (156)
______ C:\Windows\system32\taskeng.exe (1724)
______ C:\Windows\Explorer.EXE (3904)
______ C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe (732)
______ C:\Windows\system32\taskeng.exe (720)
______ C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe (3388)
______ C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe (1980)
______ C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (3700)
______ C:\Windows\WindowsMobile\wmdSync.exe (2232)
______ C:\Program Files\Dell Support Center\bin\sprtcmd.exe (2676)
______ C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe (2912)
______ C:\Program Files\Portrait Displays\HP My Display\dthtml.exe (1828)
______ C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (3516)
______ C:\Windows\System32\igfxtray.exe (608)
______ C:\Windows\System32\hkcmd.exe (2592)
______ C:\Windows\System32\igfxpers.exe (3988)
______ C:\Program Files\Java\jre1.6.0\bin\jusched.exe (2804)
______ C:\Windows\ehome\ehtray.exe (476)
______ C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (3964)
______ C:\Program Files\Webroot\Washer\wwDisp.exe (1132)
______ C:\Windows\system32\igfxsrvc.exe (3900)
______ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (4208)
______ C:\Program Files\Common Files\Cloanto\Software Director\softdir.exe (4216)
______ C:\Program Files\Broadband Download Monitor\bdm.exe (4224)
______ C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (4232)
______ C:\Windows\ehome\ehmsas.exe (4404)
______ C:\Program Files\Portrait Displays\Pivot Software\floater.exe (4620)
______ C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe (4716)
______ C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe (4752)
______ C:\Program Files\Secunia\PSI\psi.exe (5008)
______ C:\Windows\system32\conime.exe (5112)
______ C:\Users\Jamie\Desktop\Rooter.exe (5096)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:57544704)
\Device\Harddisk0\Partition2 (Start_Offset:57671680 | Length:10737418240)
\Device\Harddisk0\Partition3 --[ MBR ]-- (Start_Offset:10795089920 | Length:309276442624)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\AutoSmartDefrag.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
C:\Windows\Tasks\SmartDefrag.job
C:\Windows\Tasks\User_Feed_Synchronization-{FA4F8ED9-C3D2-43A5-B120-BB37897806F4}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 10:13.36
.
C:\Rooter$\Rooter_1.txt - (08/02/2010 | 10:13.36)

atapi.sys

Please download SystemLook from one of the below links and save it to your desktop.
Link #1
Link #2
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
* Double-click SystemLook.exe to run it.
* Copy the contents of the following codebox into the main textfield.
Code: [Select]
:filefind
*atapi*
* Click the Look button to start the scan.
* Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
* When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt

Disabled AVG, Spybot, Adaware, and SAS. Ran SystemLook as requested. Switched back on AVG, Spybot, Adaware, and SAS.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:34 on 09/02/2010 by Jamie (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi*"
C:\Qoobox\Quarantine\C\Windows\System32\drivers\atapi.sys.vir--a--- 19944 bytes[09:15 24/09/2009][13:55 05/02/2010] F0CE0B2BD34E63C0D57139F0AE1C6747
C:\Users\Public\Documents\Amiga Files\System\dir\System\Devs\atapi.device--a--- 13172 bytes[17:29 11/08/2009][04:16 23/09/2003] D0396596015EAC86FB19552FE356F691
C:\Windows\ERDNT\cache\atapi.sys--a--- 19944 bytes[11:04 01/02/2010][13:55 05/02/2010] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\inf\iteatapi.inf--a--- 33660 bytes[10:25 02/11/2006][10:25 02/11/2006] E4EB9FDA7CA1965653EAB8C109CCE546
C:\Windows\inf\iteatapi.PNF--a--- 17916 bytes[10:25 02/11/2006][12:51 02/11/2006] 73DF176A398D10A2338BBD40B56EF72E
C:\Windows\System32\DriverStore\en-US\iteatapi.inf_loc--a--- 308 bytes[12:40 02/11/2006][12:40 02/11/2006] DBC002F0F2C65A0519A1BD24D84B22C2
C:\Windows\System32\DriverStore\FileRepository\iteatapi.inf_431397fb\iteatapi.inf--a--- 33660 bytes[10:25 02/11/2006][06:35 02/11/2006] E4EB9FDA7CA1965653EAB8C109CCE546
C:\Windows\System32\DriverStore\FileRepository\iteatapi.inf_431397fb\iteatapi.sys--a--- 35944 bytes[10:25 02/11/2006][09:50 02/11/2006] BCED60D16156E428F8DF8CF27B0DF150
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5a9555b4\atapi.sys--a--- 21688 bytes[23:58 10/04/2008][23:58 10/04/2008] 9E7E85EC61D1C9C3171CC08427108863
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5da5d093\atapi.sys--a--- 21688 bytes[00:11 11/04/2008][00:11 11/04/2008] 61CA2C1E145809813C28752298CF9843
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys--a--- 21560 bytes[21:48 30/04/2008][21:48 30/04/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_6c3af7d3\atapi.sys--a--- 21688 bytes[00:11 11/04/2008][00:11 11/04/2008] 7EB55F6BEFB392BD312CD0CD5263305D
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys--a--- 21560 bytes[21:48 30/04/2008][21:48 30/04/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys--a--- 19048 bytes[23:58 10/04/2008][23:58 10/04/2008] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys--a--- 19944 bytes[09:15 24/09/2009][06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys--a--- 19048 bytes[10:25 02/11/2006][09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys--a--- 21560 bytes[07:30 30/09/2008][07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys------ 19944 bytes[09:15 24/09/2009][13:55 05/02/2010] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\drivers\iteatapi.sys--a--- 35944 bytes[07:36 02/11/2006][09:50 02/11/2006] BCED60D16156E428F8DF8CF27B0DF150
C:\Windows\System32\en-US\WinSATAPI.dll.mui--a--- 6144 bytes[12:41 02/11/2006][12:41 02/11/2006] 64BDEA749C5954CECAB7EC5E9CC24D39
C:\Windows\System32\WinSATAPI.dll--a--- 383488 bytes[07:31 30/09/2008][07:36 19/01/2008] 3FCB7347D2DE38488C85A31EA7838A3C
C:\Windows\winsxs\Manifests\x86_iteatapi.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_20cdea2c37532736.manifest--a--- 1913 bytes[12:39 02/11/2006][12:39 02/11/2006] 99D99FA87B40A9FB8F9284AD0D7A71C9
C:\Windows\winsxs\x86_iteatapi.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_20cdea2c37532736\iteatapi.inf_loc--a--- 308 bytes[12:40 02/11/2006][12:40 02/11/2006] DBC002F0F2C65A0519A1BD24D84B22C2
C:\Windows\winsxs\x86_microsoft-windows-w..emassessmenttoolapi_31bf3856ad364e35_6.0.6000.16386_none_e167a01dfaaf52f2\WinSATAPI.dll--a--- 382976 bytes[12:34 02/11/2006][12:34 02/11/2006] D5289700FAD39825C8A7BB20B7FC0A0D
C:\Windows\winsxs\x86_microsoft-windows-w..emassessmenttoolapi_31bf3856ad364e35_6.0.6001.18000_none_e39e6219f79a63c6\WinSATAPI.dll--a--- 383488 bytes[07:31 30/09/2008][07:36 19/01/2008] 3FCB7347D2DE38488C85A31EA7838A3C
C:\Windows\winsxs\x86_microsoft-windows-w..nttoolapi.resources_31bf3856ad364e35_6.0.6000.16386_en-us_86f384ab3e5358a7\WinSATAPI.dll.mui--a--- 6144 bytes[12:41 02/11/2006][12:41 02/11/2006] 64BDEA749C5954CECAB7EC5E9CC24D39
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys--a--- 19048 bytes[23:58 10/04/2008][23:58 10/04/2008] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16470_none_db063634249c06f4\atapi.sys--a--- 21688 bytes[00:11 11/04/2008][00:11 11/04/2008] 7EB55F6BEFB392BD312CD0CD5263305D
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys--a--- 21560 bytes[21:48 30/04/2008][21:48 30/04/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys--a--- 19048 bytes[23:58 10/04/2008][23:58 10/04/2008] 5653737BAD8C6C10136451C195C19881
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20509_none_dbe4850d3d78c736\atapi.sys--a--- 21688 bytes[23:58 10/04/2008][23:58 10/04/2008] 9E7E85EC61D1C9C3171CC08427108863
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20580_none_db8503133dc1c2af\atapi.sys--a--- 21688 bytes[00:11 11/04/2008][00:11 11/04/2008] 61CA2C1E145809813C28752298CF9843
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys--a--- 21560 bytes[21:48 30/04/2008][21:48 30/04/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys--a--- 21560 bytes[07:30 30/09/2008][07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys--a--- 19944 bytes[09:15 24/09/2009][06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

-=End Of File=-

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter
* The above procedure will:
  * Delete the following:
    * ComboFix and its associated files and folders.
  * Reset the clock settings.
  * Hide file extensions, if required.
  * Hide System/Hidden files, if required.
  * Set a new, clean Restore Point.
----------
Clean out your temporary internet files and temp files.
Download TFC by OldTimer to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
----------
ESET Online Scan
Scan your computer with the ESET FREE Online Virus Scan
* Click the ESET Online Scanner button.
* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
  * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.
* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.
In your next reply please include the ESET Online Scan Log

F:\My docs backup 2008 04 29\Programs\files\click_me_insults.html	probably a variant of JS/Seeker.AF trojan	cleaned by deleting - quarantined
F: is my external USB backup drive that was thankfully not connected when all this trouble started.

If there are no more malware issues we can finish up now.
Use the Secunia Software Inspector to check for out of date software.
* Click Start Now
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.
----------
I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time.
Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing.
Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Cheers for all the help guys.

You're welcome. Safe surfing...
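The SystemLook log posted earlier in this thread is the raw material for the check the helper is doing by eye: the live C:\Windows\System32\drivers\atapi.sys should hash like one of the copies Windows itself keeps (under DriverStore\FileRepository and winsxs) and must not hash like the copy ComboFix parked in C:\Qoobox\Quarantine. On that log it passes: the live file's MD5 1F05B78AB91C9075565A9D8A4B880BC4 is also the hash of the DriverStore mshdc.inf_b12d8e84 copy and of the winsxs 6.0.6002.18005 copy, while the quarantined atapi.sys.vir hashes to F0CE0B2BD34E63C0D57139F0AE1C6747. The script below is an added example written for this editing pass, not code from the thread, from SystemLook or from its author, that automates the comparison for every driver a filefind log lists. The sample entries are copied from the log above (real hashes), the "tampered" variant is constructed, and the function and constant names (parse_systemlook, audit_live_drivers, with_live_atapi_md5, SAMPLE_LOG, TAMPERED_LOG) are this example's own.

```python
"""Cross-check live Windows drivers against the copies the OS itself keeps.

Parses SystemLook ':filefind' result lines in the flattened form seen in the
thread, <path><6-char attrs> <size> bytes[<created>][<modified>] <MD5>, and
for every file under \Windows\System32\drivers reports whether its MD5 equals
a DriverStore/winsxs copy of the same name, equals a quarantined copy (a
cleaned file has come back), or matches nothing at all.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<path>.+)(?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes"
    r"\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Where Vista keeps pristine copies, and where cleaning tools park removed files.
REFERENCE_STORES = ("\\driverstore\\filerepository\\", "\\winsxs\\")
QUARANTINE_MARKER = "\\quarantine\\"
LIVE_DRIVER_DIR = "\\windows\\system32\\drivers\\"

# Constructed sample: entries copied from the SystemLook log in the thread,
# enough to exercise every branch of the audit.
SAMPLE_LOG = r"""
Searching for "*atapi*"
C:\Qoobox\Quarantine\C\Windows\System32\drivers\atapi.sys.vir--a--- 19944 bytes[09:15 24/09/2009][13:55 05/02/2010] F0CE0B2BD34E63C0D57139F0AE1C6747
C:\Windows\System32\DriverStore\FileRepository\iteatapi.inf_431397fb\iteatapi.sys--a--- 35944 bytes[10:25 02/11/2006][09:50 02/11/2006] BCED60D16156E428F8DF8CF27B0DF150
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys--a--- 19944 bytes[09:15 24/09/2009][06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys--a--- 21560 bytes[07:30 30/09/2008][07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys------ 19944 bytes[09:15 24/09/2009][13:55 05/02/2010] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\drivers\iteatapi.sys--a--- 35944 bytes[07:36 02/11/2006][09:50 02/11/2006] BCED60D16156E428F8DF8CF27B0DF150
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys--a--- 19944 bytes[09:15 24/09/2009][06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
"""

# The live atapi.sys is the only entry whose attribute field is all dashes,
# so this tail identifies it uniquely inside SAMPLE_LOG.
_LIVE_ATAPI_TAIL = ("atapi.sys------ 19944 bytes[09:15 24/09/2009][13:55 05/02/2010] "
                    "1F05B78AB91C9075565A9D8A4B880BC4")


def with_live_atapi_md5(md5):
    """Constructed variant of SAMPLE_LOG in which the live atapi.sys carries another MD5."""
    assert _LIVE_ATAPI_TAIL in SAMPLE_LOG
    return SAMPLE_LOG.replace(_LIVE_ATAPI_TAIL, _LIVE_ATAPI_TAIL[:-32] + md5)


# Hypothetical case: the live driver once again hashes like the copy ComboFix quarantined.
TAMPERED_LOG = with_live_atapi_md5("F0CE0B2BD34E63C0D57139F0AE1C6747")


def parse_systemlook(text):
    """Return one dict per filefind result line; headers and footers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        entries.append(e)
    return entries


def audit_live_drivers(text):
    """Map each live driver path to one of:
       'matches-reference'  MD5 equals a DriverStore/winsxs copy of that file name
       'MATCHES-QUARANTINE' MD5 equals a quarantined copy of that file name
       'NO-REFERENCE-MATCH' MD5 matches nothing the OS ships; examine the file
    """
    entries = parse_systemlook(text)
    reference, quarantined = defaultdict(set), defaultdict(set)
    for e in entries:
        p = e["path"].lower()
        if any(store in p for store in REFERENCE_STORES):
            reference[e["name"]].add(e["md5"])
        elif QUARANTINE_MARKER in p:
            # ComboFix appends .vir to what it quarantines; strip it to get the real name.
            name = e["name"][:-4] if e["name"].endswith(".vir") else e["name"]
            quarantined[name].add(e["md5"])
    verdicts = {}
    for e in entries:
        p = e["path"].lower()
        if LIVE_DRIVER_DIR not in p or QUARANTINE_MARKER in p:
            continue
        if any(store in p for store in REFERENCE_STORES):
            continue
        if e["md5"] in quarantined.get(e["name"], ()):
            verdicts[e["path"]] = "MATCHES-QUARANTINE"
        elif e["md5"] in reference.get(e["name"], ()):
            verdicts[e["path"]] = "matches-reference"
        else:
            verdicts[e["path"]] = "NO-REFERENCE-MATCH"
    return verdicts


if __name__ == "__main__":
    for label, log in (("as posted", SAMPLE_LOG), ("hypothetical re-infection", TAMPERED_LOG)):
        print(label)
        for path, verdict in audit_live_drivers(log).items():
            print(f"  {verdict:20} {path}")
```

To use it on a real run, read the SystemLook.txt that the tool drops on the desktop and pass its text to audit_live_drivers. Two caveats a practitioner should keep in mind: only the hash is compared, the attribute column is parsed and ignored, and a hash computed on the running system goes through the same disk stack a kernel-mode rootkit can hook, so a clean verdict here is corroborating evidence, not proof; hashing the file from clean boot media is the stronger check.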