
Topic: I've got a trojan horse (or two) and can't get shot of it. "psw.generic7.bemv"


SuperDave (Malware Removal Specialist, Moderator)

Quote:
PS I'm still getting the occasional website loading up unrequested, any ideas (didn't get this before the malware problem)
Which browser are you using?
Windows 8 and Windows 10 dual boot with two SSD's

macca614 (Topic Starter)

    Hi SD, I'm using Firefox v3.6 with add-ons Adblock Plus, AVG Safe Guard, ColorfulTabs, NoScript, Personas, Skype, WOT, plus some Java Console.

    This morning I got this message, see attached:

    I've checked Task Manager "Services" and Process ID 816 is PlugPlay and DcomLaunch again!

    I'm suspecting I'm going to have to go down the clean-install route. Is there a good/safe way of partitioning my C: drive without losing the data, and then moving my data across to the new drive without bringing the infection across?


    [Saving space, attachment deleted by admin]

    SuperDave
    Update and run SAS and MBAM again. Just hold off on the re-format. I'm going to check with Evil about this new problem.

    evilfantasy (Malware Removal Specialist, Moderator)
    Do you visit the website 'samdadsupport.com'?

    macca614 (Topic Starter)

      Nope I've not clicked on samdadsupport.com.

      I've tried leaving Firefox open and not using the computer for, say, 45 mins and nothing happens, but within 5 mins of using it I get a new tab loading up with various websites (that either NoScript or WOT warns me are dangerous). This only happens once a session. I know it's not the end of the world compared to the mess I was in when I first contacted you guys (thanks again for the help) but I'm still a bit worried that I have a problem.

      I've not been clicking on anything, and websites like this try to open:

      ___NO_CLICK_____http://www.ukprizedraw.co.uk/default.aspx?campid=105&affid=2741&subid=2284

      I have already run SAS but it did not find anything. I will run MBAM again this weekend.

      evilfantasy
      Delete ComboFix and download a new copy.

      Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      **Note:  It is important that it is saved directly to your Desktop

      DO NOT run it yet!

      Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

      Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      Delete these files/folders, as follows:

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

      Code:
      KillAll::

      DDS::
      DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

      Folder::
      c:\users\Jamie\AppData\Roaming\lowsec

      RegLockDel::
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&14c66cf6&0&12345678&02&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&14c66cf6&0&12345678&02&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CE\4&211ab9e2&0&UID16843008\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CE\4&211ab9e2&0&UID16843008\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\4&211ab9e2&0&UID16843008\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\4&211ab9e2&0&UID16843008\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\5&14c66cf6&0&12345678&02&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\5&14c66cf6&0&12345678&02&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]


      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

      ----------

      Download GooredFix from one of the locations below and save it to your desktop

      Download Mirror #1
      Download Mirror #2

      * Ensure all Firefox windows are closed.
      * To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
      * When prompted to run the scan, click Yes.
      * GooredFix will check for infections, and then a log will appear.

      Post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

      ----------

      Download Rooter.exe to your desktop.

      * Double click Rooter.exe to start the tool.
      * A DOS window will appear and show the scan progress.
      * Once complete a notepad file containing the report will open.
      * Copy & paste the results in your next reply.
      * Close notepad and Rooter will close.

      A log will also save at C:\Rooter.txt

      ----------

      Next post please add:

      • ComboFix log
      • GooredFix log
      • Rooter log

        macca614 (Topic Starter)

        Followed your instructions to the letter. I have now turned AVG, AdAware and Spybot back on.

        ComboFix 10-02-07.06 - Jamie 08/02/2010   9:27.4.2 - x86
        Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2036.1111 [GMT 0:00]
        Running from: c:\users\Jamie\Desktop\ComboFix.exe
        Command switches used :: c:\users\Jamie\Desktop\CFScript.txt
        FW: Sunbelt Personal Firewall *disabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
        SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
        SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\users\Jamie\AppData\Roaming\lowsec
        c:\users\Jamie\AppData\Roaming\lowsec\local.ds
        c:\users\Jamie\AppData\Roaming\lowsec\user.ds

        Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
        Restored copy from - Kitty ate it :p
        .
        (((((((((((((((((((((((((   Files Created from 2010-01-08 to 2010-02-08  )))))))))))))))))))))))))))))))
        .

        2010-02-08 09:33 . 2010-02-08 09:33   --------   d-----w-   c:\users\Public\AppData\Local\temp
        2010-02-08 09:33 . 2010-02-08 09:33   --------   d-----w-   c:\users\IUSR_NMPR\AppData\Local\temp
        2010-02-08 09:33 . 2010-02-08 09:33   --------   d-----w-   c:\users\Default\AppData\Local\temp
        2010-02-04 16:25 . 2010-02-05 17:48   --------   d-----w-   c:\program files\SpywareBlaster
        2010-02-02 15:11 . 2010-02-08 09:53   --------   d-----w-   c:\users\Jamie\AppData\Local\temp
        2010-01-29 15:23 . 2010-01-27 17:19   15880   ----a-w-   c:\windows\system32\lsdelete.exe
        2010-01-28 14:10 . 2010-01-28 14:10   --------   d-----w-   c:\program files\DiskCheckup
        2010-01-28 14:10 . 2010-01-28 14:10   --------   d-----w-   c:\windows\Sun
        2010-01-27 16:44 . 2009-07-16 13:33   157696   ----a-w-   c:\users\Jamie\JavaRa.exe
        2010-01-26 15:15 . 2010-02-04 16:28   --------   d-----w-   c:\programdata\Spybot - Search & Destroy
        2010-01-26 15:15 . 2010-01-26 15:18   --------   d-----w-   c:\program files\Spybot - Search & Destroy
        2010-01-26 10:23 . 2010-01-26 10:28   --------   d-----w-   c:\program files\a-squared Free
        2010-01-25 21:08 . 2010-01-25 21:08   --------   d-----w-   c:\users\Jamie\AppData\Roaming\Malwarebytes
        2010-01-25 21:08 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-01-25 21:08 . 2010-01-25 21:08   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-01-25 21:08 . 2010-01-25 21:08   --------   d-----w-   c:\programdata\Malwarebytes
        2010-01-25 21:08 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-01-25 20:45 . 2010-01-25 20:45   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
        2010-01-25 20:45 . 2010-01-25 20:45   --------   d-----w-   c:\users\Jamie\AppData\Roaming\SUPERAntiSpyware.com
        2010-01-25 20:45 . 2010-01-25 20:45   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-01-25 20:44 . 2010-01-25 20:44   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
        2010-01-25 17:17 . 2009-12-02 13:19   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
        2010-01-25 16:58 . 2010-01-25 16:59   --------   dc-h--w-   c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
        2010-01-25 16:58 . 2010-01-25 16:58   --------   d-----w-   c:\program files\Lavasoft
        2010-01-21 16:57 . 2010-01-21 16:57   --------   d-----w-   c:\users\Jamie\AppData\Local\HandBrake
        2010-01-21 16:57 . 2010-01-21 16:57   --------   d-----w-   c:\users\Jamie\AppData\Roaming\HandBrake
        2010-01-20 00:52 . 2010-01-20 00:54   --------   d-----w-   C:\ConverterOutput
        2010-01-20 00:52 . 2004-10-12 14:42   262144   ----a-w-   c:\windows\system32\TomsMoComp_ff.dll
        2010-01-20 00:52 . 2004-10-12 14:40   2255360   ----a-w-   c:\windows\system32\libavcodec.dll
        2010-01-20 00:52 . 2004-10-05 16:16   395776   ----a-w-   c:\windows\system32\libmplayer.dll
        2010-01-20 00:52 . 2004-10-04 01:50   112640   ----a-w-   c:\windows\system32\libmpeg2_ff.dll
        2010-01-20 00:52 . 2004-09-10 13:50   34820   ----a-w-   c:\windows\system32\ffdshow.reg
        2010-01-20 00:52 . 2010-01-20 00:52   --------   d-----w-   c:\program files\Cucusoft
        2010-01-19 22:36 . 2010-02-04 17:10   --------   d-----w-   c:\users\Jamie\AppData\Roaming\Auslogics
        2010-01-19 22:36 . 2010-02-04 17:09   --------   d-----w-   c:\program files\Auslogics
        2010-01-14 16:20 . 2009-10-19 13:38   156672   ----a-w-   c:\windows\system32\t2embed.dll
        2010-01-14 16:20 . 2009-10-19 13:35   72704   ----a-w-   c:\windows\system32\fontsub.dll

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-02-08 09:55 . 2008-05-15 22:40   --------   d-----w-   c:\programdata\Kontiki
        2010-02-06 00:34 . 2009-11-24 16:04   --------   d-----w-   c:\users\Jamie\AppData\Roaming\vlc
        2010-02-05 13:55 . 2009-09-24 09:15   19944   ----a-w-   c:\windows\system32\drivers\atapi.sys
        2010-02-05 09:19 . 2010-01-25 20:45   117760   ----a-w-   c:\users\Jamie\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-02-04 17:17 . 2010-01-25 17:16   389784   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
        2010-02-04 17:17 . 2010-01-25 17:09   3803208   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
        2010-02-04 17:17 . 2010-01-25 17:08   823928   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
        2010-02-04 17:17 . 2010-01-25 17:06   1181328   ----a-w-   c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
        2010-02-04 16:11 . 2008-04-29 17:02   75912   ----a-w-   c:\users\Jamie\AppData\Local\GDIPFONTCACHEV1.DAT
        2010-02-02 14:10 . 2009-06-03 17:06   --------   d-----w-   c:\users\Jamie\AppData\Roaming\uTorrent
        2010-01-29 16:22 . 2008-04-10 16:32   --------   d-----w-   c:\program files\Google
        2010-01-28 14:03 . 2008-12-15 09:38   411368   ----a-w-   c:\windows\system32\deploytk.dll
        2010-01-27 16:38 . 2008-04-10 16:26   --------   d-----w-   c:\program files\Java
        2010-01-27 16:37 . 2008-04-10 16:26   --------   d-----w-   c:\program files\Common Files\Java
        2010-01-25 20:45 . 2010-01-25 20:45   52224   ----a-w-   c:\users\Jamie\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-01-25 16:58 . 2009-11-05 09:53   --------   d-----w-   c:\programdata\Lavasoft
        2010-01-22 11:28 . 2008-11-10 22:39   1   ----a-w-   c:\users\Jamie\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
        2010-01-21 17:38 . 2008-04-29 17:18   --------   d-----w-   c:\program files\Mozilla Thunderbird
        2010-01-21 16:57 . 2009-03-05 23:05   --------   d-----w-   c:\program files\HandBrake
        2010-01-21 16:01 . 2009-08-12 19:27   --------   d-----w-   c:\program files\Microsoft Silverlight
        2010-01-19 23:59 . 2009-07-20 09:22   --------   d-----w-   c:\program files\Common Files\Adobe
        2010-01-14 16:57 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
        2010-01-14 11:12 . 2009-10-02 17:01   181120   ------w-   c:\windows\system32\MpSigStub.exe
        2010-01-12 22:27 . 2009-09-18 11:45   --------   d-----w-   c:\users\Jamie\AppData\Roaming\Skype
        2010-01-12 22:20 . 2009-09-18 11:47   --------   d-----w-   c:\users\Jamie\AppData\Roaming\skypePM
        2010-01-09 20:12 . 2008-05-05 14:00   --------   d-----w-   c:\users\Jamie\AppData\Roaming\dvdcss
        2010-01-02 06:38 . 2010-01-22 11:18   916480   ----a-w-   c:\windows\system32\wininet.dll
        2010-01-02 06:32 . 2010-01-22 11:18   71680   ----a-w-   c:\windows\system32\iesetup.dll
        2010-01-02 06:32 . 2010-01-22 11:18   109056   ----a-w-   c:\windows\system32\iesysprep.dll
        2010-01-02 04:57 . 2010-01-22 11:18   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
        2009-12-29 13:39 . 2009-12-29 13:39   --------   d-----w-   c:\program files\QuickTime
        2009-12-29 13:39 . 2009-12-29 13:39   --------   d-----w-   c:\programdata\Apple Computer
        2009-12-29 13:37 . 2009-12-29 13:37   --------   d-----w-   c:\program files\Common Files\Apple
        2009-12-29 13:37 . 2009-12-29 13:37   --------   d-----w-   c:\program files\Apple Software Update
        2009-12-29 13:37 . 2009-12-29 13:37   --------   d-----w-   c:\programdata\Apple
        2009-12-29 13:22 . 2009-09-18 11:44   --------   d-----r-   c:\program files\Skype
        2009-12-29 13:14 . 2009-12-29 13:14   --------   d-----w-   c:\program files\Secunia
        2009-12-14 20:56 . 2008-06-28 11:05   --------   d-----w-   c:\programdata\Roxio
        2009-12-10 17:35 . 2009-12-10 17:35   --------   d-----w-   c:\program files\Stardock
        2009-12-10 17:35 . 2009-12-10 17:35   --------   d-----w-   c:\program files\Common Files\Stardock
        2009-12-10 17:31 . 2008-04-29 17:18   --------   d-----w-   c:\users\Jamie\AppData\Roaming\Thunderbird
        2009-12-07 14:10 . 2010-01-25 16:58   2953352   -c--a-w-   c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
        2009-12-04 10:34 . 2009-12-04 10:34   784136   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
        2009-11-25 17:42 . 2009-11-25 17:42   291696   ----a-w-   c:\users\Jamie\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
        2009-11-17 13:33 . 2009-07-28 09:28   319456   ----a-w-   c:\windows\DIFxAPI.dll
        2009-11-10 10:33 . 2009-06-03 15:51   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
        2009-12-24 16:07 . 2008-12-22 09:46   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
        2009-09-25 16:41 . 2009-09-25 16:41   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
        2009-09-25 16:41 . 2009-09-25 16:41   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
        2008-04-11 00:11 . 2008-04-10 23:58   8192   --sha-w-   c:\windows\Users\Default\NTUSER.DAT
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
        "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
        "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
        "Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
        "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
        "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
        "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-01-18 17920]
        "NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-06-27 439512]
        "CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2007-06-27 215256]
        "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-24 30192]
        "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-13 16384]
        "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
        "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
        "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
        "DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
        "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-27 7420448]
        "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-05 141848]
        "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-05 173592]
        "Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-05 150552]
        "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
        "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
        "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-04-10 77824]

        c:\users\Jamie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
        Broadband Download Monitor.lnk - c:\program files\Broadband Download Monitor\bdm.exe [2008-3-7 688128]
        Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-12-10 3444008]

        c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
        Software Director Scheduler.lnk - c:\program files\Common Files\Cloanto\Software Director\softdir.exe [2009-8-11 288328]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "EnableSecureUIAPaths"= 0 (0x0)
        "EnableVirtualization"= 0 (0x0)
        "EnableUIADesktopToggle"= 0 (0x0)

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
        @="FSFilter System Recovery"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
        @="Service"

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
        "VistaSp2"=hex(b):78,da,8f,f3,df,3d,ca,01

        R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [25/01/2010 17:17 64288]
        R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [03/06/2009 15:51 333192]
        R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [03/06/2009 15:51 360584]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
        R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [26/01/2010 10:23 1858144]
        R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [17/11/2009 13:33 81920]
        R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [27/10/2009 16:44 906520]
        R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [27/10/2009 16:43 285392]
        R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [12/02/2007 10:46 208896]
        R2 NMSCore;Intel(R) NMSCore;c:\program files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe [27/06/2007 09:14 317656]
        R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [18/02/2007 19:34 5376]
        R2 QualityManager;Intel(R) Quality Manager;c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\QualityManager.exe [27/06/2007 09:17 272600]
        R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 11:31 92008]
        R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [28/05/2009 08:12 598856]
        R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [10/04/2008 16:29 5632]
        R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
        S2 gupdate1c9f354452512a9;Google Update Service (gupdate1c9f354452512a9);c:\program files\Google\Update\GoogleUpdate.exe [22/06/2009 16:12 133104]
        S3 DHTRACE;Intel(R) DHTrace Controller;c:\program files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [27/06/2007 09:15 39640]
        S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [30/09/2008 07:30 21504]
        S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\System32\drivers\ggflt.sys [09/06/2009 16:58 13224]
        S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/04/2008 16:32 30192]
        S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 13:19 1181328]
        S3 PSI;PSI;c:\windows\System32\drivers\psi_mf.sys [17/06/2009 12:20 12648]
        S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\System32\drivers\s3017bus.sys [09/01/2009 10:42 83880]
        S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\System32\drivers\s3017mdfl.sys [09/01/2009 10:44 15016]
        S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\System32\drivers\s3017mdm.sys [09/01/2009 10:44 110632]
        S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s3017mgmt.sys [09/01/2009 10:50 104616]
        S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\System32\drivers\s3017nd5.sys [09/01/2009 10:54 25512]
        S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\System32\drivers\s3017obex.sys [09/01/2009 10:49 100648]
        S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\System32\drivers\s3017unic.sys [09/01/2009 10:51 110120]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
        WindowsMobile   REG_MULTI_SZ      wcescomm rapimgr
        LocalServiceRestricted   REG_MULTI_SZ      WcesComm RapiMgr
        LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
        .
        Contents of the 'Scheduled Tasks' folder

        2010-02-08 c:\windows\Tasks\AutoSmartDefrag.job
        - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-01-19 15:30]

        2010-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-22 16:12]

        2010-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-22 16:12]

        2010-02-02 c:\windows\Tasks\SmartDefrag.job
        - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-01-19 15:30]

        2010-02-08 c:\windows\Tasks\User_Feed_Synchronization-{FA4F8ED9-C3D2-43A5-B120-BB37897806F4}.job
        - c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://google.atcomet.com/b/
        uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
        IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
        DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect2.pb.com/dana-cached/sc/JuniperSetupClient.cab
        FF - ProfilePath - c:\users\Jamie\AppData\Roaming\Mozilla\Firefox\Profiles\tga7fkpk.default\
        FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
        FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
        FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
        FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
        FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
        FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

        ---- FIREFOX POLICIES ----
        FF - user.js: browser.cache.memory.capacity - 65536
        FF - user.js: browser.chrome.favicons - fales
        FF - user.js: browser.display.show_image_placeholders - true
        FF - user.js: browser.turbo.enabled - true
        FF - user.js: browser.urlbar.autocomplete.enabled - true
        FF - user.js: browser.urlbar.autofill - true
        FF - user.js: content.interrupt.parsing - true
        FF - user.js: content.max.tokenizing.time - 2250000
        FF - user.js: content.notify.backoffcount - 5
        FF - user.js: content.notify.interval - 750000
        FF - user.js: content.notify.ontimer - true
        FF - user.js: content.switch.threshold - 750000
        FF - user.js: network.http.max-connections - 48
        FF - user.js: network.http.max-connections-per-server - 16
        FF - user.js: network.http.max-persistent-connections-per-proxy - 16
        FF - user.js: network.http.max-persistent-connections-per-server - 8
        FF - user.js: network.http.pipelining - true
        FF - user.js: network.http.pipelining.firstrequest - true
        FF - user.js: network.http.pipelining.maxrequests - 8
        FF - user.js: network.http.proxy.pipelining - true
        FF - user.js: network.http.request.max-start-delay - 0
        FF - user.js: nglayout.initialpaint.delay - 0
        FF - user.js: plugin.expose_full_path - true
        FF - user.js: ui.submenuDelay - 0
        FF - user.js: yahoo.homepage.dontask - true
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
        c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
        c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
        .
        - - - - ORPHANS REMOVED - - - -

        SafeBoot-dmboot.sys
        SafeBoot-dmio.sys
        SafeBoot-dmload.sys
        SafeBoot-dmadmin
        SafeBoot-dmserver
        SafeBoot-SRService



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-02-08 09:53
        Windows 6.0.6002 Service Pack 2 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 


        c:\users\Jamie\AppData\Local\Temp\Cab18FC.tmp 29771 bytes
        c:\users\Jamie\AppData\Local\Temp\Tar18FD.tmp 77580 bytes

        scan completed successfully
        hidden files: 2

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&14c66cf6&0&12345678&02&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
        @DACL=(02 0000)

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&14c66cf6&0&12345678&02&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
        @DACL=(02 0000)

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CE\4&211ab9e2&0&UID16843008\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
        @DACL=(02 0000)

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CE\4&211ab9e2&0&UID16843008\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
        @DACL=(02 0000)

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\4&211ab9e2&0&UID16843008\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
        @DACL=(02 0000)

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\4&211ab9e2&0&UID16843008\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
        @DACL=(02 0000)

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\5&14c66cf6&0&12345678&02&01\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
        @DACL=(02 0000)

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\TEO6770\5&14c66cf6&0&12345678&02&01\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
        @DACL=(02 0000)
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'Explorer.exe'(4896)
        c:\program files\Stardock\ObjectDock\DockShellHook.dll
        c:\program files\Portrait Displays\Pivot Software\winphook.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\program files\Intel\IntelDH\CCU\AlertService.exe
        c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
        c:\program files\Kontiki\KService.exe
        c:\program files\AVG\AVG9\avgnsx.exe
        c:\program files\Dell Support Center\bin\sprtsvc.exe
        c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
        c:\program files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
        c:\program files\AVG\AVG9\avgcsrvx.exe
        c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
        c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
        c:\program files\AVG\AVG9\avgchsvx.exe
        c:\program files\AVG\AVG9\avgrsx.exe
        c:\program files\AVG\AVG9\avgcsrvx.exe
        c:\windows\system32\conime.exe
        c:\windows\system32\igfxsrvc.exe
        c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
        c:\windows\ehome\ehmsas.exe
        c:\program files\Portrait Displays\Pivot Software\floater.exe
        c:\program files\Intel\IntelDH\CCU\CCU_Engine.exe
        c:\program files\Secunia\PSI\psi.exe
        .
        **************************************************************************
        .
        Completion time: 2010-02-08  09:58:36 - machine was rebooted
        ComboFix-quarantined-files.txt  2010-02-08 09:58

        Pre-Run: 193,404,383,232 bytes free
        Post-Run: 193,377,882,112 bytes free

        - - End Of File - - AC84C96F6CA637E54AFB508ABA734AEE

        GooredFix by jpshortstuff (08.01.10.1)
        Log created at 10:12 on 08/02/2010 (Jamie)
        Firefox version 3.6 (en-GB)

        ========== GooredScan ==========


        ========== GooredLog ==========

        C:\Program Files\Mozilla Firefox\extensions\
        {972ce4c6-7e08-4474-a285-3208198ce6fd} [17:15 29/04/2008]
        {B13721C7-F507-4982-B2E5-502A71474FED} [11:45 18/09/2009]
        {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [10:30 05/03/2009]
        {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [17:21 26/03/2009]
        {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [07:40 31/08/2009]
        {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [14:04 28/01/2010]

        C:\Users\Jamie\Application Data\Mozilla\Firefox\Profiles\tga7fkpk.default\extensions\
        [email protected] [08:42 18/01/2010]
        {0545b830-f0aa-4d7e-8820-50a4629a56fe} [16:47 04/02/2010]
        {20a82645-c095-46ed-80e3-08825760534b} [07:31 11/07/2009]
        {73a6fe31-595d-460b-a920-fcc0f8843232} [10:17 05/02/2010]
        {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [13:13 26/01/2010]
        {B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash [10:22 10/12/2009]
        {b9db16a4-6edc-47ec-a1f4-b86292ed211d} [08:42 18/01/2010]
        {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [20:12 09/01/2010]

        [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
        "{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" [17:18 09/05/2008]
        "{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [16:43 27/10/2009]
        "{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [15:53 09/06/2009]

        -=E.O.F=-

        Rooter.exe (v1.0.2) by Eric_71
        .
        SeDebugPrivilege granted successfully ...
        .
        Windows Vista Home Edition (6.0.6002) Service Pack 2
        [32_bits] - x86 Family 6 Model 15 Stepping 13, GenuineIntel
        .
        [wscsvc] (Security Center) RUNNING (state:4)
        [MpsSvc] RUNNING (state:4)
        Windows Firewall -> Enabled
        Windows Defender -> Disabled !
        User Account Control (UAC) -> Enabled
        .
        Internet Explorer 8.0.6001.18882
        Mozilla Firefox 3.6 (en-GB)
        .
        C:\  [Fixed-NTFS] .. ( Total:288 Go - Free:180 Go )
        D:\  [Fixed-NTFS] .. ( Total:9 Go - Free:6 Go )
        E:\  [CD_Rom]
        F:\  [Fixed-FAT32] .. ( Total:232 Go - Free:30 Go )
        G:\  [CD_Rom]
        .
        Scan : 10:13.27
        Path : C:\Users\Jamie\Desktop\Rooter.exe
        User : Jamie ( Administrator -> YES )
        .
        ----------------------\\ Processes
        .
        Locked [System Process] (0)
        Locked System (4)
        ______ \SystemRoot\System32\smss.exe (424)
        ______ C:\Windows\system32\csrss.exe (500)
        ______ C:\Windows\system32\wininit.exe (544)
        ______ C:\Windows\system32\csrss.exe (556)
        ______ C:\Windows\system32\services.exe (588)
        ______ C:\Windows\system32\lsass.exe (604)
        ______ C:\Windows\system32\lsm.exe (612)
        ______ C:\Windows\system32\winlogon.exe (656)
        ______ C:\Windows\system32\svchost.exe (816)
        ______ C:\Windows\system32\svchost.exe (880)
        ______ C:\Windows\System32\svchost.exe (1012)
        ______ C:\Windows\System32\svchost.exe (1044)
        ______ C:\Windows\system32\svchost.exe (1060)
        Locked audiodg.exe (1168)
        ______ C:\Windows\system32\svchost.exe (1192)
        ______ C:\Windows\system32\SLsvc.exe (1212)
        ______ C:\Windows\system32\svchost.exe (1244)
        ______ C:\Windows\system32\svchost.exe (1424)
        ______ C:\Windows\System32\spoolsv.exe (1628)
        ______ C:\Windows\system32\svchost.exe (1652)
        ______ C:\Program Files\a-squared Free\a2service.exe (1804)
        ______ C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe (1860)
        ______ C:\Program Files\Intel\IntelDH\CCU\AlertService.exe (1880)
        ______ C:\Program Files\AVG\AVG9\avgwdsvc.exe (1896)
        ______ C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe (1920)
        ______ C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe (1948)
        ______ C:\Program Files\Kontiki\KService.exe (260)
        ______ C:\Program Files\AVG\AVG9\avgnsx.exe (1000)
        ______ C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe (972)
        ______ C:\Windows\system32\svchost.exe (464)
        ______ C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe (1732)
        ______ C:\Program Files\Dell Support Center\bin\sprtsvc.exe (688)
        ______ C:\Windows\system32\svchost.exe (2060)
        ______ C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (2088)
        ______ C:\Windows\System32\svchost.exe (2120)
        ______ C:\Windows\system32\SearchIndexer.exe (2204)
        ______ C:\Program Files\Webroot\Washer\WasherSvc.exe (2240)
        ______ C:\Program Files\AVG\AVG9\avgemc.exe (2316)
        ______ C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe (2348)
        ______ C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe (2368)
        ______ C:\Windows\system32\taskeng.exe (2520)
        ______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (2528)
        ______ C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe (2852)
        ______ C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe (2896)
        ______ C:\Program Files\AVG\AVG9\avgchsvx.exe (2984)
        ______ C:\Program Files\AVG\AVG9\avgrsx.exe (2992)
        ______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (3020)
        ______ C:\Windows\system32\svchost.exe (3756)
        ______ C:\Windows\system32\Dwm.exe (156)
        ______ C:\Windows\system32\taskeng.exe (1724)
        ______ C:\Windows\Explorer.EXE (3904)
        ______ C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe (732)
        ______ C:\Windows\system32\taskeng.exe (720)
        ______ C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe (3388)
        ______ C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe (1980)
        ______ C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (3700)
        ______ C:\Windows\WindowsMobile\wmdSync.exe (2232)
        ______ C:\Program Files\Dell Support Center\bin\sprtcmd.exe (2676)
        ______ C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe (2912)
        ______ C:\Program Files\Portrait Displays\HP My Display\dthtml.exe (1828)
        ______ C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (3516)
        ______ C:\Windows\System32\igfxtray.exe (608)
        ______ C:\Windows\System32\hkcmd.exe (2592)
        ______ C:\Windows\System32\igfxpers.exe (3988)
        ______ C:\Program Files\Java\jre1.6.0\bin\jusched.exe (2804)
        ______ C:\Windows\ehome\ehtray.exe (476)
        ______ C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (3964)
        ______ C:\Program Files\Webroot\Washer\wwDisp.exe (1132)
        ______ C:\Windows\system32\igfxsrvc.exe (3900)
        ______ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (4208)
        ______ C:\Program Files\Common Files\Cloanto\Software Director\softdir.exe (4216)
        ______ C:\Program Files\Broadband Download Monitor\bdm.exe (4224)
        ______ C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (4232)
        ______ C:\Windows\ehome\ehmsas.exe (4404)
        ______ C:\Program Files\Portrait Displays\Pivot Software\floater.exe (4620)
        ______ C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe (4716)
        ______ C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe (4752)
        ______ C:\Program Files\Secunia\PSI\psi.exe (5008)
        ______ C:\Windows\system32\conime.exe (5112)
        ______ C:\Users\Jamie\Desktop\Rooter.exe (5096)
        .
        ----------------------\\ Device\Harddisk0\
        .
        \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
        .
        \Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:57544704)
        \Device\Harddisk0\Partition2 (Start_Offset:57671680 | Length:10737418240)
        \Device\Harddisk0\Partition3 --[ MBR ]-- (Start_Offset:10795089920 | Length:309276442624)
        .
        ----------------------\\ Scheduled Tasks
        .
        C:\Windows\Tasks\AutoSmartDefrag.job
        C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
        C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
        C:\Windows\Tasks\SA.DAT
        C:\Windows\Tasks\SCHEDLGU.TXT
        C:\Windows\Tasks\SmartDefrag.job
        C:\Windows\Tasks\User_Feed_Synchronization-{FA4F8ED9-C3D2-43A5-B120-BB37897806F4}.job
        .
        ----------------------\\ Registry
        .
        .
        ----------------------\\ Files & Folders
        .
        ----------------------\\ Scan completed at 10:13.36
        .
        C:\Rooter$\Rooter_1.txt - (08/02/2010 | 10:13.36)



        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        atapi.sys

        Please download SystemLook from one of the below links and save it to your desktop.

        Link #1
        Link #2

        Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

        * Double-click SystemLook.exe to run it.
        * Copy the contents of the following codebox into the main textfield.

        Code:
        :filefind
        *atapi*

        * Click the Look button to start the scan.
        * Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
        * When finished, a notepad window will open with the results of the scan. Please post the log.

        The log can also be found on your desktop entitled SystemLook.txt

        macca614

          Topic Starter


          Rookie

          Disabled AVG, Spybot, Adaware, and SAS.

          Ran SystemLook as requested.

          Switched AVG, Spybot, Adaware, and SAS back on.





          SystemLook v1.0 by jpshortstuff (11.01.10)
          Log created at 11:34 on 09/02/2010 by Jamie (Administrator - Elevation successful)

          ========== filefind ==========

          Searching for "*atapi*"
          C:\Qoobox\Quarantine\C\Windows\System32\drivers\atapi.sys.vir   --a--- 19944 bytes   [09:15 24/09/2009]   [13:55 05/02/2010] F0CE0B2BD34E63C0D57139F0AE1C6747
          C:\Users\Public\Documents\Amiga Files\System\dir\System\Devs\atapi.device   --a--- 13172 bytes   [17:29 11/08/2009]   [04:16 23/09/2003] D0396596015EAC86FB19552FE356F691
          C:\Windows\ERDNT\cache\atapi.sys   --a--- 19944 bytes   [11:04 01/02/2010]   [13:55 05/02/2010] 1F05B78AB91C9075565A9D8A4B880BC4
          C:\Windows\inf\iteatapi.inf   --a--- 33660 bytes   [10:25 02/11/2006]   [10:25 02/11/2006] E4EB9FDA7CA1965653EAB8C109CCE546
          C:\Windows\inf\iteatapi.PNF   --a--- 17916 bytes   [10:25 02/11/2006]   [12:51 02/11/2006] 73DF176A398D10A2338BBD40B56EF72E
          C:\Windows\System32\DriverStore\en-US\iteatapi.inf_loc   --a--- 308 bytes   [12:40 02/11/2006]   [12:40 02/11/2006] DBC002F0F2C65A0519A1BD24D84B22C2
          C:\Windows\System32\DriverStore\FileRepository\iteatapi.inf_431397fb\iteatapi.inf   --a--- 33660 bytes   [10:25 02/11/2006]   [06:35 02/11/2006] E4EB9FDA7CA1965653EAB8C109CCE546
          C:\Windows\System32\DriverStore\FileRepository\iteatapi.inf_431397fb\iteatapi.sys   --a--- 35944 bytes   [10:25 02/11/2006]   [09:50 02/11/2006] BCED60D16156E428F8DF8CF27B0DF150
          C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5a9555b4\atapi.sys   --a--- 21688 bytes   [23:58 10/04/2008]   [23:58 10/04/2008] 9E7E85EC61D1C9C3171CC08427108863
          C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5da5d093\atapi.sys   --a--- 21688 bytes   [00:11 11/04/2008]   [00:11 11/04/2008] 61CA2C1E145809813C28752298CF9843
          C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys   --a--- 21560 bytes   [21:48 30/04/2008]   [21:48 30/04/2008] E03E8C99D15D0381E02743C36AFC7C6F
          C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_6c3af7d3\atapi.sys   --a--- 21688 bytes   [00:11 11/04/2008]   [00:11 11/04/2008] 7EB55F6BEFB392BD312CD0CD5263305D
          C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys   --a--- 21560 bytes   [21:48 30/04/2008]   [21:48 30/04/2008] B35CFCEF838382AB6490B321C87EDF17
          C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys   --a--- 19048 bytes   [23:58 10/04/2008]   [23:58 10/04/2008] A779CA2C76DA4FCB595E692C05E8E4EB
          C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys   --a--- 19944 bytes   [09:15 24/09/2009]   [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
          C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys   --a--- 19048 bytes   [10:25 02/11/2006]   [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
          C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys   --a--- 21560 bytes   [07:30 30/09/2008]   [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
          C:\Windows\System32\drivers\atapi.sys   ------ 19944 bytes   [09:15 24/09/2009]   [13:55 05/02/2010] 1F05B78AB91C9075565A9D8A4B880BC4
          C:\Windows\System32\drivers\iteatapi.sys   --a--- 35944 bytes   [07:36 02/11/2006]   [09:50 02/11/2006] BCED60D16156E428F8DF8CF27B0DF150
          C:\Windows\System32\en-US\WinSATAPI.dll.mui   --a--- 6144 bytes   [12:41 02/11/2006]   [12:41 02/11/2006] 64BDEA749C5954CECAB7EC5E9CC24D39
          C:\Windows\System32\WinSATAPI.dll   --a--- 383488 bytes   [07:31 30/09/2008]   [07:36 19/01/2008] 3FCB7347D2DE38488C85A31EA7838A3C
          C:\Windows\winsxs\Manifests\x86_iteatapi.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_20cdea2c37532736.manifest   --a--- 1913 bytes   [12:39 02/11/2006]   [12:39 02/11/2006] 99D99FA87B40A9FB8F9284AD0D7A71C9
          C:\Windows\winsxs\x86_iteatapi.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_20cdea2c37532736\iteatapi.inf_loc   --a--- 308 bytes   [12:40 02/11/2006]   [12:40 02/11/2006] DBC002F0F2C65A0519A1BD24D84B22C2
          C:\Windows\winsxs\x86_microsoft-windows-w..emassessmenttoolapi_31bf3856ad364e35_6.0.6000.16386_none_e167a01dfaaf52f2\WinSATAPI.dll   --a--- 382976 bytes   [12:34 02/11/2006]   [12:34 02/11/2006] D5289700FAD39825C8A7BB20B7FC0A0D
          C:\Windows\winsxs\x86_microsoft-windows-w..emassessmenttoolapi_31bf3856ad364e35_6.0.6001.18000_none_e39e6219f79a63c6\WinSATAPI.dll   --a--- 383488 bytes   [07:31 30/09/2008]   [07:36 19/01/2008] 3FCB7347D2DE38488C85A31EA7838A3C
          C:\Windows\winsxs\x86_microsoft-windows-w..nttoolapi.resources_31bf3856ad364e35_6.0.6000.16386_en-us_86f384ab3e5358a7\WinSATAPI.dll.mui   --a--- 6144 bytes   [12:41 02/11/2006]   [12:41 02/11/2006] 64BDEA749C5954CECAB7EC5E9CC24D39
          C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys   --a--- 19048 bytes   [23:58 10/04/2008]   [23:58 10/04/2008] A779CA2C76DA4FCB595E692C05E8E4EB
          C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16470_none_db063634249c06f4\atapi.sys   --a--- 21688 bytes   [00:11 11/04/2008]   [00:11 11/04/2008] 7EB55F6BEFB392BD312CD0CD5263305D
          C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys   --a--- 21560 bytes   [21:48 30/04/2008]   [21:48 30/04/2008] B35CFCEF838382AB6490B321C87EDF17
          C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys   --a--- 19048 bytes   [23:58 10/04/2008]   [23:58 10/04/2008] 5653737BAD8C6C10136451C195C19881
          C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20509_none_dbe4850d3d78c736\atapi.sys   --a--- 21688 bytes   [23:58 10/04/2008]   [23:58 10/04/2008] 9E7E85EC61D1C9C3171CC08427108863
          C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20580_none_db8503133dc1c2af\atapi.sys   --a--- 21688 bytes   [00:11 11/04/2008]   [00:11 11/04/2008] 61CA2C1E145809813C28752298CF9843
          C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys   --a--- 21560 bytes   [21:48 30/04/2008]   [21:48 30/04/2008] E03E8C99D15D0381E02743C36AFC7C6F
          C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys   --a--- 21560 bytes   [07:30 30/09/2008]   [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
          C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys   --a--- 19944 bytes   [09:15 24/09/2009]   [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

          -=End Of File=-
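The ":filefind *atapi*" request above and the log it produced amount to an integrity check: the live driver at C:\Windows\System32\drivers\atapi.sys is compared against the pristine copies Windows keeps under DriverStore\FileRepository and winsxs, and against whatever ComboFix moved to its Qoobox quarantine. The Python below is an added example, not SystemLook's or the forum's own code; it parses filefind result lines and performs that comparison on a trimmed copy of the log posted above (the choice of DriverStore/winsxs as the reference set and the path rules are this example's assumptions).

```python
import re
from collections import defaultdict

# One SystemLook ":filefind" result line, as printed in the log above:
#   <path>   <attrs> <size> bytes   [<timestamp>]   [<timestamp>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s{2,}(?P<attr>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Trimmed copy of the filefind block posted above; paths and hashes are the page's own.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "*atapi*"
C:\Qoobox\Quarantine\C\Windows\System32\drivers\atapi.sys.vir   --a--- 19944 bytes   [09:15 24/09/2009]   [13:55 05/02/2010] F0CE0B2BD34E63C0D57139F0AE1C6747
C:\Windows\ERDNT\cache\atapi.sys   --a--- 19944 bytes   [11:04 01/02/2010]   [13:55 05/02/2010] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys   --a--- 19944 bytes   [09:15 24/09/2009]   [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys   --a--- 21560 bytes   [07:30 30/09/2008]   [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys   ------ 19944 bytes   [09:15 24/09/2009]   [13:55 05/02/2010] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\drivers\iteatapi.sys   --a--- 35944 bytes   [07:36 02/11/2006]   [09:50 02/11/2006] BCED60D16156E428F8DF8CF27B0DF150
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys   --a--- 19944 bytes   [09:15 24/09/2009]   [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

-=End Of File=-
"""


def parse_filefind(text):
    """Return one dict per result line; headers, blanks and the footer are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def classify(path, name):
    """Bucket one result by where that copy of <name> lives. Other files that happened
    to match the *atapi* wildcard (iteatapi.sys, WinSATAPI.dll, ...) return None."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    if base.endswith(".vir"):          # ComboFix appends .vir to files it quarantines
        base = base[:-4]
    if base != name.lower():
        return None
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\driverstore\\filerepository\\" in p or "\\winsxs\\" in p:
        return "reference"             # assumption: these copies are the pristine ones
    if p.endswith("\\windows\\system32\\drivers\\" + base):
        return "active"                # the copy the kernel actually loads
    return "other"                     # e.g. the ERDNT registry-backup cache


def check_driver(entries, name="atapi.sys"):
    """Compare the live driver's MD5 with every reference copy and report whether
    the quarantined copy (if any) matched a known-good hash."""
    buckets = defaultdict(list)
    for entry in entries:
        kind = classify(entry["path"], name)
        if kind:
            buckets[kind].append(entry)
    reference = {e["md5"] for e in buckets["reference"]}
    live = buckets["active"][0] if buckets["active"] else None
    quarantined = sorted(e["md5"] for e in buckets["quarantine"])
    return {
        "active_md5": live["md5"] if live else None,
        "active_attr": live["attr"] if live else None,   # attributes exactly as printed
        "reference_md5s": sorted(reference),
        "matches_reference": live is not None and live["md5"] in reference,
        "quarantined_md5s": quarantined,
        "quarantined_unknown": [h for h in quarantined if h not in reference],
    }


if __name__ == "__main__":
    for key, value in check_driver(parse_filefind(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the posted log the live atapi.sys hash matches the winsxs and DriverStore copies, while the quarantined .vir copy matches none of them.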

          evilfantasy

          * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
          * Now type Combofix /Uninstall in the Run box
          * Make sure there's a space between Combofix and /Uninstall
          * Then hit Enter

          The above procedure will:
          * Delete ComboFix and its associated files and folders.
          * Reset the clock settings.
          * Hide file extensions, if required.
          * Hide System/Hidden files, if required.
          * Set a new, clean Restore Point.

          ----------

          Clean out your temporary internet files and temp files.

          Download TFC by OldTimer to your desktop.

          Double-click TFC.exe to run it.

          Note: If you are running on Vista, right-click on the file and choose Run As Administrator

          TFC will close all programs when run, so make sure you have saved all your work before you begin.

          * Click the Start button to begin the cleaning process.
          * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
          * Please let TFC run uninterrupted until it is finished.

          Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

          ----------

          ESET Online Scan

          Scan your computer with the ESET FREE Online Virus Scan

          * Click the ESET Online Scanner button.

          * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
          * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
          * Place a check mark next to YES, I accept the Terms of Use.

          * Click the Start button.
          * Accept any security warnings from your browser.
          * Leave the check mark next to Remove found threats and place a check next to Scan archives.
          * Click the Start button.
          * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
          * When the scan completes, click List of found threats.
          * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
          * Click the <<Back button then click Finish.

          In your next reply please include the ESET Online Scan Log

          macca614


            F:\My docs backup 2008 04 29\Programs\files\click_me_insults.html   probably a variant of JS/Seeker.AF trojan   cleaned by deleting - quarantined


            F: is my external USB backup drive that was thankfully not connected when all this trouble started.

            evilfantasy

            If there are no more malware issues we can finish up now.


            Use the Secunia Software Inspector to check for out of date software.

            * Click Start Now
            * Check the box next to Enable thorough system inspection.
            * Click Start
            * Allow the scan to finish and scroll down to see if any updates are needed.
            * Update anything listed.

            ----------

            Go to Microsoft Windows Update and get all critical updates.

            ----------

            If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

            ----------

            I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

            I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

            SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
            * Using SpywareBlaster to protect your computer from Spyware and Malware
            * If you don't know what ActiveX controls are, see here

            Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

            Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

            Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

            macca614


              Cheers for all the help guys.

              evilfantasy

              You're welcome.

              Safe surfing...