Computer Hope
Software => Computer viruses and spyware => Topic started by: darts44 on November 02, 2010, 04:35:01 PM
-
Hi!
Back to ask your help after a long time.
It is about "Think Point". I got it on my PC and here what i did to get it off my PC.
I located the file in : file:///c:/Users/Yves/AppData/Roaming and scanned the file hotfix.exe with my ZoneAlarm.
There was the "HEUR.Trojan.Win32.Generic" and was removed by my ZoneAlarm.
The problem seem to be fixed, because i was able to go on the internet and that little window from Think Point
didn't come back.
To make sure there was no virus from it anymore on my PC, i scanned one more time with the deep scan and ZoneAlarm
found another virus " Trojan.win 32.FakeAV.ppa", was it a renamed one (?). ZoneAlarm deleted this one too.
Could you help me to make sure there is no more virus hiding on my PC and to guide me how to do it?
Thanks Guys, I know i can rely on your help. Best regards, Yves
-
Please follow the instructions in the following link and post your logs:
http://www.computerhope.com/forum/index.php/topic,46313.0.html
-
Hi! Here is the log of the results of the "SUPERAntiSpyware".
Do i need to do the others too?
Regards, Yves
[recovering disk space - old attachment deleted by admin]
-
Hi! Here is the log of the MBAM scan. All clear.
Regards, Yves
[recovering disk space - old attachment deleted by admin]
-
Hi!
First, I have to ask if it is O.K. with the attachments from the "SUPERAntiSpyware" and "MBAM" i put in my replies.
I am asking because i read i should have pasted them in my post.
I am having a problem with the "HijackThis". I got the following message:
For some reason your system denied write access to the Hosts file, If any hijacked domains are in this file, HijackThis may NOT be able to fix this.
If that happens, you need to edit the file yourself. To do this, click Start, run and type:
notepad C:\Windows\System32\drivers\etc\hosts
and press Enter, Find the line(s)
HijackThis Reports and delete them..........i can't find this in it.
Save the file as "hosts." (with quotes) and reboot. When i try to save , the file is sved without the quote.
I try to copy the result of the scan, but it is no working, i can't do it, Why?
Regards, Yves
-
Hi! I try againt about creating and saving that file "hosts", but i got the message:
C:\Windows\System32\drivers\etc\'hosts'.txt
You don't have permission t save in this location.
Contact the administrator to obtain permission.
Would you like to save in the My Documents folder instead.
And i don't know what to do!
Regards, Yves
-
Hi! Here is the copy and paste of SUPERAntiSpyware
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/03/2010 at 11:39 AM
Application Version : 4.45.1000
Core Rules Database Version : 5799
Trace Rules Database Version: 3611
Scan type : Complete Scan
Total Scan Time : 02:08:03
Memory items scanned : 779
Memory threats detected : 0
Registry items scanned : 8865
Registry threats detected : 2
File items scanned : 138411
File threats detected : 0
Malware.Trace
HKU\S-1-5-21-169488594-3743224538-1985200111-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL
Disabled.FolderOption
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED\FOLDER\HIDDEN\SHOWALL#CHECKEDVALUE
Regards, Yves
-
Hi! Here is the copy and paste for MBAM
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5026
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
3/11/2010 1:28:43 PM
mbam-log-2010-11-03 (13-28-43).txt
Scan type: Quick scan
Objects scanned: 137633
Time elapsed: 5 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
This is my first post on this forum. I just want to say what a great resource this forum is. I hope to enjoy my stay and contribute more in days to come.
Thanks
Andy
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
************************************
Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)
Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
Hi! Dave, I downloaded the SecurityCheck.zip on my Desktop, and when i click on the Icon, then an windows open with "run" and when i click on "run" , i got the message : C:\Users\Yves\Desktop\Securitycheck.exe is not a valit win32 application.
I am surpprise of it and fear something bad is going on in my PC.
Thanks for your time and help Dave, i really appreciate it.
Regards, Yves
-
Hi! Dave, I deleted the folder SecurityCheck. zip from my Desktop to re-dowload it againt .
From the forum page with your Link 1 / Link2, when i click on the Link 1 or 2, a new windows on my browser open and search to connect to the link, and then the windows close and i am back to computer hope forum.
Regards, yves
-
Hi! Dave, I succeded to download againt the file Security Check. zip, but the problem with the message is till the same. Regards, yves
-
Ok. Just forget about Security Check for the moment and run ComboFix.
-
Hi! Dave, About the Security Check file , i realise the file i downloaded from Link 1 or 2 is not a ZIP file and when i click on proprieties , there is not byte in it. OK , i go to work on ComboFix and will let you know as soon as possible. Regards, Yves
-
Hi! Dave, Here is what i did:
downloaded the ComboFix from BleepingComputer.com and renamed it and saved on my desktop.
Disebled my AntiVirus from ZoneAlarm
Typed in START "%userprofile%\desktop\commy.exe"/stepdel and hit ENTER
then i got the message: C:\Users\Yves\desktop\commy.exe is not a valid Win32 application
:'( Regards, Yves
-
Hi! Dave, after i hit the enter an windows opened , see additional options and clicked on RUN and then got the message.
I am on Wndows 7 prenium.Regards, Yves
-
Here the additional
[recovering disk space - old attachment deleted by admin]
-
Ok. Delete ComboFix. Let's try this to see what's happening on your computer.
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Under the Custom Scan box paste this in
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
nvstor32.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
explorer.exe
svchost.exe
userinit.exe
qmgr.dll
ws2_32.dll
proquota.exe
imm32.dll
kernel32.dll
ndis.sys
autochk.exe
spoolsv.exe
xmlprov.dll
ntmssvc.dll
mswsock.dll
Beep.SYS
ntfs.sys
termsrv.dll
sfcfiles.dll
st3shark.sys
ahcix86.sys
srsvc.dll
nvrd32.sys
/md5stop
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time
-
Hi! Dave, did it, but the same. Got a windows with RUN and then the message:
C:\Users\Yves\Desktop\OTL.exe is not a valit Win 32 application.
Regards, Yves :'(
-
Hi! Dave, This may help?See additional. Regards, Yves
[recovering disk space - old attachment deleted by admin]
-
Here the real name :
csrss.exe
dwm.exe
hotfix.exe
taskhost.exe
taskmgr.exe
Winlogon.exe
there was also somewhere , but i can't remember:
(waiting for) Form2
-
Hi! Dave, This may help too. See additional. Regards, Yves
[recovering disk space - old attachment deleted by admin]
-
Deleting legitimate Windows files certainly doesn't help me and it certainly doesn't help your computer. I specifically asked you at the start not to do anything on your own. Please run this to see if any damage was done to the computer.
Do you have your OS CD/DVD?
If so,
1/ Click the Start button.
2/ From the Start Menu, Click All programs followed by Accessories.
3/ In the Accessories menu, Right Click on the Command Prompt option.
4/ From the drop down menu that appears, Click on the Run as administrator option.
5/ If you have the User Account Control (UAC) enabled you will be asked for authorisation prior to the command prompt opening. You may simply need to press the Continue button if you are the administrator or insert the administrator password etc.
6/ In the Command Prompt window, type: sfc /scannow and then press Enter.
7/ A message will appear stating that the system scan will begin.
8/ Be patient because the scan may take some time.
9/ If any files require replacing SFC will replace them. You may be asked to insert your Vista DVD for this process to continue.
10/ If everything is okay you should, after the scan, see the following message Windows resource protection did not find any integrity violations.
11/ After the scan has completed, Close the command prompt window.
-
Hi! Dave, That was before i asked your help, since then i followed your instructions to the letter.
OK , i soon as the scan is finish , i let you know. Regards, Yves
-
HI1 Dave, I am not on Vista, but on Windows 7 prenium. Regards, Yves
-
Hi! Dave,
In the Windows Command Prompt, there is :
C:\Windows\system32>_
Should i complete the sentence like this: C:\Windows\system32>sfc/scannow
or
to start a new one with just: sfc/scannow
Regards, Yves
-
Hi! Dave,
I worked the solution to my preview reply myself and did the scan.
I am very happy to report: Windows resource protection did not find any integrity violations.
Regards ,Yves ;D
-
Ok. Please run OTL as suggested in Reply # 18 and post the logs.
-
Hi! Dave,
Downloaded the OTL twice, the reason and explanation for that is in the additionals.
There is no byte in the dowloaded file, see additional.
Then , when i run it , i got the message, see additional.
I am not sure, but could it be possible something is preventing the complete download?
Regards, Yves
[recovering disk space - old attachment deleted by admin]
-
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png) icon on your desktop.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png)
•Click the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png)
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png) button.
•Push (http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
Hi! Dave,
After a few attempts, i finally succeeded to download the ESET.
I unchecked the box "remove found threats", because i was not sure you wanted it that way. You didn't mention if i needded to keep it on not.
Here is the results of the scan:
C:\Program Files\YouTube Downloader Toolbar\SearchSettings.dll Win32/Adware.Toolbar.Dealio application
C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe Win32/Adware.Toolbar.Dealio application
C:\Program Files\YouTube Downloader Toolbar\WidgiHelper.exe Win32/Adware.Toolbar.Dealio application
C:\Program Files\YouTube Downloader Toolbar\IE\1.0\youtubedownloaderToolbarIE.dll Win32/Adware.Toolbar.Dealio application
C:\Windows\Installer\6bcc6a.msi Win32/Adware.Toolbar.Dealio application
Operating memory Win32/Adware.Toolbar.Dealio application
Waiting your intructions eagerly.
Regards,
Yves
-
Please run it again and check "remove found threats".
-
Hi! Dave,
Here is the results:
C:\Program Files\YouTube Downloader Toolbar\SearchSettings.dll Win32/Adware.Toolbar.Dealio application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\YouTube Downloader Toolbar\SearchSettings.exe Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\Program Files\YouTube Downloader Toolbar\WidgiHelper.exe Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\Program Files\YouTube Downloader Toolbar\IE\1.0\youtubedownloaderToolbarIE.dll Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\Users\Yves\AppData\Local\Temp\NOD349B.tmp Win32/Adware.Toolbar.Dealio application cleaned by deleting (after the next restart) - quarantined
C:\Windows\Installer\6bcc6a.msi Win32/Adware.Toolbar.Dealio application deleted - quarantined
Regards, Yves
-
How's your computer running now?. Any issues?
-
Hi! Dave,
My PC seem to be O.K, but how can i make sure there is nothing left from that" Think Point" on it?
There is still some names of files on the "Windows Task Manager", how can i get rid of them? See additional. atiedxx.exe, csrss.exe, winlogon.exe
Regards, Yves
-
here is the additional
[recovering disk space - old attachment deleted by admin]
-
atiedxx.exe
This is a file for your video card.
csrss.exe
The Microsoft Client Server Runtime Server subsystem utilizes the process csrss.exe for managing the majority of the graphical instruction sets under the Microsoft Windows operating system.
winlogon.exe
winlogon.exe is a process belonging to the Windows login manager. It handles the login and logout procedures on your system. This program is important for the stable and secure running of your computer and should not be terminated.
You can google all those files to find out what are their functions .
Let's see if you can run ComboFix again as outlined in Reply #9
-
Hi! Dave,
O.K , i run the ComboFix and here is the results:
ComboFix 10-11-09.01 - Yves 10/11/2010 5:47.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.3070.2010 [GMT 10:00]
Running from: c:\users\Yves\Desktop\commy.exe
Command switches used :: /stepdel
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\arp.exe
G:\Autorun.inf
c:\windows\system32\userinit.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2010-10-09 to 2010-11-09 )))))))))))))))))))))))))))))))
.
2010-11-09 20:47 . 2010-11-09 20:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-09 08:06 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{44CDFD57-B753-47D5-9915-893F16DBC98A}\mpengine.dll
2010-11-09 04:26 . 2010-11-09 04:26 -------- d-----w- c:\program files\Vodafone
2010-11-03 04:36 . 2010-11-03 04:36 -------- d-----w- c:\program files\Common Files\Java
2010-11-03 04:35 . 2010-11-03 04:35 -------- d-----w- c:\program files\Sun
2010-11-03 04:32 . 2010-11-03 04:34 -------- d-----w- c:\program files\Java
2010-11-03 02:59 . 2010-11-03 02:59 -------- d-----w- c:\users\Yves\AppData\Roaming\Malwarebytes
2010-11-03 02:59 . 2010-11-08 23:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-03 02:59 . 2010-11-03 02:59 -------- d-----w- c:\programdata\Malwarebytes
2010-11-02 23:16 . 2010-11-02 23:16 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-10-26 20:45 . 2010-08-04 06:18 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-10-26 20:45 . 2010-08-04 06:17 417792 ----a-w- c:\windows\system32\msdri.dll
2010-10-26 20:45 . 2010-08-04 06:15 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-10-26 20:45 . 2010-08-04 06:15 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2010-10-26 20:39 . 2010-07-13 05:22 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2010-10-23 11:36 . 2010-10-23 11:36 -------- d-----w- c:\programdata\5D
2010-10-23 10:25 . 2010-10-23 11:28 -------- d-----w- c:\users\Yves\AppData\Local\BearShare
2010-10-23 10:18 . 2010-10-23 20:49 -------- dc-h--w- c:\programdata\~0
2010-10-23 10:18 . 2010-10-23 10:18 -------- d-----w- c:\users\Yves\AppData\Local\PackageAware
2010-10-20 14:18 . 2010-10-20 14:18 -------- d-----w- c:\windows\en
2010-10-20 14:18 . 2010-10-20 14:18 -------- dc----w- c:\windows\system32\DRVSTORE
2010-10-20 14:18 . 2010-09-22 14:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-10-20 14:13 . 2010-10-20 14:13 -------- d-----w- c:\program files\MSN Toolbar
2010-10-20 14:13 . 2010-10-20 14:14 -------- d-----w- c:\program files\Bing Bar Installer
2010-10-20 14:13 . 2009-09-04 07:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-10-20 14:13 . 2009-09-04 07:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-10-20 14:13 . 2009-09-04 07:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-10-20 14:12 . 2010-10-20 14:12 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\c76b1f1e1cb70602b\InstallManager_WLE_WLE.exe
2010-10-20 14:11 . 2010-10-20 14:11 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\b5d373971cb706020\MeshBetaRemover.exe
2010-10-20 14:11 . 2010-10-20 14:11 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\a5a337da1cb706018\DSETUP.dll
2010-10-20 14:11 . 2010-10-20 14:11 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\a5a337da1cb706018\DXSETUP.exe
2010-10-20 14:11 . 2010-10-20 14:11 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\a5a337da1cb706018\dsetup32.dll
2010-10-20 14:11 . 2010-10-20 14:11 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\a40e8dec1cb706017\DXSETUP.exe
2010-10-20 14:11 . 2010-10-20 14:11 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\a40e8dec1cb706017\dsetup32.dll
2010-10-20 14:11 . 2010-10-20 14:11 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\a40e8dec1cb706017\DSETUP.dll
2010-10-20 14:09 . 2010-11-06 03:26 -------- d-----w- c:\users\Yves\AppData\Local\Windows Live
2010-10-20 14:09 . 2010-05-23 10:15 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2010-10-20 14:09 . 2010-05-23 10:11 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-10-20 14:09 . 2010-05-23 10:11 3181568 ----a-w- c:\windows\system32\mf.dll
2010-10-15 21:34 . 2010-05-05 06:46 363520 ----a-w- c:\windows\system32\StructuredQuery.dll
2010-10-15 21:03 . 2010-08-21 05:36 738816 ----a-w- c:\windows\system32\wmpmde.dll
2010-10-15 21:01 . 2010-09-01 04:26 164864 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-10-15 21:01 . 2010-09-01 04:23 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-15 21:01 . 2010-09-01 02:34 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-10-15 21:01 . 2010-08-27 05:46 168448 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-15 21:01 . 2010-08-27 03:31 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-15 21:01 . 2010-08-27 03:30 308736 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-15 21:01 . 2010-08-27 03:30 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-03 04:35 . 2010-07-27 22:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-19 01:41 . 2010-07-26 23:48 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-22 14:47 . 2010-09-22 14:47 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-22 14:32 . 2010-09-22 14:32 301936 ----a-w- c:\windows\WLXPGSS.SCR
2010-09-21 04:03 . 2010-09-21 04:03 208768 ----a-w- c:\windows\system32\LIVESSP.DLL
2010-08-25 20:48 . 2010-08-25 20:48 53248 ----a-r- c:\users\Yves\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-08-21 05:32 . 2010-09-15 06:16 316928 ----a-w- c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2010-09-29 2942856]
"AnyTime Organizer"="c:\program files\AnyTime Organizer Premier\AtDem.exe" [2007-11-21 29696]
"E09AXLRD_2727443"="c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE" [2008-06-03 351000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-07-20 1038848]
"MobileBroadband"="c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe" [2010-06-25 253952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^Yves^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^AnyTime.lnk]
path=c:\users\Yves\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AnyTime.lnk
backup=c:\windows\pss\AnyTime.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Yves^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^FastStone Capture.lnk]
path=c:\users\Yves\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FastStone Capture.lnk
backup=c:\windows\pss\FastStone Capture.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Yves^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\Yves\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Yves^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\users\Yves\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-03-27 06:07 362232 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adm_tray.exe]
2010-06-04 08:49 530768 ----a-w- c:\program files\Acronis\DriveMonitor\adm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 13:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-22 18:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-05 17:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-07-22 12:10 402432 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyTime Organizer]
2007-11-21 03:45 29696 ----a-w- c:\progra~1\ANYTIM~1\AtDem.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DU Meter]
2010-09-29 05:30 2942856 ----a-w- c:\program files\DU Meter\DUMeter.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_15580131]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_2163780]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_2494237]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_2519946]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_25437101]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_31464294]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_5542044]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_5633040]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_582850]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_6173833]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_6696436]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_738477]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_8550430]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_9218411]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_969171]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 06:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
2010-10-22 20:47 353736 ----a-w- c:\program files\IncrediMail\Bin\IncMail.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2010-07-21 06:52 1797008 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2010-07-21 07:07 1778064 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-05-11 06:43 6061400 ----a-w- c:\program files\Logitech\Vid\Vid.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid HD]
2010-05-11 06:43 6061400 ----a-w- c:\program files\Logitech\Vid\Vid.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2010-05-07 08:35 165208 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 00:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileBroadband]
2010-06-25 02:57 253952 ----a-w- c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RESTART_STICKY_NOTES]
2009-07-14 01:14 354304 ----a-w- c:\windows\System32\StikyNot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 01:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 03:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2010-03-27 06:06 5107232 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorldTime2006]
2007-10-21 07:17 1486848 ----a-w- c:\program files\AnyTime Organizer Premier\WorldTime.exe
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files\DU Meter\DUMETR32.SYS [2010-09-29 18576]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2010-06-15 35568]
R3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\DRIVERS\massfilter.sys [2010-06-10 9216]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-27 1343400]
R3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\DRIVERS\zgwhsdiag.sys [2009-10-28 105216]
R3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\DRIVERS\zgwhsmdm.sys [2009-10-28 105216]
R3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\DRIVERS\zgwhsnmea.sys [2009-10-28 105216]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\DRIVERS\tdrpm258.sys [2010-07-27 911680]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [2010-07-27 2480048]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-08-03 176128]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2010-02-19 380928]
S2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [2010-09-29 1412488]
S2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2010-06-15 26352]
S2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2010-06-15 493032]
S2 VmbService;Vodafone Mobile Broadband Service;c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2010-06-25 9216]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2010-07-27 160704]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-08-03 6096384]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-08-03 214016]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-07 44432]
S3 vodafone_K3805-z_dc_enum;vodafone_K3805-z_dc_enum;c:\windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys [2010-03-01 61952]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [2010-04-30 105856]
S3 ZTEusbwwan;ZTE MBN Miniport;c:\windows\system32\DRIVERS\ZTEusbwwan.sys [2010-06-10 194048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: {E481D8DE-43C8-4878-B42D-DD2FAEC18884} = 202.124.65.22 202.124.65.18
.
- - - - ORPHANS REMOVED - - - -
BHO-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - c:\progra~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
Toolbar-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - c:\progra~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
HKLM-Run-atr.exe - (no file)
MSConfigStartUp-DATAMNGR - c:\progra~1\BEARSH~1\MediaBar\Datamngr\DATAMN~1.EXE
MSConfigStartUp-SearchSettings - c:\program files\YouTube Downloader Toolbar\SearchSettings.exe
AddRemove-Hoadley Options Strategy Evaluation Tool_is1 - c:\program files\HoadleyOptions\unins000.exe
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DUMeterSvc]
"ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(3860)
c:\program files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
c:\program files\Common Files\Microsoft Shared\Encarta Search Bar\A\ESBRes.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Acronis\DriveMonitor\adm.exe
.
**************************************************************************
.
Completion time: 2010-11-10 07:20:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-09 21:20
Pre-Run: 313,216,090,112 bytes free
Post-Run: 313,234,837,504 bytes free
- - End Of File - - 15DBDB942C9E623E8AA909342BBEF4BF
Look a pretty long one and very impressive. Please, explain to me the results!
Should i delete "ComboFix" from my PC?
Best regards, Yves
-
Please download SystemLook from one of the links below and save it to your desktop.
Link # 1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Link # 2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this (http://www.bleepingcomputer.com/forums/topic114351.html) link to see a list of security programs that should be disabled and how to disable them.
Double-click SystemLook.exe to run it.
Copy the contents of the following codebox into the main textfield.
:filefind
userinit.exe
Click the Look button to start the scan.
Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
******************************
SysProt Antirootkit
Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).
http://sites.google.com/site/sysprotantirootkit/ (http://sites.google.com/site/sysprotantirootkit/)
Unzip it into a folder on your desktop.
- Double click Sysprot.exe to start the program.
- Click on the Log tab.
- In the Write to log box select the following items.
- Process << Selected
- Kernel Modules << Selected
- SSDT << Selected
- Kernel Hooks << Selected
- IRP Hooks << NOT Selected
- Ports << NOT Selected
- Hidden Files << Selected
- At the bottom of the page
- Hidden Objects Only << Selected
- Click on the Create Log button on the bottom right.
- After a few seconds a new window should appear.
- Select Scan Root Drive. Click on the Start button.
- When it is complete a new window will appear to indicate that the scan is finished.
- The log will be saved automatically in the same folder Sysprot.exe was
extracted to. Open the text file and copy/paste the log here.
[/list]
-
Hi! Dave,
Here are the results of the scan with " SystemLook".
Regards,
Yves
SystemLook 04.09.10 by jpshortstuff
Log created at 09:23 on 11/11/2010 by Yves
Administrator - Elevation successful
========== filefind ==========
Searching for "userinit.exe "
C:\Windows\ERDNT\cache\userinit.exe --a---- 26112 bytes [21:08 09/11/2010] [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
C:\Windows\System32\userinit.exe --a---- 26112 bytes [23:34 13/07/2009] [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe --a---- 26112 bytes [23:34 13/07/2009] [01:14 14/07/2009] 6DE80F60D7DE9CE6B8C2DDFDF79EF175
-= EOF =-
-
Hi! Dave,
Here are the results with the scan SysProtAntirootkit
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
No Hidden Kernel Modules found
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
No hidden files/folders found
I am happy with the results. ;D
Regards,
Yves
-
Ok. Let's see if we can fix that corrupted/infected file.
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
FCopy::
C:\Windows\ERDNT\cache\userinit.exe | c:\windows\system32\userinit.exe
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img19.imageshack.us/img19/5660/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
-
Hi! Dave,
Here i am not sure....
I got the "commy.exe" and it is this one i have to use and drag "CFScript.txt" in it.
Or re-download the original ComboFix?
Regards, Yves
-
Yes, use the one you have on your desktop.
-
Hi! Dave,
You write: Open notepad........is that a new notepad or ....... Could you give more details.
I want to make sure i do the right thing.
Regards, Yves
-
Hi! Dave,
Hold on , i got it.
-
Hi! Dave,
Here are the results of the scan
ComboFix 10-11-09.01 - Yves 11/11/2010 11:05:32.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.3070.1942 [GMT 10:00]
Running from: c:\users\Yves\Desktop\commy.exe
Command switches used :: c:\users\Yves\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\ERDNT\cache\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((( Files Created from 2010-10-11 to 2010-11-11 )))))))))))))))))))))))))))))))
.
2010-11-11 01:23 . 2010-11-11 01:23 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-11-11 01:23 . 2010-11-11 01:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-09 08:06 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{44CDFD57-B753-47D5-9915-893F16DBC98A}\mpengine.dll
2010-11-09 04:26 . 2010-11-09 04:26 -------- d-----w- c:\program files\Vodafone
2010-11-03 04:36 . 2010-11-03 04:36 -------- d-----w- c:\program files\Common Files\Java
2010-11-03 04:35 . 2010-11-03 04:35 -------- d-----w- c:\program files\Sun
2010-11-03 04:32 . 2010-11-03 04:34 -------- d-----w- c:\program files\Java
2010-11-03 02:59 . 2010-11-03 02:59 -------- d-----w- c:\users\Yves\AppData\Roaming\Malwarebytes
2010-11-03 02:59 . 2010-11-08 23:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-03 02:59 . 2010-11-03 02:59 -------- d-----w- c:\programdata\Malwarebytes
2010-11-02 23:16 . 2010-11-02 23:16 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-10-26 20:45 . 2010-08-04 06:18 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-10-26 20:45 . 2010-08-04 06:17 417792 ----a-w- c:\windows\system32\msdri.dll
2010-10-26 20:45 . 2010-08-04 06:15 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-10-26 20:45 . 2010-08-04 06:15 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2010-10-26 20:39 . 2010-07-13 05:22 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2010-10-23 11:36 . 2010-10-23 11:36 -------- d-----w- c:\programdata\5D
2010-10-23 10:25 . 2010-10-23 11:28 -------- d-----w- c:\users\Yves\AppData\Local\BearShare
2010-10-23 10:18 . 2010-10-23 20:49 -------- dc-h--w- c:\programdata\~0
2010-10-23 10:18 . 2010-10-23 10:18 -------- d-----w- c:\users\Yves\AppData\Local\PackageAware
2010-10-20 14:18 . 2010-10-20 14:18 -------- d-----w- c:\windows\en
2010-10-20 14:18 . 2010-10-20 14:18 -------- dc----w- c:\windows\system32\DRVSTORE
2010-10-20 14:18 . 2010-09-22 14:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-10-20 14:13 . 2010-10-20 14:13 -------- d-----w- c:\program files\MSN Toolbar
2010-10-20 14:13 . 2010-10-20 14:14 -------- d-----w- c:\program files\Bing Bar Installer
2010-10-20 14:13 . 2009-09-04 07:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-10-20 14:13 . 2009-09-04 07:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-10-20 14:13 . 2009-09-04 07:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-10-20 14:12 . 2010-10-20 14:12 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\c76b1f1e1cb70602b\InstallManager_WLE_WLE.exe
2010-10-20 14:11 . 2010-10-20 14:11 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\b5d373971cb706020\MeshBetaRemover.exe
2010-10-20 14:11 . 2010-10-20 14:11 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\a5a337da1cb706018\DSETUP.dll
2010-10-20 14:11 . 2010-10-20 14:11 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\a5a337da1cb706018\DXSETUP.exe
2010-10-20 14:11 . 2010-10-20 14:11 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\a5a337da1cb706018\dsetup32.dll
2010-10-20 14:11 . 2010-10-20 14:11 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\a40e8dec1cb706017\DXSETUP.exe
2010-10-20 14:11 . 2010-10-20 14:11 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\a40e8dec1cb706017\dsetup32.dll
2010-10-20 14:11 . 2010-10-20 14:11 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\a40e8dec1cb706017\DSETUP.dll
2010-10-20 14:09 . 2010-11-06 03:26 -------- d-----w- c:\users\Yves\AppData\Local\Windows Live
2010-10-20 14:09 . 2010-05-23 10:15 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2010-10-20 14:09 . 2010-05-23 10:11 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-10-20 14:09 . 2010-05-23 10:11 3181568 ----a-w- c:\windows\system32\mf.dll
2010-10-15 21:34 . 2010-05-05 06:46 363520 ----a-w- c:\windows\system32\StructuredQuery.dll
2010-10-15 21:03 . 2010-08-21 05:36 738816 ----a-w- c:\windows\system32\wmpmde.dll
2010-10-15 21:01 . 2010-09-01 04:26 164864 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-10-15 21:01 . 2010-09-01 04:23 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-15 21:01 . 2010-09-01 02:34 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-10-15 21:01 . 2010-08-27 05:46 168448 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-15 21:01 . 2010-08-27 03:31 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-15 21:01 . 2010-08-27 03:30 308736 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-15 21:01 . 2010-08-27 03:30 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-03 04:35 . 2010-07-27 22:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-19 01:41 . 2010-07-26 23:48 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-22 14:47 . 2010-09-22 14:47 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-22 14:32 . 2010-09-22 14:32 301936 ----a-w- c:\windows\WLXPGSS.SCR
2010-09-21 04:03 . 2010-09-21 04:03 208768 ----a-w- c:\windows\system32\LIVESSP.DLL
2010-08-25 20:48 . 2010-08-25 20:48 53248 ----a-r- c:\users\Yves\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-08-21 05:32 . 2010-09-15 06:16 316928 ----a-w- c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2010-09-29 2942856]
"AnyTime Organizer"="c:\program files\AnyTime Organizer Premier\AtDem.exe" [2007-11-21 29696]
"E09AXLRD_2727443"="c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE" [2008-06-03 351000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-07-20 1038848]
"MobileBroadband"="c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe" [2010-06-25 253952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^Yves^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^AnyTime.lnk]
path=c:\users\Yves\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AnyTime.lnk
backup=c:\windows\pss\AnyTime.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Yves^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^FastStone Capture.lnk]
path=c:\users\Yves\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FastStone Capture.lnk
backup=c:\windows\pss\FastStone Capture.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Yves^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\Yves\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Yves^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\users\Yves\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-03-27 06:07 362232 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adm_tray.exe]
2010-06-04 08:49 530768 ----a-w- c:\program files\Acronis\DriveMonitor\adm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 13:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-22 18:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-05 17:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-07-22 12:10 402432 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyTime Organizer]
2007-11-21 03:45 29696 ----a-w- c:\progra~1\ANYTIM~1\AtDem.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DU Meter]
2010-09-29 05:30 2942856 ----a-w- c:\program files\DU Meter\DUMeter.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_15580131]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_2163780]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_2494237]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_2519946]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_25437101]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_31464294]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_5542044]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_5633040]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_582850]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_6173833]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_6696436]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_738477]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_8550430]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_9218411]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E09AXLRD_969171]
2008-06-03 10:05 351000 ----a-w- c:\program files\Microsoft Encarta\Encarta Premium DVD 2009\EDICT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 06:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
2010-10-22 20:47 353736 ----a-w- c:\program files\IncrediMail\Bin\IncMail.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2010-07-21 06:52 1797008 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2010-07-21 07:07 1778064 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-05-11 06:43 6061400 ----a-w- c:\program files\Logitech\Vid\Vid.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid HD]
2010-05-11 06:43 6061400 ----a-w- c:\program files\Logitech\Vid\Vid.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2010-05-07 08:35 165208 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 00:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileBroadband]
2010-06-25 02:57 253952 ----a-w- c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RESTART_STICKY_NOTES]
2009-07-14 01:14 354304 ----a-w- c:\windows\System32\StikyNot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 01:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 03:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2010-03-27 06:06 5107232 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorldTime2006]
2007-10-21 07:17 1486848 ----a-w- c:\program files\AnyTime Organizer Premier\WorldTime.exe
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files\DU Meter\DUMETR32.SYS [2010-09-29 18576]
R3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\DRIVERS\massfilter.sys [2010-06-10 9216]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-27 1343400]
R3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\DRIVERS\zgwhsdiag.sys [2009-10-28 105216]
R3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\DRIVERS\zgwhsmdm.sys [2009-10-28 105216]
R3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\DRIVERS\zgwhsnmea.sys [2009-10-28 105216]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\DRIVERS\tdrpm258.sys [2010-07-27 911680]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [2010-07-27 2480048]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-08-03 176128]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2010-02-19 380928]
S2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [2010-09-29 1412488]
S2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2010-06-15 26352]
S2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2010-06-15 493032]
S2 VmbService;Vodafone Mobile Broadband Service;c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2010-06-25 9216]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2010-07-27 160704]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-08-03 6096384]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-08-03 214016]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-07 44432]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2010-06-15 35568]
S3 vodafone_K3805-z_dc_enum;vodafone_K3805-z_dc_enum;c:\windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys [2010-03-01 61952]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [2010-04-30 105856]
S3 ZTEusbwwan;ZTE MBN Miniport;c:\windows\system32\DRIVERS\ZTEusbwwan.sys [2010-06-10 194048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: {E481D8DE-43C8-4878-B42D-DD2FAEC18884} = 202.124.65.22 202.124.65.18
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DUMeterSvc]
"ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(856)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
- - - - - - - > 'Explorer.exe'(2940)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\program files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
c:\program files\Common Files\Microsoft Shared\Encarta Search Bar\A\ESBRes.DLL
- - - - - - - > 'csrss.exe'(516)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Acronis\DriveMonitor\adm.exe
.
**************************************************************************
.
Completion time: 2010-11-11 11:40:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-11 01:40
ComboFix2.txt 2010-11-09 21:21
Pre-Run: 310,590,455,808 bytes free
Post-Run: 310,706,073,600 bytes free
- - End Of File - - 7A5DC2DC34D92E2BE90D746632674453
Another long one.
Thanks Dave for your help and time.
Regards, Yves
-
Very good. Now, please run the ESET scan again as outlined in Reply # 30.
-
Hi! Dave,
Here is the result of the ESET Scan.
No threats found
And that is wonderful ;D.
Best regards,
Yves
-
Hi! Guys,
I think it is done and i want to take this opportunity to thanks everyone at Computer Hope for the wonderful
help and the kindness. Particularly Dave for his time helping me to clean up my P.C. from this
nasty virus. I am very grateful to all.
Thanks Guys, i love you all.
Yves from Down under. ;D
-
Ok. That's good news. Let's do some cleanup.
* Click START then RUN - Vista users press the Windows Key and the R keys together for the Run box.
* Now type commy /uninstall in the runbox
* Make sure there's a space between commy and /Uninstall
* Then hit Enter
* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
********************************
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
**************************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
-
Hi! Dave,
Done it all.
Thanks for the finishing touch.
Best regards,
yves