
[Not curable - Ramnit] Font change, FDD access & start bar no response

Discussion in 'Malware and Virus Removal Archive' started by Nigejk, 2010/12/01.

  1. 2010/12/01
    Nigejk

    Nigejk Inactive Thread Starter

    Joined:
    2010/01/21
    Messages:
    33
    Likes Received:
    0
    I have somehow got a virus on my computer and thought I had removed it by using various programs but it still remains.

    Have a dual Xeon workstation running XP SP3.

    Ran Avira after the problem started, which found 8 viruses and fixed them.

    Problem still persisted, so I ran SuperAntiSpyware, but it crashed when nearly finished, having found 4 viruses.

    Have run ComboFix, which found viruses and fixed them, but the problem still persists.

    Have just run HijackThis (see log below).

    At the moment my FDD tries to access every 10 secs and the fonts have all changed; the task / start bar at the bottom of the screen is completely unresponsive to the mouse (am using the Windows key), but programs and the desktop respond to the mouse.

    Here is the HijackThis log; the ComboFix log was too long to put in the post.

    ---------------------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:39:50, on 01/12/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Program Files\Dell\RAID Storage Manager\StorServ.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\Program Files\TalkTalk\bin\sprtsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Documents and Settings\spare 1\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe "
    O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe "
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe "
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\spare 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [{A7AEB066-99F5-82F1-789B-2ABB8B315BF8}] "C:\Documents and Settings\spare 1\Application Data\Hera\syil.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://wow.wiltshire.gov.uk/dana/d...a/term/winlaunchterm.cgi?op=DownloadCitrixCab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1204056491812
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {AD58C149-8AE2-4878-99DC-3A164E32F814} (SAXFileEE FileDownload ActiveX Control) - http://appsnet.bentley.com/myselectcd/SAXFileEE.cab
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
    O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.6.0_04) -
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://wow.wiltshire.gov.uk/dana-cached/setup/JuniperSetupSP1.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate1c9c0f24b9fdc5a) (gupdate1c9c0f24b9fdc5a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: RAID Storage Manager Agent (RAIDStorAgent) - Dell - C:\Program Files\Dell\RAID Storage Manager\StorServ.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
    O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

    --
    End of file - 12425 bytes
     
  2. 2010/12/01
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    Hi,

    Read this post as indicated at the top of this forum & follow the instructions.
     

  4. 2010/12/01
    Nigejk

    Nigejk Inactive Thread Starter

    Joined:
    2010/01/21
    Messages:
    33
    Likes Received:
    0
    Logs as requested :-


    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5225

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    01/12/2010 13:32:33
    mbam-log-2010-12-01 (13-32-33).txt

    Scan type: Quick scan
    Objects scanned: 162110
    Time elapsed: 4 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{A7AEB066-99F5-82F1-789B-2ABB8B315BF8} (Trojan.ZbotR.Gen) -> Value: {A7AEB066-99F5-82F1-789B-2ABB8B315BF8} -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\spare 1\application data\Odumce\uxed.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.



    ----------------------------------------------------------------------------------



    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-01 13:38:18
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17 WDC_WD740GD-00FLX0 rev.20.08U20
    Running: 3yfriwu8.exe; Driver: C:\DOCUME~1\SPARE1~1\LOCALS~1\Temp\aftdqpow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----



    ----------------------------------------------------------------------------------



    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000007d

    Kernel Drivers (total 134):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806FF000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF75F7000 pcndrbvv.sys
    0xF7508000 ACPI.sys
    0xF7989000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF74F7000 pci.sys
    0xF7607000 isapnp.sys
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF7617000 MountMgr.sys
    0xF74D8000 ftdisk.sys
    0xF798B000 dmload.sys
    0xF74B2000 dmio.sys
    0xF770F000 PartMgr.sys
    0xF7627000 VolSnap.sys
    0xF749A000 atapi.sys
    0xF7488000 AFAmgt.sys
    0xF7637000 disk.sys
    0xF7647000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF7468000 fltmgr.sys
    0xF7456000 sr.sys
    0xF7657000 PxHelp20.sys
    0xF743F000 KSecDD.sys
    0xF742C000 WudfPf.sys
    0xF7B52000 Ntfs.sys
    0xF786A000 NDIS.sys
    0xF7667000 RapportKELL.sys
    0xF798D000 \WINDOWS\System32\Drivers\USBD.SYS
    0xBA7E6000 Mup.sys
    0xF76A7000 \SystemRoot\System32\DRIVERS\intelppm.sys
    0xBA5EB000 \SystemRoot\system32\DRIVERS\RT2500.sys
    0xBA5CA000 \SystemRoot\System32\DRIVERS\e1000325.sys
    0xB9EB2000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
    0xB9E9E000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    0xF774F000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xB9E7A000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF7757000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xB9E1D000 \SystemRoot\system32\drivers\cmaudio.sys
    0xB9DF9000 \SystemRoot\system32\drivers\portcls.sys
    0xF76B7000 \SystemRoot\system32\drivers\drmk.sys
    0xB9DD6000 \SystemRoot\system32\drivers\ks.sys
    0xF7777000 \SystemRoot\System32\DRIVERS\fdc.sys
    0xF76C7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7787000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xB9DC2000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF76D7000 \SystemRoot\System32\DRIVERS\serial.sys
    0xF793B000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xF76E7000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF76F7000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF75C6000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xB9D04000 \SystemRoot\system32\drivers\smwdm.sys
    0xF7997000 \SystemRoot\system32\drivers\aeaudio.sys
    0xF7AAA000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF75B6000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF794B000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xB9CED000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF75A6000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF7596000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF77AF000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xB9C3C000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF7586000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF77BF000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF77CF000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xB9C0C000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xF7576000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF77DF000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF799D000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xB9BAE000 \SystemRoot\System32\DRIVERS\update.sys
    0xBA7A2000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF7566000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7556000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xBA776000 \SystemRoot\system32\DRIVERS\gameenum.sys
    0xF77F7000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xF79A7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7A8F000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79AB000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7817000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
    0xF781F000 \SystemRoot\System32\drivers\vga.sys
    0xF79AF000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79B3000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF773F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF775F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB9DB2000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xB79BB000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xB7962000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xB793C000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xB7914000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xF7536000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xB78F2000 \SystemRoot\System32\drivers\afd.sys
    0xBA766000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF776F000 \SystemRoot\System32\Drivers\StarOpen.SYS
    0xF778F000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xB78D0000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0xF7797000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xB78A5000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xB787C000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
    0xF779F000 \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys
    0xBA7BE000 \SystemRoot\System32\DRIVERS\hidusb.sys
    0xBA746000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
    0xB9BAA000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
    0xB7762000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xBA726000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB7746000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xF79BB000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xB9BA2000 \SystemRoot\System32\Drivers\ASPI32.SYS
    0xB9B8A000 \SystemRoot\system32\drivers\usbscan.sys
    0xF77D7000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
    0xB7A62000 \SystemRoot\System32\DRIVERS\mouhid.sys
    0xBA706000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB7706000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF79C1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB7A46000 \SystemRoot\System32\drivers\Dxapi.sys
    0xB7A36000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7ABC000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB7147000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xB7113000 \SystemRoot\system32\DRIVERS\mdc8021x.sys
    0xB7103000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xB6DFA000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xB6CF5000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB6EC7000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB69E7000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB6CF1000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xB67EF000 \??\C:\WINDOWS\System32\drivers\AsfAlrt.sys
    0xB6392000 \SystemRoot\System32\DRIVERS\srv.sys
    0xB58EE000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB43B3000 \??\C:\DOCUME~1\SPARE1~1\LOCALS~1\Temp\aftdqpow.sys
    0xB4388000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 48):
    0 System Idle Process
    4 System
    656 C:\WINDOWS\system32\smss.exe
    704 C:\WINDOWS\system32\csrss.exe
    728 C:\WINDOWS\system32\winlogon.exe
    772 C:\WINDOWS\system32\services.exe
    784 C:\WINDOWS\system32\lsass.exe
    972 C:\WINDOWS\system32\svchost.exe
    1040 C:\WINDOWS\system32\svchost.exe
    1100 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    1148 C:\WINDOWS\system32\svchost.exe
    1196 C:\WINDOWS\system32\svchost.exe
    1324 C:\WINDOWS\system32\svchost.exe
    1372 C:\WINDOWS\system32\svchost.exe
    1544 C:\WINDOWS\system32\spoolsv.exe
    1592 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1632 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1692 C:\WINDOWS\system32\svchost.exe
    240 C:\WINDOWS\explorer.exe
    392 C:\Program Files\Internet Explorer\iexplore.exe
    400 C:\Program Files\Internet Explorer\iexplore.exe
    1472 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    1768 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    1792 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    1884 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    1912 C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    1972 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    172 C:\WINDOWS\system32\ctfmon.exe
    980 C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    2020 C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    1844 C:\Program Files\Bonjour\mDNSResponder.exe
    2116 C:\Program Files\Java\jre6\bin\jqs.exe
    2328 C:\WINDOWS\system32\nvsvc32.exe
    2376 C:\WINDOWS\system32\PnkBstrA.exe
    2504 C:\WINDOWS\system32\PnkBstrB.exe
    2576 C:\Program Files\Dell\RAID Storage Manager\StorServ.exe
    2728 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    2876 C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    3028 C:\Program Files\TalkTalk\bin\sprtsvc.exe
    3128 C:\WINDOWS\system32\svchost.exe
    3424 C:\WINDOWS\system32\wuauclt.exe
    3992 C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    2180 C:\WINDOWS\system32\alg.exe
    2784 C:\Program Files\Internet Explorer\iexplore.exe
    3812 C:\Program Files\Internet Explorer\iexplore.exe
    3980 C:\Program Files\Internet Explorer\iexplore.exe
    2536 C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
    3908 C:\Documents and Settings\spare 1\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
    \\.\G: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD740GD-00FLX0, Rev: 20.08U20
    PhysicalDrive1 Model Number: WDCWD400EB-00CPF0, Rev: 06.04G06
    PhysicalDrive2 Model Number: WD2500JB External, Rev: 0107

    Size Device Name MBR Status
    --------------------------------------------
    69 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    37 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    232 GB \\.\PhysicalDrive2 RE: Unknown MBR code
    SHA1: 2109F29445E77C0BCB56987F39830EB288D04575


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit): 0Dumping \\.\PhysicalDisk0...
    Enter filename to dump to:






    ---------------------------------------------------------------------------------



    DDS (Ver_10-11-27.01) - NTFSx86
    Run by spare 1 at 13:44:17.03 on 01/12/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2546 [GMT 0:00]

    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Program Files\Dell\RAID Storage Manager\StorServ.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\Program Files\TalkTalk\bin\sprtsvc.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Documents and Settings\spare 1\Desktop\dds.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\hyhvjhdj\xcixrpse.exe,
    BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe "
    uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    uRun: [Google Update] "c:\documents and settings\spare 1\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [AdobeBridge]
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe "
    mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe "
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles startup
    dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://wow.wiltshire.gov.uk/dana/download/icaweb.cab?url=/dana/term/winlaunchterm.cgi?op=DownloadCitrixCab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204056491812
    DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {AD58C149-8AE2-4878-99DC-3A164E32F814} - hxxp://appsnet.bentley.com/myselectcd/SAXFileEE.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://wow.wiltshire.gov.uk/dana-cached/setup/JuniperSetupSP1.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\spare1~1\applic~1\mozilla\firefox\profiles\h523k0rr.default\
    FF - component: c:\program files\adobe\adobe contribute cs5\plugins\firefoxplugin\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
    FF - component: c:\program files\nokia\nokia ovi suite\connectors\bookmarks connector\firefoxextension\components\FirefoxExtension.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Extension: Firefox Synchronisation Extension: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70} - c:\program files\nokia\nokia ovi suite\connectors\bookmarks connector\FirefoxExtension
    FF - Extension: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\adobe\adobe contribute cs5\plugins\firefoxplugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\spare1~1\applic~1\mozilla\firefox\profiles\h523k0rr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\docume~1\spare1~1\applic~1\mozilla\firefox\profiles\h523k0rr.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

    ============= SERVICES / DRIVERS ===============

    R0 AFAmgt;AFAmgt;c:\windows\system32\drivers\afamgt.sys [2004-4-21 92411]
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-17 11608]
    R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\19917\RapportCerberus_19917.sys [2010-10-3 34792]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-12-16 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 67656]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-17 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-17 185089]
    R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2004-2-8 118784]
    R2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [2002-12-18 36064]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-17 56816]
    R2 RAIDStorAgent;RAID Storage Manager Agent;c:\program files\dell\raid storage manager\StorServ.exe [2004-6-16 49152]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
    R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
    R3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [2005-1-3 15104]
    S2 gupdate1c9c0f24b9fdc5a;Google Update Service (gupdate1c9c0f24b9fdc5a);c:\program files\google\update\GoogleUpdate.exe [2009-4-19 133104]
    S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\drivers\webc3vid.sys [2008-3-30 166504]
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\belkin\belkin~1.11g\DNINDIS5.SYS [2008-3-30 17149]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2005-1-11 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2005-1-11 8456]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-11-29 137344]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-11-29 8320]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 12872]
    S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]

    =============== File Associations ===============

    .scr=AutoCADScriptFile

    =============== Created Last 30 ================

    2010-12-01 13:20:54 -------- d-----w- c:\program files\hYhvJHDj
    2010-12-01 13:14:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-01 13:14:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-01 10:58:31 -------- d-----w- c:\program files\ICSceRLi%±F‘Ëxcixrpse.exe
    2010-12-01 10:45:51 -------- d-sha-r- C:\cmdcons
    2010-11-30 17:24:19 -------- d-----w- c:\program files\windows
    2010-11-30 17:24:12 -------- d-----w- c:\program files\KgmLJXQS½g³Ã‹xcixrpse.exe
    2010-11-29 13:34:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\NokiaInstallerCache
    2010-11-29 11:05:46 -------- d-----w- c:\program files\PC Connectivity Solution
    2010-11-29 11:05:30 8320 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
    2010-11-29 11:05:30 137344 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
    2010-11-29 11:05:29 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
    2010-11-29 11:05:28 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
    2010-11-29 11:05:28 22528 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
    2010-11-29 11:05:26 662016 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2010-11-29 11:05:26 18176 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
    2010-11-29 11:05:26 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
    2010-11-07 21:23:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
    2010-11-07 21:21:33 -------- d-----w- c:\program files\ZD Soft
    2010-11-07 20:46:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Deskshare
    2010-11-07 20:46:21 -------- d-----w- c:\docume~1\spare1~1\locals~1\applic~1\Xenocode
    2010-11-07 20:46:20 -------- d-----w- c:\program files\Xenocode
    2010-11-07 09:09:23 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-11-06 13:04:10 1414440 ----a-w- c:\windows\system32\ShellManager310E2D762.dll
    2010-11-06 12:47:11 -------- d-----w- c:\docume~1\spare1~1\applic~1\Yqkyca
    2010-11-03 19:57:29 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2010-11-03 19:57:28 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll

    ==================== Find3M ====================

    2010-11-08 01:20:24 89088 ----a-w- c:\windows\MBR.exe
    2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ------w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

    ============= FINISH: 13:45:10.51 ===============






    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-27.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 03/01/2005 13:48:35
    System Uptime: 12/01/2010 13:33:47 (7752 hours ago)

    Motherboard: Dell Inc. | | 0P7996
    Processor: Intel(R) Xeon(TM) CPU 2.80GHz | Microprocessor | 2793/800mhz
    Processor: Intel(R) Xeon(TM) CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 69 GiB total, 11.398 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is FIXED (NTFS) - 37 GiB total, 21.714 GiB free.
    G: is FIXED (NTFS) - 233 GiB total, 80.54 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP60: 24/10/2010 14:16:46 - System Checkpoint
    RP61: 24/10/2010 20:00:55 - Software Distribution Service 3.0
    RP62: 26/10/2010 09:14:59 - System Checkpoint
    RP63: 27/10/2010 11:35:11 - System Checkpoint
    RP64: 28/10/2010 12:20:37 - System Checkpoint
    RP65: 29/10/2010 12:48:14 - System Checkpoint
    RP66: 29/10/2010 16:40:22 - Printer Driver Microsoft Office Document Image Writer Installed
    RP67: 30/10/2010 17:49:31 - System Checkpoint
    RP68: 31/10/2010 17:03:52 - System Checkpoint
    RP69: 01/11/2010 17:24:32 - System Checkpoint
    RP70: 02/11/2010 17:47:02 - System Checkpoint
    RP71: 04/11/2010 13:04:36 - System Checkpoint
    RP72: 05/11/2010 17:16:31 - System Checkpoint
    RP73: 06/11/2010 12:53:02 - Removed IES VE-Ware/Toolkits 5.9
    RP74: 06/11/2010 12:56:23 - Removed MobileMe Control Panel
    RP75: 06/11/2010 13:02:49 - Removed Nero 8
    RP76: 06/11/2010 13:07:04 - Removed Recovery for PowerPoint
    RP77: 07/11/2010 09:00:35 - Removed V-Ray for SketchUp
    RP78: 07/11/2010 09:04:24 - Removed EASYnat for 3ds Max 9
    RP79: 07/11/2010 09:05:16 - Removed Samsung PC Studio 3
    RP80: 08/11/2010 09:12:54 - System Checkpoint
    RP81: 09/11/2010 10:27:29 - System Checkpoint
    RP82: 10/11/2010 10:37:53 - System Checkpoint
    RP83: 10/11/2010 20:00:37 - Software Distribution Service 3.0
    RP84: 15/11/2010 20:25:34 - System Checkpoint
    RP85: 17/11/2010 08:38:18 - System Checkpoint
    RP86: 18/11/2010 08:57:39 - System Checkpoint
    RP87: 19/11/2010 10:37:54 - System Checkpoint
    RP88: 20/11/2010 11:27:35 - System Checkpoint
    RP89: 21/11/2010 19:31:54 - System Checkpoint
    RP90: 22/11/2010 20:18:45 - System Checkpoint
    RP91: 24/11/2010 09:54:55 - System Checkpoint
    RP92: 25/11/2010 15:12:05 - System Checkpoint
    RP93: 27/11/2010 08:10:06 - System Checkpoint
    RP94: 28/11/2010 08:45:27 - System Checkpoint
    RP95: 29/11/2010 09:58:39 - System Checkpoint
    RP96: 30/11/2010 10:23:12 - System Checkpoint
    RP97: 01/12/2010 12:18:46 - System Checkpoint

    ==== Installed Programs ======================

    3dsmax ancillary install
    7-Zip 4.57
    AC3Filter (remove only)
    Add or Remove Adobe Creative Suite 3 Design Premium
    Adobe Acrobat 8 Professional
    Adobe Acrobat 8.1.4 Professional
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Community Help
    Adobe Creative Suite 3 Design Premium
    Adobe Creative Suite 5 Master Collection
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe Media Player
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 8.1.4
    Adobe Setup
    Adobe SING CS3
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WAS CS3
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    AHV content for Acrobat and Flash
    Apple Mobile Device Support
    Apple Software Update
    AutoCAD 2008 - English
    Autodesk 3ds Max 9 32-bit
    Autodesk Design Review 2010
    Autodesk Ecotect v5.60 (rc2)
    Avira AntiVir Personal - Free Antivirus
    Backburner
    BBC iPlayer Download Manager
    Belkin 802.11g Wireless PCI Card
    Bentley Architecture US Ncs Dataset V8 XM Edition (V 08.09.04.09) - 1
    Bentley Architecture V8 XM Edition (V 08.09.04.33) - 1
    Bentley MicroStation V8 XM Edition 08.09.04.51
    Bentley MicroStation V8i 08.11.05.17
    Bentley TriForma V8 XM Edition (V 08.09.04.63) - 1
    Bing Maps 3D
    Bonjour
    Canon Utilities PhotoStitch 3.1
    Citrix Presentation Server Web Client for Win32
    Company of Heroes
    Company of Heroes - FAKEMSI
    Convert AVI to MP4 1.3
    Critical Update for Windows Media Player 11 (KB959772)
    Dell ResourceCD
    Disk Heal
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Setup
    DivX Version Checker
    Drive Rescue 1.9
    EASEUS Partition Master 6.0.1 Professional
    EPSON Printer Software
    Express Burn Disc Burning Software
    FBX Plugin 2006.08 for Max 9.0
    GameSpy Arcade
    Gamesurround Muse 5.1 DVD - User Manual
    Google Chrome
    Google Earth
    Google SketchUp 6
    Google SketchUp 6 Exporters
    Google SketchUp 7
    Google SketchUp LayOut 6
    Google SketchUp Pro 6
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    Hearts of Iron 2
    High Definition Audio Driver Package - KB888111
    Hotfix 4 for PSfA 1.0.1
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    IDrop
    Intel (R) Pro Alerting Agent
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    InterpOSe for Digimap v4.6 From Dotted Eyes
    Java(TM) 6 Update 17
    Juniper Citrix Services Client
    Juniper Networks Host Checker
    Juniper Networks Setup Client
    Juniper Networks Setup Client Activex Control
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Professional 2007 Trial
    Microsoft Office Professional Edition 2003
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.7
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Mozilla Firefox (3.6.12)
    MSVC80_x86_v2
    MSVC90_x86
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB933579)
    MUSTEK 1200 UB v2.1
    neroxml
    Nokia Connectivity Cable Driver
    Nokia Ovi Suite
    Nokia Ovi Suite Software Updater
    Nokia Software Updater
    nokian95
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    Ovi Desktop Sync Engine
    OviMPlatform
    Paint Shop Pro 7 ESD
    PC Connectivity Solution
    PCI Audio Driver
    PDF Settings
    PDF Settings CS5
    PhotoStitch
    Picasa 3
    PunkBuster Services
    PxMergeModule
    Quake Live Internet Explorer Plugin
    QuickTime
    RAID Storage Manager
    Rapport
    RarZilla Free Unrar 2.52
    RealPlayer
    Realtek AC'97 Audio
    Realtek High Definition Audio Driver
    Runtime 8.0 Libraries
    SAMSUNG CDMA Modem Driver Set
    SAMSUNG Mobile Composite Device Software
    SAMSUNG Mobile Modem Driver Set
    Samsung Mobile phone USB driver Software
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung PC Studio 3 USB Driver Installer
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB2288953)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 8 (KB917734)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB913433)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SIW version 2008-12-16
    SoundMAX
    SUPERAntiSpyware Free Edition
    TalkTalk Assist & Go
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Outlook 2007 Junk Email Filter (KB2443839)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    V-Ray for SketchUp
    VBA (2627.01)
    VC80CRTRedist - 8.0.50727.4053
    VCRedistSetup
    VideoLAN VLC media player 0.8.6e
    Visual Basic for Applications (R) Core
    Visual Basic for Applications (R) Core - English
    WavePad Sound Editor
    WebCam Monitor
    WebFldrs XP
    WinAce Archiver 2.0
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinTar ver 3.0 Build 1500
    XML Paper Specification Shared Components Pack 1.0
    Xvid 1.2.1 final uninstall
    ZD Soft Screen Recorder 4.1.3.0

    ==== Event Viewer Messages From Past Week ========

    26/11/2010 08:32:55, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
    26/11/2010 08:31:29, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00115090C274 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    25/11/2010 11:09:29, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00115090C274. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    01/12/2010 13:34:20, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    01/12/2010 13:18:08, error: Service Control Manager [7034] - The SupportSoft Sprocket Service (TalkTalk) service terminated unexpectedly. It has done this 1 time(s).
    01/12/2010 13:18:08, error: Service Control Manager [7034] - The RAID Storage Manager Agent service terminated unexpectedly. It has done this 1 time(s).
    01/12/2010 13:18:08, error: Service Control Manager [7034] - The FLEXnet Licensing Service service terminated unexpectedly. It has done this 1 time(s).
    01/12/2010 13:18:07, error: Service Control Manager [7034] - The spkrmon service terminated unexpectedly. It has done this 1 time(s).
    01/12/2010 13:18:07, error: Service Control Manager [7034] - The PnkBstrB service terminated unexpectedly. It has done this 1 time(s).
    01/12/2010 13:18:07, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
    01/12/2010 13:18:07, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    01/12/2010 13:18:07, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    01/12/2010 13:18:07, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    01/12/2010 13:18:07, error: Service Control Manager [7034] - The Autodesk Licensing Service service terminated unexpectedly. It has done this 1 time(s).
    01/12/2010 13:18:07, error: Service Control Manager [7034] - The ASF Agent service terminated unexpectedly. It has done this 1 time(s).
    01/12/2010 11:11:23, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ASPI32 avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss SASDIFSV SASKUTIL ssmdrv StarOpen Tcpip
    01/12/2010 11:11:23, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    01/12/2010 11:11:23, error: Service Control Manager [7001] - The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error: A device attached to the system is not functioning.
    01/12/2010 11:11:23, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    01/12/2010 11:11:23, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    01/12/2010 11:11:23, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    01/12/2010 11:11:23, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    01/12/2010 11:10:48, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    01/12/2010 11:10:48, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    01/12/2010 08:24:23, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.

    ==== End Of File ===========================
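
    The "Event Viewer Messages From Past Week" block above is the part of this log a malware helper reads first, because a single event 7026 listing both the core networking drivers (AFD, Tcpip, NetBT, IPSec, MRxSmb) and the security-product drivers (Avira's avgio/avipbb/ssmdrv, SUPERAntiSpyware's SASDIFSV/SASKUTIL) as "failed to load" explains the dependency failures (7001) that follow it. The script below is an added example, not code from this thread, from WindowsBBS, or from DDS/ComboFix: it parses lines in the DDS format shown above and summarises them into that triage view. The sample input is a subset of the event lines posted above; the driver-to-product classification sets are an assumption for this example (the SUPERAntiSpyware and Avira ownership of those driver names is visible in the log itself), and the "crash storm" threshold of three services is an arbitrary choice.

```python
"""Triage helper for DDS/ComboFix-style 'Event Viewer Messages' blocks.

Added example, not part of the forum thread or of any tool it mentions.
Parses lines of the form
    DD/MM/YYYY HH:MM:SS, error: Source [ID] - message
and summarises what a helper looks for first: boot-start drivers that
failed to load (event 7026) and which of them belong to security products
or to the core networking stack, plus mass service terminations (7034).
"""
import re
from collections import Counter
from datetime import datetime

# Subset of the event lines posted in the log above, used as sample input.
SAMPLE_EVENTS = """\
26/11/2010 08:32:55, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
01/12/2010 13:18:08, error: Service Control Manager [7034] - The SupportSoft Sprocket Service (TalkTalk) service terminated unexpectedly. It has done this 1 time(s).
01/12/2010 13:18:07, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
01/12/2010 13:18:07, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
01/12/2010 11:11:23, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ASPI32 avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss SASDIFSV SASKUTIL ssmdrv StarOpen Tcpip
01/12/2010 11:11:23, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
01/12/2010 08:24:23, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)

# Assumed classification for this example (lower-case driver names).
# avgio/avipbb/ssmdrv are Avira, SASDIFSV/SASKUTIL are SUPERAntiSpyware.
SECURITY_DRIVERS = {"avgio", "avipbb", "ssmdrv", "sasdifsv", "saskutil"}
NETWORK_DRIVERS = {"afd", "tcpip", "netbt", "netbios", "ipsec", "mrxsmb", "rdbss", "rasacd"}


def parse_events(text):
    """Return one dict per well-formed event line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["id"] = int(ev["id"])
        ev["when"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%d/%m/%Y %H:%M:%S")
        events.append(ev)
    return events


def failed_boot_drivers(events):
    """Driver names from every 7026 event, lower-cased, in log order."""
    drivers = []
    for ev in events:
        if ev["id"] == 7026 and "failed to load:" in ev["msg"]:
            drivers.extend(ev["msg"].split("failed to load:", 1)[1].split())
    return [d.lower() for d in drivers]


def crashed_services(events):
    """Service names from 7034 'terminated unexpectedly' events, in log order."""
    names = []
    for ev in events:
        if ev["id"] == 7034:
            m = re.match(r"The (.+?) service terminated unexpectedly", ev["msg"])
            if m:
                names.append(m.group(1))
    return names


def triage(text):
    """Summarise the block into the facts a helper wants before the next step."""
    events = parse_events(text)
    failed = failed_boot_drivers(events)
    crashed = crashed_services(events)
    return {
        "events": len(events),
        "counts_by_event_id": dict(Counter(ev["id"] for ev in events)),
        "failed_boot_drivers": failed,
        "security_drivers_failed": sorted(d for d in failed if d in SECURITY_DRIVERS),
        "network_drivers_failed": sorted(d for d in failed if d in NETWORK_DRIVERS),
        "crashed_services": crashed,
        # Several services dying together points at a mass termination,
        # not one faulty service; the threshold of 3 is an assumption.
        "crash_storm": len(crashed) >= 3,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

    Run against the full block above, the summary shows the two facts worth acting on: the security drivers and the networking drivers failed to load in the same 7026 event, and the 7034 terminations all fall within one second, which is why the helper asks for a fresh ComboFix run rather than chasing the individual service errors.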
     
  5. 2010/12/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Hello :)

    I can see you left this thread in the middle of the cleaning process: http://www.windowsbbs.com/malware-virus-removal/92673-inactive-xp-antivirus-ave-exe.html
    If it happens again, you may not be able to receive any more help in the malware forum.
    Our time is too valuable.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled, as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. 2010/12/02
    Nigejk

    Nigejk Inactive Thread Starter

    Joined:
    2010/01/21
    Messages:
    33
    Likes Received:
    0
    My computer stopped powering up for a while; I tinkered and removed different bits of hardware and eventually it started up. When I got it going, Avira found the Kill.exe virus. I denied access and it carried on OK, but after a couple of minutes it died again and will not power up again. So consequently I do not have a combofix log yet.

    When I power it up, the fans whir and after 5 seconds it turns itself off. Could this be related to the virus?

    When/if I can get it to boot next, I will run it straight in safe mode.

    Nigel..
     
  7. 2010/12/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm not sure. We can check something though...

    Let's see if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked "Do you wish to load the remote registry", select Yes
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have an internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  8. 2010/12/03
    Nigejk

    Nigejk Inactive Thread Starter

    Joined:
    2010/01/21
    Messages:
    33
    Likes Received:
    0
    Have managed to get the computer to start after much tinkering. I have booted from the CD created and run the scan. I have the OTL text file, but it is 10x as big as the maximum post, so I have not posted it. Is there any part of it that is required?

    I think that the powering up issue may have been the PSU being overwhelmed with dust, from the tinkering I did to get it going.

    Nigel..
     
  9. 2010/12/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    If your computer is bootable now, proceed with my reply #4.
     
  10. 2010/12/04
    Nigejk

    Nigejk Inactive Thread Starter

    Joined:
    2010/01/21
    Messages:
    33
    Likes Received:
    0
    Ran combofix the first time and it said a robor running. Wouldn't run a couple of times due to freezing. Ran in safe mode. Log below:

    ComboFix 10-12-03.01 - spare 1 04/12/2010 12:50:20.9.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2963 [GMT 0:00]
    Running from: c:\documents and settings\spare 1\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\spare 1\Application Data\Byib
    c:\documents and settings\spare 1\Application Data\Byib\mufo.exe
    c:\documents and settings\spare 1\Application Data\Ocde
    c:\documents and settings\spare 1\Application Data\Ocde\upys.exe
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat
    .
    ---- Previous Run -------
    .
    c:\documents and settings\spare 1\Application Data\Itekus\rahe.exe
    c:\documents and settings\spare 1\Application Data\Koyg\soyq.exe
    c:\program files\Adobe\Acrobat 8.0\Designer 8.0\jfsoap.dll
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat
    c:\windows\sysdat.dll
    c:\windows\system\winspool.drv
    c:\windows\system32\e1000msg.dll

    -- Previous Run --

    Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll

    --------

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))
    .

    2010-12-01 15:20 . 2010-12-01 15:20 -------- d-----w- c:\documents and settings\spare 1\NCH.Express.Burn.v4.39.WORKING.READ.NFO.WinAll-LAXiTY[1]
    2010-12-01 14:43 . 2010-12-01 15:05 -------- d-----w- c:\documents and settings\spare 1\Local Settings\Application Data\FLVService
    2010-12-01 14:43 . 2010-12-01 14:43 -------- d-----w- c:\program files\Freecorder
    2010-12-01 14:43 . 2010-12-01 14:43 -------- d-----w- c:\windows\Freecorder
    2010-12-01 13:20 . 2010-12-01 13:20 -------- d-----w- c:\program files\hYhvJHDj
    2010-12-01 13:14 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-01 13:14 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-01 10:58 . 2010-12-01 10:58 -------- d-----w- c:\program files\ICSceRLi%±F‘Ëxcixrpse.exe
    2010-11-30 17:24 . 2005-01-03 11:18 -------- d-----w- c:\program files\windows
    2010-11-30 17:24 . 2010-11-30 17:24 -------- d-----w- c:\program files\KgmLJXQS½g³Ã‹xcixrpse.exe
    2010-11-29 13:34 . 2010-11-29 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaInstallerCache
    2010-11-29 11:05 . 2010-11-29 11:05 -------- d-----w- c:\program files\PC Connectivity Solution
    2010-11-29 11:05 . 2010-02-26 14:21 8320 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
    2010-11-29 11:05 . 2010-02-26 14:21 137344 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
    2010-11-29 11:05 . 2010-02-26 14:32 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
    2010-11-29 11:05 . 2010-02-26 14:32 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
    2010-11-29 11:05 . 2010-02-26 14:32 22528 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
    2010-11-29 11:05 . 2010-02-26 14:32 662016 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2010-11-29 11:05 . 2010-02-26 14:32 18176 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
    2010-11-29 11:05 . 2010-02-26 14:19 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
    2010-11-07 21:23 . 2010-11-07 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    2010-11-07 21:21 . 2010-11-07 21:21 -------- d-----w- c:\program files\ZD Soft
    2010-11-07 20:46 . 2010-11-07 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Deskshare
    2010-11-07 20:46 . 2010-11-07 20:46 -------- d-----w- c:\documents and settings\spare 1\Local Settings\Application Data\Xenocode
    2010-11-07 20:46 . 2010-11-07 20:46 -------- d-----w- c:\program files\Xenocode
    2010-11-07 09:09 . 2010-11-07 09:09 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-11-06 13:04 . 2008-02-28 12:26 1414440 ----a-w- c:\windows\system32\ShellManager310E2D762.dll
    2010-11-06 12:47 . 2010-12-01 08:22 -------- d-----w- c:\documents and settings\spare 1\Application Data\Yqkyca

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-03 23:43 . 2010-10-03 23:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2010-09-18 11:23 . 2002-09-03 19:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2002-09-03 19:44 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2002-09-03 19:44 954368 ------w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2002-09-03 19:44 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2006-06-23 11:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2002-09-03 19:42 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2002-09-03 19:40 1469440 ------w- c:\windows\system32\inetcpl.cpl
    .
    c:\program files\Microsoft Office\OFFICE11\OUrtTLOOK .EXE
    c:\program files\Microsoft Office\OFFICE11\OUTLOOK .EXE
    ((((((((((((((((((((((((((((( SnapShot_2010-12-01_11.23.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-01-03 05:40 . 2008-04-14 00:12 146432 c:\windows\system32\dllcache\winspool.drv
    + 2010-12-01 14:43 . 2010-12-01 14:43 473600 c:\windows\Freecorder\uninstall.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-18 68856]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [N/A]
    "Google Update "= "c:\documents and settings\spare 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-02 135664]
    "AdobeBridge "=" " [N/A]
    "{A7AEB066-99F5-82F1-789B-2ABB8B315BF8} "= "c:\documents and settings\spare 1\Application Data\Byib\mufo.exe" [N/A]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer "= "c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "Acrobat Assistant 8.0 "= "c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "avgnt "= "c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-02-01 8523776]
    "AdobeAAMUpdater-1.0 "= "c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "AdobeCS5ServiceManager "= "c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
    "SwitchBoard "= "c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "NBKeyScan "= "c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [N/A]
    "DivXUpdate "= "c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
    "Freecorder FLV Service "= "c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe "=
    "c:\\Program Files\\Autodesk\\Backburner\\monitor.exe "=
    "c:\\Program Files\\Autodesk\\Backburner\\manager.exe "=
    "c:\\Program Files\\Autodesk\\Backburner\\server.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe "=
    "c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe "=
    "c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe "=
    "c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe "=
    "c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\GameSpy Arcade\\Aphex.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "c:\\WINDOWS\\system32\\javaw.exe "=
    "c:\\Documents and Settings\\spare 1\\Application Data\\Juniper Networks\\Juniper Citrix Services Client\\dsCitrixProxy.exe "=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe "=
    "c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe "=
    "c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "14400:TCP "= 14400:TCP:Service
    "14416:TCP "= 14416:TCP:Service

    R0 AFAmgt;AFAmgt;c:\windows\system32\drivers\afamgt.sys [21/04/2004 11:36 92411]
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
    S1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 23:54 34792]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [16/12/2009 16:26 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 67656]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [17/12/2009 19:35 108289]
    S2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [08/02/2004 16:02 118784]
    S2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [18/12/2002 12:31 36064]
    S2 gupdate1c9c0f24b9fdc5a;Google Update Service (gupdate1c9c0f24b9fdc5a);c:\program files\Google\Update\GoogleUpdate.exe [19/04/2009 13:25 133104]
    S2 RAIDStorAgent;RAID Storage Manager Agent;c:\program files\Dell\RAID Storage Manager\StorServ.exe [16/06/2004 22:10 49152]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 23:43 767208]
    S2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]
    S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\drivers\webc3vid.sys [30/03/2008 19:35 166504]
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [30/03/2008 08:45 17149]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [11/01/2005 19:55 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [11/01/2005 19:55 8456]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [29/11/2010 11:05 137344]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [29/11/2010 11:05 8320]
    S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [03/01/2005 17:08 15104]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 12872]
    S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 12:37 517096]
    S3 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-01 c:\windows\Tasks\AdobeAAMUpdater-1.0-NIGEJK-spare 1.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-10-10 02:44]

    2010-12-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    2010-12-01 c:\windows\Tasks\expressburnDowngrade.job
    - c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-10-31 13:50]

    2005-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-19 13:25]

    2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-19 13:25]

    2010-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1844237615-839522115-1008Core.job
    - c:\documents and settings\spare 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-30 19:14]

    2010-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1844237615-839522115-1008UA.job
    - c:\documents and settings\spare 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-30 19:14]

    2010-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1844237615-839522115-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-30 19:14]

    2010-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1844237615-839522115-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-30 19:14]

    2005-01-03 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

    2010-12-01 c:\windows\Tasks\User_Feed_Synchronization-{1D55DF3C-391C-48BC-9A3A-50487986C23F}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 04:31]

    2010-10-09 c:\windows\Tasks\wavepadShakeIcon.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-10-06 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {AD58C149-8AE2-4878-99DC-3A164E32F814} - hxxp://appsnet.bentley.com/myselectcd/SAXFileEE.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    FF - ProfilePath - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Freecorder Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT1060933&SearchSource=13
    FF - component: c:\program files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
    FF - component: c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\components\FirefoxExtension.dll
    FF - plugin: c:\documents and settings\spare 1\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npContribute.dll
    FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Firefox Synchronisation Extension: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70} - c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension
    FF - Extension: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Extension: Conduit Engine : engine@conduit.com - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\extensions\engine@conduit.com
    FF - Extension: Freecorder Community Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
    .
    .
    ------- File Associations -------
    .
    .scr=AutoCADScriptFile
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-04 12:59
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\documents and settings\spare 1\Start Menu\Programs\Startup\xcixrpse.exe 67086 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-343818398-1844237615-839522115-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "?? "=hex:97,ab,cc,a8,20,3f,eb,79,c8,31,62,a4,2a,fc,68,ee,d5,ef,a4,f8,16,eb,5a,
    69,27,ff,43,2a,99,1b,4f,74,be,9a,b7,24,71,17,fb,b4,00,55,a6,ce,16,a2,55,49,\
    "?? "=hex:6d,77,c1,5e,09,b0,35,eb,ea,b5,6c,b2,8e,1f,6c,34

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    Completion time: 2010-12-04 13:01:55
    ComboFix-quarantined-files.txt 2010-12-04 13:01
    ComboFix2.txt 2010-12-01 11:26
    ComboFix3.txt 2010-12-01 11:03
    ComboFix4.txt 2010-08-19 06:45
    ComboFix5.txt 2005-01-03 10:52

    Pre-Run: 11,967,795,200 bytes free
    Post-Run: 11,946,139,648 bytes free

    - - End Of File - - 1B29B33394A5335153BBC63DE443FFF6
     
  11. 2010/12/04
    broni (Moderator, Malware Analyst)

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\program files\ICSceRLi%±F‘Ëxcixrpse.exe
    c:\program files\KgmLJXQS½g³Ã‹xcixrpse.exe

    Folder::
    c:\program files\hYhvJHDj
    c:\documents and settings\spare 1\Application Data\Yqkyca

    RenV::
    c:\program files\Microsoft Office\OFFICE11\OUrtTLOOK .EXE
    c:\program files\Microsoft Office\OFFICE11\OUTLOOK .EXE

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AdobeBridge"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-

    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    6. After reboot (in case it asks to reboot), please post the following report/log into your next reply:
    • Combofix.txt
     
  12. 2010/12/04
    Nigejk (Thread Starter)

    Had a few problems running combofix with the cfscript. Kept getting "Not enough main memory to complete the sort" and then freezing at various points of the process. Eventually got it to work in safe mode. Here is the log



    ComboFix 10-12-03.03 - Administrator 05/12/2010 1:38.11.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.2992 [GMT 0:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    FILE ::
    "c:\program files\ICSceRLi%±F‘Ëxcixrpse.exe "
    "c:\program files\KgmLJXQS½g³Ã‹xcixrpse.exe "
    .
    /wow section - STAGE 8
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.

    /wow section - STAGE 10

    /wow section - STAGE 17
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The system cannot find the path specified.
    The process cannot access the file because it is being used by another process.

    /wow section - STAGE 23
    The process cannot access the file because it is being used by another process.


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\spare 1\Application Data\Qaapz
    c:\documents and settings\spare 1\Application Data\Qaapz\lyurg.exe
    c:\documents and settings\spare 1\Application Data\Yqkyca
    c:\documents and settings\spare 1\Local Settings\temp\NEventMessages.dll
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-05 to 2010-12-05 )))))))))))))))))))))))))))))))
    .

    2010-12-04 23:36 . 2010-12-04 23:36 -------- d-----w- c:\program files\iklfyTIL
    2010-12-01 15:20 . 2010-12-01 15:20 -------- d-----w- c:\documents and settings\spare 1\NCH.Express.Burn.v4.39.WORKING.READ.NFO.WinAll-LAXiTY[1]
    2010-12-01 14:43 . 2010-12-01 15:05 -------- d-----w- c:\documents and settings\spare 1\Local Settings\Application Data\FLVService
    2010-12-01 14:43 . 2010-12-01 14:43 -------- d-----w- c:\program files\Freecorder
    2010-12-01 14:43 . 2010-12-01 14:43 -------- d-----w- c:\windows\Freecorder
    2010-12-01 13:20 . 2010-12-01 13:20 -------- d-----w- c:\program files\hYhvJHDj
    2010-12-01 13:14 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-01 13:14 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-01 10:58 . 2010-12-01 10:58 -------- d-----w- c:\program files\ICSceRLi%±F‘Ëxcixrpse.exe
    2010-11-30 17:24 . 2010-12-05 01:03 -------- d-----w- c:\program files\windows
    2010-11-30 17:24 . 2010-11-30 17:24 -------- d-----w- c:\program files\KgmLJXQS½g³Ã‹xcixrpse.exe
    2010-11-29 13:34 . 2010-11-29 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaInstallerCache
    2010-11-29 11:05 . 2010-11-29 11:05 -------- d-----w- c:\program files\PC Connectivity Solution
    2010-11-29 11:05 . 2010-02-26 14:21 8320 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
    2010-11-29 11:05 . 2010-02-26 14:21 137344 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
    2010-11-29 11:05 . 2010-02-26 14:32 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
    2010-11-29 11:05 . 2010-02-26 14:32 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
    2010-11-29 11:05 . 2010-02-26 14:32 22528 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
    2010-11-29 11:05 . 2010-02-26 14:32 662016 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2010-11-29 11:05 . 2010-02-26 14:32 18176 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
    2010-11-29 11:05 . 2010-02-26 14:19 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
    2010-11-07 21:23 . 2010-11-07 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    2010-11-07 21:21 . 2010-11-07 21:21 -------- d-----w- c:\program files\ZD Soft
    2010-11-07 20:46 . 2010-11-07 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Deskshare
    2010-11-07 20:46 . 2010-11-07 20:46 -------- d-----w- c:\documents and settings\spare 1\Local Settings\Application Data\Xenocode
    2010-11-07 20:46 . 2010-11-07 20:46 -------- d-----w- c:\program files\Xenocode
    2010-11-07 09:09 . 2010-11-07 09:09 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-11-06 13:04 . 2008-02-28 12:26 1414440 ----a-w- c:\windows\system32\ShellManager310E2D762.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-03 23:43 . 2010-10-03 23:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2010-09-18 11:23 . 2002-09-03 19:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2002-09-03 19:44 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2002-09-03 19:44 954368 ------w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2002-09-03 19:44 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2006-06-23 11:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2002-09-03 19:42 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2002-09-03 19:40 1469440 ------w- c:\windows\system32\inetcpl.cpl
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-12-01_11.23.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-01-03 05:40 . 2008-04-14 00:12 146432 c:\windows\system32\dllcache\winspool.drv
    + 2010-12-01 14:43 . 2010-12-01 14:43 473600 c:\windows\Freecorder\uninstall.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-18 68856]
    "Google Update "= "c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-02 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer "= "c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "Acrobat Assistant 8.0 "= "c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "avgnt "= "c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-02-01 8523776]
    "AdobeAAMUpdater-1.0 "= "c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "AdobeCS5ServiceManager "= "c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
    "SwitchBoard "= "c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "DivXUpdate "= "c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
    "Freecorder FLV Service "= "c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe "=
    "c:\\Program Files\\Autodesk\\Backburner\\monitor.exe "=
    "c:\\Program Files\\Autodesk\\Backburner\\manager.exe "=
    "c:\\Program Files\\Autodesk\\Backburner\\server.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe "=
    "c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe "=
    "c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe "=
    "c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe "=
    "c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\GameSpy Arcade\\Aphex.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "c:\\WINDOWS\\system32\\javaw.exe "=
    "c:\\Documents and Settings\\spare 1\\Application Data\\Juniper Networks\\Juniper Citrix Services Client\\dsCitrixProxy.exe "=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe "=
    "c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe "=
    "c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "14400:TCP "= 14400:TCP:Service
    "14416:TCP "= 14416:TCP:Service

    R0 AFAmgt;AFAmgt;c:\windows\system32\drivers\afamgt.sys [21/04/2004 11:36 92411]
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
    S1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 23:54 34792]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [16/12/2009 16:26 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 67656]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [17/12/2009 19:35 108289]
    S2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [08/02/2004 16:02 118784]
    S2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [18/12/2002 12:31 36064]
    S2 gupdate1c9c0f24b9fdc5a;Google Update Service (gupdate1c9c0f24b9fdc5a);c:\program files\Google\Update\GoogleUpdate.exe [19/04/2009 13:25 133104]
    S2 RAIDStorAgent;RAID Storage Manager Agent;c:\program files\Dell\RAID Storage Manager\StorServ.exe [16/06/2004 22:10 49152]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 23:43 767208]
    S2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]
    S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\drivers\webc3vid.sys [30/03/2008 19:35 166504]
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [30/03/2008 08:45 17149]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [11/01/2005 19:55 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [11/01/2005 19:55 8456]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [29/11/2010 11:05 137344]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [29/11/2010 11:05 8320]
    S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [03/01/2005 17:08 15104]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 12872]
    S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 12:37 517096]
    S3 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-01 c:\windows\Tasks\AdobeAAMUpdater-1.0-NIGEJK-spare 1.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-10-10 02:44]

    2010-12-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    2010-12-01 c:\windows\Tasks\expressburnDowngrade.job
    - c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-10-31 13:50]

    2010-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-19 13:25]

    2010-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-19 13:25]

    2010-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1844237615-839522115-1008Core.job
    - c:\documents and settings\spare 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-30 19:14]

    2010-12-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1844237615-839522115-1008UA.job
    - c:\documents and settings\spare 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-30 19:14]

    2010-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1844237615-839522115-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-30 19:14]

    2010-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1844237615-839522115-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-30 19:14]

    2010-12-05 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

    2010-12-04 c:\windows\Tasks\User_Feed_Synchronization-{1D55DF3C-391C-48BC-9A3A-50487986C23F}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 04:31]

    2010-10-09 c:\windows\Tasks\wavepadShakeIcon.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-10-06 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {AD58C149-8AE2-4878-99DC-3A164E32F814} - hxxp://appsnet.bentley.com/myselectcd/SAXFileEE.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    FF - ProfilePath - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Freecorder Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT1060933&SearchSource=13
    FF - component: c:\program files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
    FF - component: c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\components\FirefoxExtension.dll
    FF - plugin: c:\documents and settings\spare 1\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npContribute.dll
    FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Firefox Synchronisation Extension: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70} - c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension
    FF - Extension: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Extension: Conduit Engine : engine@conduit.com - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\extensions\engine@conduit.com
    FF - Extension: Freecorder Community Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    HKCU-Run-kdx - c:\program files\Kontiki\KHost.exe
    HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-05 01:48
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwQueryDirectoryFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\documents and settings\spare 1\Start Menu\Programs\Startup\xcixrpse.exe 67086 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-343818398-1844237615-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,15,34,9e,10,dd,4b,26,49,83,f6,96,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,15,34,9e,10,dd,4b,26,49,83,f6,96,\

    [HKEY_USERS\S-1-5-21-343818398-1844237615-839522115-500\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    Completion time: 2010-12-05 01:51:46
    ComboFix-quarantined-files.txt 2010-12-05 01:51
    ComboFix2.txt 2010-12-04 13:01
    ComboFix3.txt 2010-12-01 11:26
    ComboFix4.txt 2010-12-01 11:03
    ComboFix5.txt 2010-12-04 23:42

    Pre-Run: 15,608,504,320 bytes free
    Post-Run: 15,579,922,432 bytes free

    - - End Of File - - AC171B432A06E61562D0BA579CA26576
     
  13. 2010/12/04
    broni (Moderator, Malware Analyst)

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\program files\ICSceRLi%±F‘Ëxcixrpse.exe
    c:\program files\KgmLJXQS½g³Ã‹xcixrpse.exe
    c:\documents and settings\spare 1\Start Menu\Programs\Startup\xcixrpse.exe
    
    
    Folder::
    c:\program files\iklfyTIL
    c:\program files\hYhvJHDj
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    6. After reboot (in case it asks to reboot), please post the following report/log into your next reply:
    • Combofix.txt
     
  14. 2010/12/05
    Nigejk (Thread Starter)

    Ran it in safe mode again as it crashed in normal. It always seems to want to download an updated version when I run it in normal mode despite having just downloaded the latest from the website.

    Log:



    ComboFix 10-12-03.03 - spare 1 05/12/2010 8:24.12.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3326.3005 [GMT 0:00]
    Running from: c:\documents and settings\spare 1\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\spare 1\Desktop\cfscript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    FILE ::
    "c:\documents and settings\spare 1\Start Menu\Programs\Startup\xcixrpse.exe "
    "c:\program files\ICSceRLi%±F‘Ëxcixrpse.exe "
    "c:\program files\KgmLJXQS½g³Ã‹xcixrpse.exe "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\spare 1\Application Data\Faihec
    c:\documents and settings\spare 1\Application Data\Faihec\irequ.exe
    c:\documents and settings\spare 1\Start Menu\Programs\Startup\xcixrpse.exe
    c:\program files\Internet Explorer\complete.dat
    c:\program files\Internet Explorer\dmlconf.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-05 to 2010-12-05 )))))))))))))))))))))))))))))))
    .

    2010-12-05 08:09 . 2010-12-05 08:09 -------- d-----w- c:\program files\RWCSLXrJ
    2010-12-04 23:36 . 2010-12-04 23:36 -------- d-----w- c:\program files\iklfyTIL
    2010-12-01 15:20 . 2010-12-01 15:20 -------- d-----w- c:\documents and settings\spare 1\NCH.Express.Burn.v4.39.WORKING.READ.NFO.WinAll-LAXiTY[1]
    2010-12-01 14:43 . 2010-12-01 15:05 -------- d-----w- c:\documents and settings\spare 1\Local Settings\Application Data\FLVService
    2010-12-01 14:43 . 2010-12-01 14:43 -------- d-----w- c:\program files\Freecorder
    2010-12-01 14:43 . 2010-12-01 14:43 -------- d-----w- c:\windows\Freecorder
    2010-12-01 13:20 . 2010-12-01 13:20 -------- d-----w- c:\program files\hYhvJHDj
    2010-12-01 13:14 . 2010-11-29 17:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-01 13:14 . 2010-11-29 17:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-01 10:58 . 2010-12-01 10:58 -------- d-----w- c:\program files\ICSceRLi%±F‘Ëxcixrpse.exe
    2010-11-30 17:24 . 2010-12-05 08:09 -------- d-----w- c:\program files\windows
    2010-11-30 17:24 . 2010-11-30 17:24 -------- d-----w- c:\program files\KgmLJXQS½g³Ã‹xcixrpse.exe
    2010-11-29 13:34 . 2010-11-29 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaInstallerCache
    2010-11-29 11:05 . 2010-11-29 11:05 -------- d-----w- c:\program files\PC Connectivity Solution
    2010-11-29 11:05 . 2010-02-26 14:21 8320 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
    2010-11-29 11:05 . 2010-02-26 14:21 137344 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
    2010-11-29 11:05 . 2010-02-26 14:32 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
    2010-11-29 11:05 . 2010-02-26 14:32 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
    2010-11-29 11:05 . 2010-02-26 14:32 22528 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
    2010-11-29 11:05 . 2010-02-26 14:32 662016 ----a-w- c:\windows\system32\nmwcdcocls.dll
    2010-11-29 11:05 . 2010-02-26 14:32 18176 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
    2010-11-29 11:05 . 2010-02-26 14:19 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
    2010-11-07 21:23 . 2010-11-07 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    2010-11-07 21:21 . 2010-11-07 21:21 -------- d-----w- c:\program files\ZD Soft
    2010-11-07 20:46 . 2010-11-07 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Deskshare
    2010-11-07 20:46 . 2010-11-07 20:46 -------- d-----w- c:\documents and settings\spare 1\Local Settings\Application Data\Xenocode
    2010-11-07 20:46 . 2010-11-07 20:46 -------- d-----w- c:\program files\Xenocode
    2010-11-07 09:09 . 2010-11-07 09:09 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-11-06 13:04 . 2008-02-28 12:26 1414440 ----a-w- c:\windows\system32\ShellManager310E2D762.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-03 23:43 . 2010-10-03 23:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2010-09-18 11:23 . 2002-09-03 19:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2002-09-03 19:44 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2002-09-03 19:44 954368 ------w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2002-09-03 19:44 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2006-06-23 11:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2002-09-03 19:42 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2002-09-03 19:40 1469440 ------w- c:\windows\system32\inetcpl.cpl
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-12-01_11.23.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-01-03 05:40 . 2008-04-14 00:12 146432 c:\windows\system32\dllcache\winspool.drv
    + 2010-12-01 14:43 . 2010-12-01 14:43 473600 c:\windows\Freecorder\uninstall.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-18 68856]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [BU]
    "Google Update "= "c:\documents and settings\spare 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-02 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer "= "c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "Acrobat Assistant 8.0 "= "c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "avgnt "= "c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-02-01 8523776]
    "AdobeAAMUpdater-1.0 "= "c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "AdobeCS5ServiceManager "= "c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
    "SwitchBoard "= "c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "DivXUpdate "= "c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
    "Freecorder FLV Service "= "c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe "=
    "c:\\Program Files\\Autodesk\\Backburner\\monitor.exe "=
    "c:\\Program Files\\Autodesk\\Backburner\\manager.exe "=
    "c:\\Program Files\\Autodesk\\Backburner\\server.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe "=
    "c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe "=
    "c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe "=
    "c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe "=
    "c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\GameSpy Arcade\\Aphex.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "c:\\WINDOWS\\system32\\javaw.exe "=
    "c:\\Documents and Settings\\spare 1\\Application Data\\Juniper Networks\\Juniper Citrix Services Client\\dsCitrixProxy.exe "=
    "c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe "=
    "c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe "=
    "c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "14400:TCP "= 14400:TCP:Service
    "14416:TCP "= 14416:TCP:Service

    R0 AFAmgt;AFAmgt;c:\windows\system32\drivers\afamgt.sys [21/04/2004 11:36 92411]
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
    S1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 23:54 34792]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [16/12/2009 16:26 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 67656]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [17/12/2009 19:35 108289]
    S2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [08/02/2004 16:02 118784]
    S2 AsfAlrt;AsfAlrt;c:\windows\system32\drivers\Asfalrt.sys [18/12/2002 12:31 36064]
    S2 gupdate1c9c0f24b9fdc5a;Google Update Service (gupdate1c9c0f24b9fdc5a);c:\program files\Google\Update\GoogleUpdate.exe [19/04/2009 13:25 133104]
    S2 RAIDStorAgent;RAID Storage Manager Agent;c:\program files\Dell\RAID Storage Manager\StorServ.exe [16/06/2004 22:10 49152]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 23:43 767208]
    S2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 09:33 202016]
    S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\drivers\webc3vid.sys [30/03/2008 19:35 166504]
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [30/03/2008 08:45 17149]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [11/01/2005 19:55 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [11/01/2005 19:55 8456]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [29/11/2010 11:05 137344]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [29/11/2010 11:05 8320]
    S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [03/01/2005 17:08 15104]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 12872]
    S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 12:37 517096]
    S3 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 14:42 148768]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-01 c:\windows\Tasks\AdobeAAMUpdater-1.0-NIGEJK-spare 1.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-10-10 02:44]

    2010-12-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    2010-12-01 c:\windows\Tasks\expressburnDowngrade.job
    - c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-10-31 13:50]

    2010-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-19 13:25]

    2010-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-19 13:25]

    2010-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1844237615-839522115-1008Core.job
    - c:\documents and settings\spare 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-30 19:14]

    2010-12-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1844237615-839522115-1008UA.job
    - c:\documents and settings\spare 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-30 19:14]

    2010-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1844237615-839522115-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-30 19:14]

    2010-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1844237615-839522115-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-30 19:14]

    2010-12-05 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

    2010-12-04 c:\windows\Tasks\User_Feed_Synchronization-{1D55DF3C-391C-48BC-9A3A-50487986C23F}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 04:31]

    2010-10-09 c:\windows\Tasks\wavepadShakeIcon.job
    - c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-10-06 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {AD58C149-8AE2-4878-99DC-3A164E32F814} - hxxp://appsnet.bentley.com/myselectcd/SAXFileEE.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    FF - ProfilePath - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Freecorder Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT1060933&SearchSource=13
    FF - component: c:\program files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
    FF - component: c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\components\FirefoxExtension.dll
    FF - plugin: c:\documents and settings\spare 1\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npContribute.dll
    FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Firefox Synchronisation Extension: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70} - c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension
    FF - Extension: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    FF - Extension: Conduit Engine : engine@conduit.com - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\extensions\engine@conduit.com
    FF - Extension: Freecorder Community Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\documents and settings\spare 1\Application Data\Mozilla\Firefox\Profiles\h523k0rr.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-{A7AEB066-99F5-82F1-789B-2ABB8B315BF8} - c:\documents and settings\spare 1\Application Data\Faihec\irequ.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-05 08:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\documents and settings\spare 1\Start Menu\Programs\Startup\xcixrpse.exe 67086 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-343818398-1844237615-839522115-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "?? "=hex:97,ab,cc,a8,20,3f,eb,79,c8,31,62,a4,2a,fc,68,ee,d5,ef,a4,f8,16,eb,5a,
    69,27,ff,43,2a,99,1b,4f,74,be,9a,b7,24,71,17,fb,b4,00,55,a6,ce,16,a2,55,49,\
    "?? "=hex:6d,77,c1,5e,09,b0,35,eb,ea,b5,6c,b2,8e,1f,6c,34

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    Completion time: 2010-12-05 08:36:16
    ComboFix-quarantined-files.txt 2010-12-05 08:36
    ComboFix2.txt 2010-12-05 01:51
    ComboFix3.txt 2010-12-04 13:01
    ComboFix4.txt 2010-12-01 11:26
    ComboFix5.txt 2010-12-05 08:21

    Pre-Run: 15,594,803,200 bytes free
    Post-Run: 15,577,214,976 bytes free

    - - End Of File - - 172CEDC846DB58F2888491428E51526B
     
  15. 2010/12/05
    broni, Moderator Malware Analyst
    Something is still hiding there...

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  16. 2010/12/05
    Nigejk, Inactive Thread Starter
    Nothing detected



    2010/12/05 18:23:52.0078 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01
    2010/12/05 18:23:52.0078 ================================================================================
    2010/12/05 18:23:52.0078 SystemInfo:
    2010/12/05 18:23:52.0078
    2010/12/05 18:23:52.0078 OS Version: 5.1.2600 ServicePack: 3.0
    2010/12/05 18:23:52.0078 Product type: Workstation
    2010/12/05 18:23:52.0078 ComputerName: NIGEJK
    2010/12/05 18:23:52.0078 UserName: spare 1
    2010/12/05 18:23:52.0078 Windows directory: C:\WINDOWS
    2010/12/05 18:23:52.0078 System windows directory: C:\WINDOWS
    2010/12/05 18:23:52.0078 Processor architecture: Intel x86
    2010/12/05 18:23:52.0078 Number of processors: 2
    2010/12/05 18:23:52.0078 Page size: 0x1000
    2010/12/05 18:23:52.0078 Boot type: Normal boot
    2010/12/05 18:23:52.0078 ================================================================================
    2010/12/05 18:23:52.0328 Initialize success
    2010/12/05 18:23:55.0312 ================================================================================
    2010/12/05 18:23:55.0312 Scan started
    2010/12/05 18:23:55.0312 Mode: Manual;
    2010/12/05 18:23:55.0312 ================================================================================
    2010/12/05 18:24:03.0453 nmwcdc (3859c69a77793180548802dac9f34a38) C:\WINDOWS\system32\drivers\ccdcmbo.sys
    2010/12/05 18:24:03.0515 nmwcdnsu (338f83ee9cb9e15eeacf0cbb90218cbf) C:\WINDOWS\system32\drivers\nmwcdnsu.sys
    2010/12/05 18:24:03.0593 nmwcdnsuc (d15bac979144fb69ed28f97b2dd84d48) C:\WINDOWS\system32\drivers\nmwcdnsuc.sys
    2010/12/05 18:24:03.0625 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/12/05 18:24:03.0671 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/12/05 18:24:03.0750 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/12/05 18:24:04.0000 nv (e45dafdc5687a64c7ac658927569703a) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2010/12/05 18:24:04.0296 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/12/05 18:24:04.0375 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/12/05 18:24:04.0453 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
    2010/12/05 18:24:04.0531 OVT511Plus (c5739be3a8eecdf951955a38e1741f45) C:\WINDOWS\system32\Drivers\omcamvid.sys
    2010/12/05 18:24:04.0593 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/12/05 18:24:04.0640 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/12/05 18:24:04.0703 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/12/05 18:24:04.0750 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
    2010/12/05 18:24:04.0781 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/12/05 18:24:04.0843 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/12/05 18:24:04.0890 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/12/05 18:24:05.0234 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/12/05 18:24:05.0281 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2010/12/05 18:24:05.0343 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/12/05 18:24:05.0406 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/12/05 18:24:05.0468 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2010/12/05 18:24:05.0750 RapportCerberus_19917 (539fbdcff37a24102c507092b333ec2b) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys
    2010/12/05 18:24:05.0828 RapportKELL (b64262f33c53d690ed662fde57102b10) C:\WINDOWS\system32\Drivers\RapportKELL.sys
    2010/12/05 18:24:05.0890 RapportPG (c9b8a131aaf77d969cbc3987537b319d) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
    2010/12/05 18:24:05.0953 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/12/05 18:24:06.0015 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/12/05 18:24:06.0062 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/12/05 18:24:06.0109 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/12/05 18:24:06.0203 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/12/05 18:24:06.0265 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/12/05 18:24:06.0328 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/12/05 18:24:06.0390 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/12/05 18:24:06.0484 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/12/05 18:24:06.0593 RT2500 (16f6f00e7a89224eb3c5b354be8eccee) C:\WINDOWS\system32\DRIVERS\RT2500.sys
    2010/12/05 18:24:06.0656 S6U12BScanner (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\drivers\usbscan.sys
    2010/12/05 18:24:06.0750 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2010/12/05 18:24:06.0781 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    2010/12/05 18:24:06.0812 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    2010/12/05 18:24:06.0890 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/12/05 18:24:06.0984 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/12/05 18:24:07.0046 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/12/05 18:24:07.0109 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/12/05 18:24:07.0250 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2010/12/05 18:24:07.0328 smwdm (4aa922332433cdeb8b82c072c212e32e) C:\WINDOWS\system32\drivers\smwdm.sys
    2010/12/05 18:24:07.0421 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/12/05 18:24:07.0484 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/12/05 18:24:07.0531 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/12/05 18:24:07.0609 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2010/12/05 18:24:07.0656 ss_bus (5a1d0ca8a5f1e7b4ec50b9d76c001f0e) C:\WINDOWS\system32\DRIVERS\ss_bus.sys
    2010/12/05 18:24:07.0734 ss_mdfl (f0a85580e36a3a85059037d39a9cf079) C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
    2010/12/05 18:24:07.0796 ss_mdm (84c3dbfd1bfa4adc0a950b3d5506cb00) C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
    2010/12/05 18:24:07.0843 StarOpen (306521935042fc0a6988d528643619b3) C:\WINDOWS\system32\drivers\StarOpen.sys
    2010/12/05 18:24:07.0921 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2010/12/05 18:24:08.0000 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/12/05 18:24:08.0046 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/12/05 18:24:08.0296 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/12/05 18:24:08.0375 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/12/05 18:24:08.0453 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/12/05 18:24:08.0515 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/12/05 18:24:08.0562 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/12/05 18:24:08.0687 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/12/05 18:24:08.0781 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/12/05 18:24:08.0859 upperdev (0ccadc7391021376edbb8aa649d04e68) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
    2010/12/05 18:24:08.0937 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/12/05 18:24:08.0984 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/12/05 18:24:09.0015 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/12/05 18:24:09.0062 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/12/05 18:24:09.0125 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/12/05 18:24:09.0171 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\drivers\usbser.sys
    2010/12/05 18:24:09.0265 UsbserFilt (68b4f83cccf70a2ff32ee142c234332a) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
    2010/12/05 18:24:09.0328 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/12/05 18:24:09.0375 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/12/05 18:24:09.0421 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/12/05 18:24:09.0515 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/12/05 18:24:09.0593 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/12/05 18:24:09.0656 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
    2010/12/05 18:24:09.0796 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/12/05 18:24:09.0937 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    2010/12/05 18:24:10.0000 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2010/12/05 18:24:10.0062 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2010/12/05 18:24:10.0125 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2010/12/05 18:24:10.0343 ================================================================================
    2010/12/05 18:24:10.0343 Scan finished
    2010/12/05 18:24:10.0343 ================================================================================
     
  17. 2010/12/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
  18. 2010/12/08
    Nigejk

    Nigejk Inactive Thread Starter

    Joined:
    2010/01/21
    Messages:
    33
    Likes Received:
    0
    ESET log


    C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.DZ trojan
    C:\Documents and Settings\spare 1\Application Data\Veom\pyuwi.exe Win32/Spy.Zbot.ZR trojan
    C:\Documents and Settings\spare 1\Local Settings\temp\tmpdaa26159\ALL-zahlung.exe a variant of Win32/Kryptik.IQZ trojan
    C:\Documents and Settings\spare 1\Local Settings\temp\tmpe7968403\KillEXE.exe a variant of Win32/Kryptik.IQZ trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\spare 1\Application Data\svchost.exe.vir a variant of Win32/Kryptik.IOC trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\spare 1\Application Data\Byib\mufo.exe.vir Win32/Spy.Zbot.ZR trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\spare 1\Application Data\Faihec\irequ.exe.vir Win32/Spy.Zbot.ZR trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\spare 1\Application Data\Hera\syil.exe.vir a variant of Win32/Kryptik.IOF trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\spare 1\Application Data\Itekus\rahe.exe.vir a variant of Win32/Kryptik.IOF trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\spare 1\Application Data\Koyg\soyq.exe.vir a variant of Win32/Kryptik.IOF trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\spare 1\Application Data\Nuib\deex.exe.vir Win32/Spy.Zbot.ZR trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\spare 1\Application Data\Ocde\upys.exe.vir a variant of Win32/Kryptik.IOF trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\spare 1\Application Data\Qaapz\lyurg.exe.vir Win32/Spy.Zbot.ZR trojan
    C:\Qoobox\Quarantine\C\Documents and Settings\spare 1\Start Menu\Programs\Startup\_sishzm32_.exe.zip Win32/TrojanDownloader.Bredolab.BE trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Application Data\svchost.exe.vir a variant of Win32/Kryptik.IOC trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Application Data\Tiukn\arix.exe.vir a variant of Win32/Kryptik.IOF trojan
    C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0000459.exe Win32/Spy.Zbot.ZR trojan
    C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0001006.exe Win32/Ramnit.A virus
    C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0001081.exe Win32/Ramnit.A virus
    C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0001179.exe Win32/Spy.Zbot.ZR trojan
    C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0001258.exe Win32/Spy.Zbot.ZR trojan
    C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0001264.exe Win32/Ramnit.A virus
    C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0001365.exe Win32/Spy.Zbot.ZR trojan
    C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0001446.exe Win32/Ramnit.A virus
    C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0001523.exe Win32/Ramnit.A virus
    C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0002440.exe Win32/Ramnit.A virus
    C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0003440.exe Win32/Ramnit.A virus
    C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0005440.exe Win32/Ramnit.A virus
    C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0005470.exe Win32/Ramnit.A virus
    G:\PROGRAMS\Nero-8.3.2.1_eng_trial.exe Win32/Toolbar.AskSBar application
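The log above is ESET's plain text export, one detection per line. As an added example (not part of the thread and not an ESET tool), the Python script below splits such an export into buckets by where each hit lives, so the reader can see which detections are already inert (ComboFix's C:\Qoobox quarantine, System Restore snapshots under System Volume Information) and which are still live in a user profile or on another drive. The bucket names, the regexes and the embedded sample lines (constructed, modelled on the log above) are the example's own choices.

```python
"""Triage an ESET Online Scanner text export by where each detection lives.

Added example, not from the thread or from ESET. Input is the
"<path> <detection name> <threat type>" line format visible in the post.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines in the shape of the export above.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.DZ trojan
C:\Documents and Settings\spare 1\Application Data\Veom\pyuwi.exe Win32/Spy.Zbot.ZR trojan
C:\Qoobox\Quarantine\C\Documents and Settings\spare 1\Application Data\svchost.exe.vir a variant of Win32/Kryptik.IOC trojan
C:\Qoobox\Quarantine\C\Documents and Settings\spare 1\Application Data\Byib\mufo.exe.vir Win32/Spy.Zbot.ZR trojan
C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0000459.exe Win32/Spy.Zbot.ZR trojan
C:\System Volume Information\_restore{8943F114-E307-4677-A395-F03007AE2733}\RP1\A0001006.exe Win32/Ramnit.A virus
G:\PROGRAMS\Nero-8.3.2.1_eng_trial.exe Win32/Toolbar.AskSBar application
"""

# Paths contain spaces ("Documents and Settings"), so the path is matched
# non-greedily and the split is anchored on the detection name, which always
# carries a platform prefix with a slash (Win32/..., VBS/...) and may be
# preceded by "a variant of".  The threat type is the trailing word(s).
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<name>(?:(?:probably )?a variant of )?\S+/\S+)\s+"
    r"(?P<kind>[A-Za-z][A-Za-z ]*)$"
)

# Checked in order; the labels are this example's own, not ESET's.
BUCKETS = (
    ("quarantine (already inert)", re.compile(r"^[a-z]:\\Qoobox\\Quarantine\\", re.I)),
    ("system restore snapshot", re.compile(r"^[a-z]:\\System Volume Information\\", re.I)),
    ("drive other than C:", re.compile(r"^[abd-z]:\\", re.I)),
    ("live on C:", re.compile(r"^c:\\", re.I)),
)


def parse_line(line):
    """Return (path, detection name, threat type), or None for non-detection lines."""
    m = LINE_RE.match(line.strip())
    return (m["path"], m["name"], m["kind"]) if m else None


def bucket_for(path):
    for label, pattern in BUCKETS:
        if pattern.match(path):
            return label
    return "unclassified"


def _hits(text):
    return [h for h in map(parse_line, text.splitlines()) if h]


def triage(text):
    """Group every detection in the export by where the file lives."""
    groups = defaultdict(list)
    for hit in _hits(text):
        groups[bucket_for(hit[0])].append(hit)
    return dict(groups)


def file_infector_hits(text):
    """Paths ESET typed as 'virus': host files modified in place rather than
    dropped, which is why deleting the dropped trojans alone leaves them behind."""
    return [path for path, _name, kind in _hits(text) if kind == "virus"]


def families(text):
    """Distinct detection names with the 'a variant of' prefix stripped."""
    return sorted({re.sub(r"^(?:probably )?a variant of ", "", name)
                   for _path, name, _kind in _hits(text)})


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_LOG).items():
        print(f"{label}: {len(hits)}")
        for path, name, kind in hits:
            print(f"  {name} ({kind})  {path}")
    print("file infector hits:", file_infector_hits(SAMPLE_LOG))
    print("families:", families(SAMPLE_LOG))
```

Point the script at the saved ESETScan.txt instead of SAMPLE_LOG to run it on a real export. A hit under System Volume Information is an old restore-point copy and one under Qoobox is ComboFix's quarantine; neither is running, but any 'virus'-typed hit, wherever it sits, shows that executables on that system were rewritten, which is the distinction broni draws below between dropped trojans and a file infector.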
     
  19. 2010/12/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm afraid I have very bad news.

    You're infected with Ramnit file infector virus.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/.HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/.HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

    Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

    Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
     
  21. 2010/12/09
    Nigejk

    Nigejk Inactive Thread Starter

    Joined:
    2010/01/21
    Messages:
    33
    Likes Received:
    0
    ****.....


    Reformatting the hard drive is not too much of an issue. All documents and personal files etc. are kept on an external hard drive. Is there much of a chance that there are issues with that as well, as I would really not want to lose any of the info on that?
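The question about the external drive is one a practitioner would check rather than guess at. As an added example (not from the thread and not from any vendor tool), the Python script below walks a drive or folder and looks only at the file types broni's post says Ramnit touches: it hashes every .exe, .dll, .htm and .html, flags HTML that carries a VBScript block (a heuristic of this example, not a Ramnit signature), flags an autorun.inf at the root (a generic removable-media red flag, an assumption rather than something the thread states), and, when a hash manifest from an earlier run is supplied, lists executables whose hash has changed since. It disinfects nothing; it produces a list to hand to a scanner run from a clean machine. The demo tree it builds is constructed data.

```python
"""Triage a data drive for the file types a file infector such as Ramnit targets.

Added example, not from the thread or from any vendor tool.  Heuristics only:
a VBScript block in HTML and an autorun.inf at the root are red flags on a
documents drive, not proof of infection; a changed executable hash is a
fact, but only relative to a manifest recorded before the incident.
"""
import hashlib
import json
import os
import re
import tempfile
from pathlib import Path

# File types the thread says Ramnit infects; everything else is ignored.
TARGET_EXT = {".exe", ".dll", ".htm", ".html"}
EXEC_EXT = {".exe", ".dll"}
# Heuristic (this example's own): a VBScript <script> block inside HTML.
VBSCRIPT_RE = re.compile(
    rb"<script[^>]*(?:language|type)\s*=\s*[\"']?(?:text/)?vbscript", re.I)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, baseline=None):
    """Walk `root`; return findings plus a fresh hash manifest.

    baseline: {relative posix path: sha256} from an earlier run, or None.
    """
    root = Path(root)
    baseline = baseline or {}
    hashes, changed, new, vbs_html = {}, [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            ext = p.suffix.lower()
            if ext not in TARGET_EXT:
                continue
            rel = p.relative_to(root).as_posix()
            hashes[rel] = sha256_of(p)
            if ext in EXEC_EXT:
                if rel in baseline and baseline[rel] != hashes[rel]:
                    changed.append(rel)   # executable rewritten since the manifest
                elif baseline and rel not in baseline:
                    new.append(rel)       # executable that was not there before
            else:
                with open(p, "rb") as f:
                    if VBSCRIPT_RE.search(f.read()):
                        vbs_html.append(rel)
    return {
        "hashes": hashes,
        "changed": sorted(changed),
        "new": sorted(new),
        "vbscript_html": sorted(vbs_html),
        "autorun_inf": (root / "autorun.inf").is_file(),
    }


def save_manifest(hashes, path):
    Path(path).write_text(json.dumps(hashes, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a throwaway tree (constructed data), scan it before and after a
    simulated infection of one executable, and return both results."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as m:
        root = Path(d)
        (root / "PROGRAMS").mkdir()
        (root / "PROGRAMS" / "setup.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "notes.html").write_text("<html><body>clean</body></html>")
        (root / "index.htm").write_text(
            '<html><script language="VBScript">MsgBox 1</script></html>')
        (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
        first = scan(root)
        manifest = Path(m) / "manifest.json"   # kept off the drive under test
        save_manifest(first["hashes"], manifest)
        # Simulate a file infector appending code to the executable.
        with open(root / "PROGRAMS" / "setup.exe", "ab") as f:
            f.write(b"\xcc" * 16)
        second = scan(root, load_manifest(manifest))
    return first, second


if __name__ == "__main__":
    before, after = demo()
    for key in ("vbscript_html", "autorun_inf"):
        print(key, "=", before[key])
    print("changed after simulated infection:", after["changed"])
```

Run it from a known-clean machine with the drive attached, do not open or execute anything on the drive while doing so, and keep the manifest somewhere other than the drive being checked. A drive holding only documents that shows nothing in any of the four categories is a reasonable candidate to keep, but this is a triage aid that narrows what to look at; the verdict still comes from a full scanner pass on the clean machine before anything is copied back.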
     
