Do I have some kind of infection?

#1 Lombardo (New Member, 5 posts)
I suspect I may have some kind of infection: I can reboot a m/c, check the processes and have no rundll32.exe running. If left overnight, the next morning I have over twenty rundll32.exe running.
I have run through your suggested procedure and enclose the required logs. I tried running the TFC, but as this machine is a few hours' drive away and I am remotely connected, the application stopped my remote service.
I have a fully up-to-date Kaspersky antivirus and performed a full scan with no problems.

GMER:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 18:31:17
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\kiosk2\LOCALS~1\Temp\uwtdqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwClose [0xAA4FFF50]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwConnectPort [0xAA4FE200]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateKey [0xAA4F1700]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcess [0xAA4FFC80]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcessEx [0xAA4FFDF0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSection [0xAA500A50]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xAA500520]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateThread [0xAA501370]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDeleteKey [0xAA4F1800]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDeleteValueKey [0xAA4F1880]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDuplicateObject [0xAA5000F0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateKey [0xAA4F1930]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateValueKey [0xAA4F19E0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwFlushKey [0xAA4F1A90]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwInitializeRegistry [0xAA4F1B10]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadDriver [0xAA4FDD60]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadKey [0xAA4F2530]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadKey2 [0xAA4F1B30]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwNotifyChangeKey [0xAA4F1C10]
SSDT kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) ZwOpenFile [0xF7555030]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenKey [0xAA4F1CF0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenProcess [0xAA4FFA70]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenSection [0xAA500880]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryKey [0xAA4F1DD0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryMultipleValueKey [0xAA4F1E80]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xAA501020]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryValueKey [0xAA4F1F30]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwReplaceKey [0xAA4F2010]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwRequestWaitReplyPort [0xAA4FE7F0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwRestoreKey [0xAA4F20A0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwResumeThread [0xAA501320]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSaveKey [0xAA4F22A0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetContextThread [0xAA5016A0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationFile [0xAA501CC0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationKey [0xAA4F2330]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSecurityObject [0xAA4FC940]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSystemInformation [0xAA500700]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetValueKey [0xAA4F23D0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSuspendThread [0xAA5012D0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSystemDebugControl [0xAA4FE0C0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwTerminateProcess [0xAA500E70]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwUnloadKey [0xAA4F24F0]
SSDT \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwWriteVirtualMemory [0xAA4FFFB0]

Code \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 1D0 804E982C 12 Bytes [60, DD, 4F, AA, 30, 25, 4F, ...] {PUSHA ; FISTTP QWORD [EDI-0x56]; XOR [0x1b30aa4f], AH; DEC EDI; STOSB }
.text ntoskrnl.exe!_abnormal_termination + 21C 804E9878 1 Byte [30]
.text ntoskrnl.exe!IoIsOperationSynchronous 804EF75A 5 Bytes JMP AA5026A0 \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 8050A289 5 Bytes JMP AA5020E0 \??\C:\Windows\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab)

---- User code sections - GMER 1.0.15 ----

? C:\AV\gmer.exe[160] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\System32\snmp.exe[176] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Netviewer\remote\nvRemoteHost.exe[200] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\spoolsv.exe[284] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\igfxtray.exe[400] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\hkcmd.exe[408] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\msdtc.exe[452] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\igfxpers.exe[536] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\SOUNDMAN.EXE[544] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Java\jre6\bin\jusched.exe[644] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe[668] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\ctfmon.exe[688] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\csrss.exe[888] C:\Windows\system32\KERNEL32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\tlntsvr.exe[892] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\winlogon.exe[920] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\services.exe[964] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\lsass.exe[976] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Netviewer\remote\nvRemoteSettings_EN.exe[1092] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\svchost.exe[1212] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\MicroTouch\MT7\TwMonitor.exe[1268] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\System32\svchost.exe[1376] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe[1448] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\inetsrv\inetinfo.exe[1492] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\svchost.exe[1516] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\PROGRAM FILES\MICROTOUCH\MT7\TwRegSvc.exe[1556] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Netviewer\remote\nvRemoteHost.exe[1568] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\UsbFloppy\usbfloppyservice.exe[1580] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Java\jre6\bin\jqs.exe[1656] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\UsbFloppy\usbfloppy.exe[1684] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\svchost.exe[1700] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\UltraVNC\WinVNC.exe[1760] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\System32\svchost.exe[1852] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\Explorer.EXE[1856] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\System32\SCardSvr.exe[1964] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\System32\svchost.exe[1996] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\mqsvc.exe[2136] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Windows\system32\mqtgsvc.exe[2428] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Program Files\Netviewer\remote\nvRemoteHost.exe[2584] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\WINDOWS\system32\wbem\wmiprvse.exe[3068] C:\Windows\system32\kernel32.dll time/date stamp mismatch;
? C:\Ariane\bin\AllegroStatisticsAlarms.exe[3560] C:\Windows\system32\KERNEL32.dll time/date stamp mismatch;
? C:\Ariane\bin\ars_backup.exe[3576] C:\Windows\system32\KERNEL32.dll time/date stamp mismatch;

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat klif.sys (spuper-ptor/Kaspersky Lab)

---- Threads - GMER 1.0.15 ----

Thread System [4:472] 86787030
Thread System [4:476] 86765000
Thread System [4:480] 86765000
Thread System [4:484] 867327E0
Thread System [4:488] 867327E0
Thread System [4:496] 867347D0
Thread System [4:500] 867347D0
Thread System [4:504] 867327E0
Thread System [4:532] 86765000
Thread System [4:772] 86765000
Thread System [4:2060] 85D6B190

---- EOF - GMER 1.0.15 ----


OTL.txt:
OTL logfile created on: 20/04/2010 18:34:59 - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\AV
Windows XP Windows XP Embedded Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 352.00 Mb Available Physical Memory | 35.00% Memory free
920.00 Mb Paging File | 390.00 Mb Available in Paging File | 42.00% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 29.58 Gb Total Space | 22.62 Gb Free Space | 76.49% Space Free | Partition Type: NTFS
Drive D: | 44.95 Gb Total Space | 44.51 Gb Free Space | 99.03% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KIOSK2
Current User Name: kiosk2
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/20 18:35:29 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\AV\OTL.exe
PRC - [2010/02/23 11:08:22 | 000,181,760 | ---- | M] () -- C:\Ariane\bin\AllegroStatisticsAlarms.exe
PRC - [2010/01/29 17:53:54 | 000,094,208 | ---- | M] (Ariane-Systems) -- C:\Ariane\bin\ARS_BackUp.exe
PRC - [2009/08/31 12:13:10 | 000,231,952 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
PRC - [2008/09/03 17:34:58 | 000,073,728 | ---- | M] (3M Touch Systems, Inc.) -- C:\Program Files\MicroTouch\MT7\TwMonitor.exe
PRC - [2008/07/16 15:08:22 | 000,765,264 | ---- | M] (Netviewer AG) -- C:\Program Files\Netviewer\remote\nvRemoteHost.exe
PRC - [2008/07/16 15:08:12 | 000,582,456 | ---- | M] (Netviewer AG) -- C:\Program Files\Netviewer\remote\nvRemoteSettings_EN.exe
PRC - [2008/02/20 14:09:08 | 000,032,768 | ---- | M] () -- C:\Program Files\MicroTouch\MT7\TwRegSvc.exe
PRC - [2007/06/13 12:26:03 | 001,033,216 | R--- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/04/16 15:28:22 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Windows\soundman.exe
PRC - [2006/11/20 11:17:52 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\snmp.exe
PRC - [2006/05/30 15:38:32 | 000,028,672 | ---- | M] (Carthagene Consulting) -- C:\Program Files\UsbFloppy\UsbFloppy.exe
PRC - [2005/08/06 19:45:14 | 000,974,848 | ---- | M] (UltraVNC) -- C:\Program Files\UltraVNC\winvnc.exe
PRC - [2005/03/19 16:12:40 | 000,013,312 | ---- | M] () -- C:\Program Files\UsbFloppy\usbfloppyservice.exe
PRC - [2004/12/02 11:59:57 | 000,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\inetsrv\inetinfo.exe


========== Modules (SafeList) ==========

MOD - [2010/04/20 18:35:29 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\AV\OTL.exe
MOD - [2004/12/02 11:59:53 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (WYN_V52)
SRV - [2009/08/31 12:13:10 | 000,231,952 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe -- (AVP)
SRV - [2008/11/17 08:05:32 | 000,195,752 | ---- | M] (CybelSoft) [On_Demand | Stopped] -- C:\Program Files\ma-config.com\maconfservice.exe -- (maconfservice)
SRV - [2008/07/16 15:08:22 | 000,765,264 | ---- | M] (Netviewer AG) [Auto | Running] -- C:\Program Files\Netviewer\remote\nvRemoteHost.exe -- (nvRemote_Service)
SRV - [2008/02/20 14:09:08 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\PROGRAM FILES\MICROTOUCH\MT7\TwRegSvc.exe -- (TwRegSvc)
SRV - [2006/11/20 11:17:52 | 000,033,280 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\system32\snmp.exe -- (SNMP)
SRV - [2006/01/24 22:30:01 | 000,035,648 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Point Of Service\Microsoft.PointOfService.Service.exe -- (POSPerformanceCounters)
SRV - [2005/08/06 19:45:14 | 000,974,848 | ---- | M] (UltraVNC) [Auto | Running] -- C:\Program Files\UltraVNC\WinVNC.exe -- (winvnc)
SRV - [2005/03/19 16:12:40 | 000,013,312 | ---- | M] () [Auto | Running] -- C:\Program Files\UsbFloppy\usbfloppyservice.exe -- (usbfloppyservice)
SRV - [2004/12/02 12:00:03 | 000,086,016 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\system32\p2pgasvc.dll -- (p2pgasvc)
SRV - [2004/12/02 11:59:57 | 000,015,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2004/12/02 11:59:57 | 000,015,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2004/12/02 11:59:57 | 000,015,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2004/12/02 11:59:55 | 000,123,904 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\DUAgent.exe -- (DUAgent)
SRV - [2004/11/01 11:50:00 | 000,106,496 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\pcAnywhere\awhost32.exe -- (awhost32)
SRV - [2001/08/18 06:36:58 | 000,019,456 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\system32\tcpsvcs.exe -- (LPDSVC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2001/08/23 13:00:00 | 000,000,734 | ---- | M]) - C:\Windows\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [Bgariane] C:\BGInfo\BGInfo.exe (Sysinternals)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\Windows\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [SoundMan] C:\Windows\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Starting] C:\starting.bat ()
O4 - HKLM..\Run: [TrackPointSrv] File not found
O4 - HKLM..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Shortcut to HT28.lnk = C:\ONITY\HT28v3\HT28.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Shortcut to start.lnk = C:\start.cmd ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Touch Monitor.lnk = C:\Program Files\MicroTouch\MT7\TwMonitor.exe (3M Touch Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 01 00 00 00 [binary data]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 0
O8 - Extra context menu item: Ajouter à Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm ()
O9 - Extra Button: Statistiques d’Anti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll (Kaspersky Lab)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\rsvpsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\rsvpsp.dll File not found
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1238422580218 (WUWebControl Class)
O16 - DPF: {7B19E477-0FF8-11d4-9914-005004D3B3DB} http://java.sun.com/...122_008-win.cab (JavaPlugin.Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...122_008-win.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.214.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stn.rdsas.com
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - Reg Error: Key error. File not found
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\adialhk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\Windows\system32\klogon.dll - C:\Windows\system32\klogon.dll (Kaspersky Lab)
O20 - Winlogon\Notify\PCANotify: DllName - PCANotify.dll - C:\Windows\System32\PCANotify.dll (Symantec Corporation)
O20 - Winlogon\Notify\SSOExec: DllName - %windir%\temp\sso\ssoexec.dll - C:\Windows\temp\sso\ssoexec.dll File not found
O29 - HKLM SecurityProviders - (msapsspc.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - C:\Windows\system32\ias [2005/04/08 14:30:00 | 000,000,000 | ---D | M]
NetSvcs: Iprip - C:\Windows\system32\iprip.dll (Microsoft Corporation)
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: TrkWks - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - File not found
Unable to start service SrService!

========== Files/Folders - Created Within 14 Days ==========

[2010/04/20 16:10:03 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/04/20 16:08:37 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/20 15:45:05 | 000,000,000 | ---D | C] -- C:\AV
[2010/04/20 14:45:20 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/04/20 14:14:31 | 000,000,000 | ---D | C] -- C:\audit
[2005/04/08 04:46:20 | 000,123,904 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\DUAgent.exe
[2003/01/01 04:18:50 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2003/01/01 04:18:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2003/01/01 04:18:48 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2003/01/01 04:18:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/04/20 18:32:51 | 000,488,992 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox2.dat
[2010/04/20 18:25:38 | 010,495,776 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox.dat
[2010/04/20 18:00:00 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At12.job
[2010/04/20 18:00:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At1.job
[2010/04/20 17:00:00 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At10.job
[2010/04/20 16:08:39 | 000,000,617 | ---- | M] () -- C:\Documents and Settings\kiosk2\Desktop\NTREGOPT.lnk
[2010/04/20 16:08:39 | 000,000,598 | ---- | M] () -- C:\Documents and Settings\kiosk2\Desktop\ERUNT.lnk
[2010/04/20 16:03:54 | 003,145,782 | ---- | M] () -- C:\Windows\BGInfo.bmp
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At8.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At7.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At32.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At30.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At27.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At23.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At17.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At15.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At9.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At6.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At33.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At28.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At25.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At24.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At22.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At18.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At40.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At39.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At34.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At31.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At3.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At29.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At21.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At19.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At14.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At5.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At4.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At38.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At37.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At36.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At35.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At26.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At20.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At2.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At16.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At13.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At11.job
[2010/04/20 16:02:32 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/20 16:02:27 | 000,002,184 | ---- | M] () -- C:\Windows\System32\wpa.dbl
[2010/04/20 16:01:36 | 001,835,008 | -H-- | M] () -- C:\Documents and Settings\kiosk2\NTUSER.DAT
[2010/04/20 16:01:36 | 000,141,476 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox.idx
[2010/04/20 16:01:36 | 000,046,796 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox2.idx
[2010/04/20 14:45:39 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\kiosk2\Desktop\HiJackThis.lnk
[2010/04/19 14:14:47 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\kiosk2\ntuser.ini
[2010/04/15 15:54:22 | 006,395,804 | -H-- | M] () -- C:\Documents and Settings\kiosk2\Local Settings\Application Data\IconCache.db

========== Files Created - No Company Name ==========

[2010/04/20 16:08:39 | 000,000,617 | ---- | C] () -- C:\Documents and Settings\kiosk2\Desktop\NTREGOPT.lnk
[2010/04/20 16:08:39 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\kiosk2\Desktop\ERUNT.lnk
[2010/04/20 14:45:20 | 000,002,443 | ---- | C] () -- C:\Documents and Settings\kiosk2\Desktop\HiJackThis.lnk
[2010/04/20 09:18:38 | 000,029,310 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-2536.txt
[2010/04/20 09:18:38 | 000,001,358 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-2448.txt
[2010/04/13 10:52:16 | 000,485,207 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-3052.txt
[2010/04/13 10:52:16 | 000,002,171 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-3004.txt
[2010/03/29 10:15:45 | 000,157,013 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-3592.txt
[2010/03/29 10:15:45 | 000,001,141 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-3636.txt
[2010/03/25 14:56:37 | 000,020,552 | ---- | C] () -- C:\Windows\System32\drivers\utdrv.sys
[2010/03/11 11:03:25 | 000,050,572 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-2620.txt
[2010/03/11 11:03:25 | 000,001,346 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-2216.txt
[2010/02/24 14:31:02 | 000,000,224 | ---- | C] () -- C:\Documents and Settings\kiosk2\ScenarioPlayer_5_9_2.xml
[2010/02/09 11:00:06 | 000,024,254 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-2880.txt
[2010/02/09 11:00:06 | 000,001,834 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-3552.txt
[2009/11/03 09:46:08 | 000,207,811 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-3500.txt
[2009/11/03 09:46:08 | 000,001,241 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-452.txt
[2009/10/27 17:46:57 | 000,122,408 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-2628.txt
[2009/10/27 17:46:57 | 000,003,208 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-1240.txt
[2009/10/27 16:29:40 | 000,108,553 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-2968.txt
[2009/10/27 16:29:39 | 000,001,396 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-3328.txt
[2009/09/24 11:53:29 | 000,239,771 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-2476.txt
[2009/09/24 11:53:29 | 000,001,308 | ---- | C] () -- C:\Documents and Settings\kiosk2\TLogSvc-2272.txt
[2009/09/23 17:17:13 | 000,000,490 | RHS- | C] () -- C:\Documents and Settings\kiosk2\ntuser.pol
[2009/09/11 16:12:40 | 000,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI
[2009/09/09 13:46:24 | 000,002,412 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2009/09/09 13:00:42 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\kiosk2\Local Settings\Application Data\fusioncache.dat
[2009/09/09 11:30:52 | 000,074,418 | ---- | C] () -- C:\Documents and Settings\kiosk2\ip.txt
[2009/09/09 11:30:29 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\kiosk2\ntuser.ini
[2009/09/09 11:30:28 | 001,835,008 | -H-- | C] () -- C:\Documents and Settings\kiosk2\NTUSER.DAT
[2009/09/09 11:30:28 | 000,020,480 | -H-- | C] () -- C:\Documents and Settings\kiosk2\ntuser.dat.LOG
[2009/08/28 15:23:12 | 000,004,743 | ---- | C] () -- C:\Windows\SigPlus.ini
[2009/02/25 17:31:33 | 000,056,832 | ---- | C] () -- C:\Windows\System32\ActPanel.dll
[2005/04/08 05:01:10 | 000,021,791 | ---- | C] () -- C:\Windows\System32\smtpctrs.ini
[2005/04/08 05:01:10 | 000,001,037 | ---- | C] () -- C:\Windows\System32\ntfsdrct.ini
[2005/04/08 05:01:04 | 000,038,576 | ---- | C] () -- C:\Windows\System32\w3ctrs.ini
[2005/04/08 05:01:04 | 000,010,225 | ---- | C] () -- C:\Windows\System32\axperf.ini
[2005/04/08 05:01:01 | 000,011,435 | ---- | C] () -- C:\Windows\System32\infoctrs.ini
[2005/04/08 04:45:48 | 000,001,793 | ---- | C] () -- C:\Windows\System32\fxsperf.ini
[2005/04/08 04:43:50 | 000,363,520 | ---- | C] () -- C:\Windows\System32\psisdecd.dll
[2003/01/05 23:39:38 | 000,147,456 | ---- | C] () -- C:\Windows\System32\RtlCPAPI.dll
[2003/01/05 23:20:12 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v4764.dll
[2000/03/29 22:00:00 | 000,125,440 | ---- | C] () -- C:\Windows\System32\UNZDLL.DLL
[1999/10/23 18:29:44 | 000,053,248 | ---- | C] () -- C:\Windows\System32\UNRAR.DLL
[1999/08/11 15:28:02 | 000,101,888 | ---- | C] () -- C:\Windows\System32\LIBBZ2.DLL
[1999/05/21 21:10:00 | 000,129,024 | ---- | C] () -- C:\Windows\System32\ZIPDLL.DLL
[1998/01/28 00:06:04 | 000,045,056 | ---- | C] () -- C:\Windows\System32\UNACE.DLL

========== LOP Check ==========

[2003/01/05 23:17:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ma-config.com
[2010/04/20 18:00:00 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2010/04/20 17:00:00 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At10.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At11.job
[2010/04/20 18:00:00 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At12.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At13.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At14.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At15.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At16.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At17.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At18.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At19.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At2.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At20.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At21.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At22.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At23.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At24.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At25.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At26.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At27.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At28.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At29.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At3.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At30.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At31.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At32.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At33.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At34.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At35.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At36.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At37.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At38.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At39.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At4.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At40.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At5.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At6.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At7.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At8.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At9.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2004/01/28 08:24:22 | 000,040,960 | ---- | M] (.) -- C:\DVE.exe
[2008/01/09 09:39:28 | 000,828,752 | ---- | M] (Netviewer AG) -- C:\NV_o2o_Participant_FR.exe


< MD5 for: AGP440.SYS >
[2005/03/02 18:51:14 | 018,738,937 | R--- | M] () .cab file -- C:\Windows\I386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2005/03/02 18:51:14 | 018,738,937 | R--- | M] () .cab file -- C:\Windows\I386\sp2.cab:atapi.sys
[2004/12/02 11:59:53 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\Windows\system32\drivers\atapi.sys
[2003/03/25 07:04:52 | 000,091,136 | ---- | M] (Microsoft Corporation) MD5=FA30640404376517930772D7E559AEF1 -- C:\I386\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/12/02 11:59:56 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\Windows\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2003/03/25 20:14:42 | 000,418,816 | ---- | M] (Microsoft Corporation) MD5=4B7021EFC4323AA4949DB2E53AD1052C -- C:\I386\system32\netlogon.dll
[2004/12/02 12:00:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\Windows\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/12/02 12:00:04 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\Windows\system32\scecli.dll
[2003/03/25 20:14:50 | 000,183,808 | ---- | M] (Microsoft Corporation) MD5=A927F6B1F40B0F5323EA7B9FED7164CB -- C:\I386\system32\scecli.dll

< MD5 for: SYMMPI.SYS >
[2003/03/25 07:13:10 | 000,026,496 | ---- | M] (LSI Logic) MD5=1F754D0B8CC3058370D4CEF712E3A3A7 -- C:\I386\system32\drivers\symmpi.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\drivers\*.sys /90 >
< End of report >



Extra.txt:
OTL Extras logfile created on: 20/04/2010 18:34:59 - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\AV
Windows XP Windows XP Embedded Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 352.00 Mb Available Physical Memory | 35.00% Memory free
920.00 Mb Paging File | 390.00 Mb Available in Paging File | 42.00% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 29.58 Gb Total Space | 22.62 Gb Free Space | 76.49% Space Free | Partition Type: NTFS
Drive D: | 44.95 Gb Total Space | 44.51 Gb Free Space | 99.03% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KIOSK2
Current User Name: kiosk2
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"137:UDP" = 137:UDP:*:Enabled:NetBIOS Name Service
"138:UDP" = 138:UDP:*:Enabled:NetBIOS Datagram Service
"139:TCP" = 139:TCP:*:Enabled:NetBIOS Session Service
"445:TCP" = 445:TCP:*:Enabled:SMB over TCP
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:SSDP
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:UPnp Framework over TCP
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:Peer Name Resolution Protocol (PNRP)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"137:UDP" = 137:UDP:LocalSubNet:Enabled:NetBIOS Name Service
"138:UDP" = 138:UDP:LocalSubNet:Enabled:NetBIOS Datagram Service
"139:TCP" = 139:TCP:LocalSubNet:Enabled:NetBIOS Session Service
"445:TCP" = 445:TCP:LocalSubNet:Enabled:SMB over TCP
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:SSDP
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:UPnp Framework over TCP
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:Peer Name Resolution Protocol (PNRP)
"48113:TCP" = 48113:TCP:LocalSubNet:Enabled:maconfig_tcp
"48113:UDP" = 48113:UDP:LocalSubNet:Enabled:maconfig_udp

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\ariane\bin\VKeyboardPlayer.exe" = C:\ariane\bin\VKeyboardPlayer.exe:*:Enabled:VKeyboardPlayer -- ()
"C:\ariane\bin\ScenarioPlayer.exe" = C:\ariane\bin\ScenarioPlayer.exe:*:Enabled:Scenario Player -- (Ariane Systems)
"C:\ariane\BackOfficeLite\BOL_TCPServer\BOL_TCPServer.exe" = C:\ariane\BackOfficeLite\BOL_TCPServer\BOL_TCPServer.exe:*:Enabled: -- File not found
"C:\ONITY\HT28v3\HT28.exe" = C:\ONITY\HT28v3\HT28.exe:*:Enabled:HT28 -- ()
"C:\ARIANE\bin\AllegroStatisticsAlarms.exe" = C:\ARIANE\bin\AllegroStatisticsAlarms.exe:*:Enabled:AllegroStatisticsAlarms -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\ma-config.com\maconfservice.exe" = C:\Program Files\ma-config.com\maconfservice.exe:LocalSubNet:Enabled:maconfservice -- (CybelSoft)
"C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for UltraVnc-Serveur-101-Fr.zip\winvnc.exe" = C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for UltraVnc-Serveur-101-Fr.zip\winvnc.exe:*:Enabled:Serveur VNC pour Win32 -- File not found
"C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for UltraVnc-Serveur-101-Fr.zip\winvnc.exe" = C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for UltraVnc-Serveur-101-Fr.zip\winvnc.exe:*:Enabled:Serveur VNC pour Win32 -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{0868BB9D-5EA0-40AF-A1CC-A38ED4E5BC67}" = 32 Bit HP CIO Components Installer
"{115E8183-866A-11D3-97DF-0000F8D8F2E9}" = Symantec pcAnywhere
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A4EE7A4-356E-43B7-A4A3-9C55B22A05B3}" = Ma-Config.com
"{3F7924B9-D148-3141-87B1-68F36043A940}" = Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - FRA
"{511DF669-2930-30C0-8EB6-552887E29EC8}" = Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - FRA
"{59D5295A-7A91-4A74-8823-5F007467D62A}" = BOL_UserInterface v1.2.0 Setup
"{5B76AEA2-D4E5-3B55-B965-ACC36AE0EAFC}" = Microsoft .NET Framework 3.5 Language Pack - fra
"{78715FBA-F394-4309-8566-7E407F7DC19F}" = BOL_TCPServer_1.2.0
"{79B986AD-54D8-4498-AA06-89808829ACC0}" = Kaspersky Anti-Virus 6.0 for Windows Workstations
"{8C02CB4A-50D8-F0A7-0281-940024835EF9}" = Netviewer remote
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A8AD990E-355A-4413-8647-A9B168978423}_is1" = UltraVNC v1.0.1
"{ABC8D23C-D769-4684-B89A-FB3A60F2DA4A}" = Ariane Allegro 5.5.0
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C05ED040-923C-4175-8B8D-A8693B93598B}" = Microsoft POS for .NET 1.1
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{EDEA8AB7-7683-4ED2-AA19-E6C078064C0D}" = Microsoft WSE 3.0
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"CePrnSpy" = CePrnSpy
"d72520cb767454006c3f77a01e6254fa" = MT 7.12 (build 5) for Windows
"ERUNT_is1" = ERUNT 1.1j
"HDMI" = Intel® Graphics Media Accelerator Driver
"HT28" = HT28
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallWIX_{79B986AD-54D8-4498-AA06-89808829ACC0}" = Kaspersky Anti-Virus 6.0 for Windows Workstations
"JRE 1.2.2" = Java 2 Runtime Environment Standard Edition v1.2.2
"KpmSpy" = KpmSpy
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 2.5 (Symantec Corporation)
"Lucent Technologies Soft Modem" = Lucent Technologies Soft Modem AMR
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack - fra" = Module linguistique Microsoft .NET Framework 3.5 - fra
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PowerArchiver" = PowerArchiver
"PROGUSB" = PROGUSB
"Topaz e-Signatures SigPlusNET 1.12" = Topaz e-Signatures SigPlusNET 1.12
"Toshiba Soft Modem" = Toshiba Soft Modem AMR
"Tweak UI 2.10" = Tweak UI
"USBTrace_is1" = USBTrace V2.4.3
"WIC" = Windows Imaging Component
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 20/04/2010 10:45:42 | Computer Name = KIOSK2 | Source = Service Control Manager | ID = 7034
Description =

Error - 20/04/2010 10:45:42 | Computer Name = KIOSK2 | Source = Service Control Manager | ID = 7034
Description =

Error - 20/04/2010 10:45:42 | Computer Name = KIOSK2 | Source = Service Control Manager | ID = 7034
Description =

Error - 20/04/2010 10:45:42 | Computer Name = KIOSK2 | Source = Service Control Manager | ID = 7034
Description =

Error - 20/04/2010 10:45:42 | Computer Name = KIOSK2 | Source = Service Control Manager | ID = 7034
Description =

Error - 20/04/2010 10:45:42 | Computer Name = KIOSK2 | Source = Service Control Manager | ID = 7034
Description =

Error - 20/04/2010 11:02:59 | Computer Name = KIOSK2 | Source = MSMQ | ID = 2164
Description = The Message Queuing service will not join the STN domain. An MSMQ Configuration
(msmq) object exists in the new domain with an ID differing from the service ID.
Please
delete the MSMQ Configuration object in the new domain and restart the Message
Queuing service.

Error - 20/04/2010 11:03:08 | Computer Name = KIOSK2 | Source = Service Control Manager | ID = 7023
Description =

Error - 20/04/2010 11:03:08 | Computer Name = KIOSK2 | Source = Service Control Manager | ID = 7000
Description =

Error - 20/04/2010 11:08:00 | Computer Name = KIOSK2 | Source = Service Control Manager | ID = 7023
Description =

[ System Events ]
Error - 30/03/2010 06:14:54 | Computer Name = KIOSK2 | Source = Serial | ID = 393234
Description = No Parameters subkey was found for user defined data. This is odd,
and it also means no user configuration can be found.

Error - 31/03/2010 05:03:48 | Computer Name = KIOSK2 | Source = Serial | ID = 393234
Description = No Parameters subkey was found for user defined data. This is odd,
and it also means no user configuration can be found.

Error - 01/04/2010 03:52:12 | Computer Name = KIOSK2 | Source = Serial | ID = 393234
Description = No Parameters subkey was found for user defined data. This is odd,
and it also means no user configuration can be found.

Error - 08/04/2010 05:25:28 | Computer Name = KIOSK2 | Source = Serial | ID = 393234
Description = No Parameters subkey was found for user defined data. This is odd,
and it also means no user configuration can be found.

Error - 13/04/2010 09:16:16 | Computer Name = KIOSK2 | Source = Serial | ID = 393234
Description = No Parameters subkey was found for user defined data. This is odd,
and it also means no user configuration can be found.

Error - 15/04/2010 10:56:11 | Computer Name = KIOSK2 | Source = Serial | ID = 393234
Description = No Parameters subkey was found for user defined data. This is odd,
and it also means no user configuration can be found.

Error - 19/04/2010 09:09:22 | Computer Name = KIOSK2 | Source = Serial | ID = 393234
Description = No Parameters subkey was found for user defined data. This is odd,
and it also means no user configuration can be found.

Error - 19/04/2010 09:09:42 | Computer Name = KIOSK2 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain STN due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 19/04/2010 09:22:44 | Computer Name = KIOSK2 | Source = Serial | ID = 393234
Description = No Parameters subkey was found for user defined data. This is odd,
and it also means no user configuration can be found.

Error - 20/04/2010 11:02:45 | Computer Name = KIOSK2 | Source = Serial | ID = 393234
Description = No Parameters subkey was found for user defined data. This is odd,
and it also means no user configuration can be found.


< End of report >
  • 0



#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Start, Run, services.msc, OK to bring up the services window. Find the Task Scheduler service, right-click on it and select Properties, then change Startup Type: to Disabled and Apply, then STOP the service.

Why? Because your malware has created all of these tasks to fire off at odd intervals and we would prefer that it not do that.

[2010/04/20 18:00:00 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2010/04/20 17:00:00 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At10.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At11.job
[2010/04/20 18:00:00 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At12.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At13.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At14.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At15.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At16.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At17.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At18.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At19.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At2.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At20.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At21.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At22.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At23.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At24.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At25.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At26.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At27.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At28.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At29.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At3.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At30.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At31.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At32.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At33.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At34.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At35.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At36.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At37.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At38.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At39.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At4.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At40.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At5.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At6.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At7.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At8.job
[2010/04/20 16:02:32 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At9.job


We can turn the service back on when we are done.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.


Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:


Post Back (copy/paste the .txt files, do not use attachments)
After following the above, post back with:



1. Contents of C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

2. Contents of C:\Combofix.txt;

Ron

Edited by RKinner, 25 April 2010 - 05:17 PM.

  • 0
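The reasoning in the reply above is that forty At*.job files all modified within the same second, together with the Security Center "...DisableNotify" values set to 1 in the Extras log, are the footprint of the infection rather than anything the kiosk's owner set up. As an added example that is not part of this thread and is not code from OTL or Malwarebytes, here is a small Python script that parses lines in the OTL log format shown above and reports exactly those two signals. The log text embedded in it is constructed for the demonstration (a handful of lines in the same layout, not the full log from the machine; the NightlyBackup.job entry is invented as a legitimate task for contrast), and the cluster threshold of three jobs sharing one timestamp is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the OTL log layout seen in this thread (a few lines in
# the same format, NOT the full log from the affected machine). The
# NightlyBackup.job line is an invented legitimate task used for contrast.
SAMPLE_LOG = r"""
========== LOP Check ==========

[2003/01/05 23:17:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ma-config.com
[2010/04/20 18:00:00 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2010/04/20 16:02:32 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At2.job
[2010/04/20 16:02:32 | 000,000,350 | ---- | M] () -- C:\Windows\Tasks\At3.job
[2010/04/20 16:02:32 | 000,000,354 | ---- | M] () -- C:\Windows\Tasks\At4.job
[2010/04/19 02:00:00 | 000,000,420 | ---- | M] () -- C:\Windows\Tasks\NightlyBackup.job

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"""

# One OTL file or directory line:
#   [yyyy/mm/dd hh:mm:ss | size | attributes | C or M] (company) -- path
# The "(company)" field is absent on directory lines, so it is optional.
FILE_LINE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| (\S{4}) \| ([CM])\]"
    r"(?: \([^)]*\))? -- (.+)$"
)
# Jobs named AtN.job are what the at.exe scheduler creates.
AT_JOB = re.compile(r"\\Tasks\\At\d+\.job$", re.IGNORECASE)
REG_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"([^"]*)" =\s*(.*)$')
SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"


def parse_otl_file_lines(text):
    """Return every file/directory line as a dict with ts, size, attrs, flag, path."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            ts, size, attrs, flag, path = m.groups()
            entries.append({"ts": ts, "size": int(size.replace(",", "")),
                            "attrs": attrs, "flag": flag, "path": path})
    return entries


def _job_number(name):
    # Natural ordering so At10.job sorts after At2.job.
    return int(re.search(r"\d+", name).group())


def find_at_job_clusters(entries, min_cluster=3):
    """Group AtN.job files by modification timestamp; keep groups of min_cluster or more.

    A single AtN.job is ordinary; many written in the same second is the signal.
    """
    by_ts = defaultdict(list)
    for e in entries:
        if AT_JOB.search(e["path"]):
            by_ts[e["ts"]].append(e["path"].rsplit("\\", 1)[-1])
    return {ts: sorted(names, key=_job_number)
            for ts, names in by_ts.items() if len(names) >= min_cluster}


def parse_registry_values(text):
    """Map each [HKEY_...] section in the log to its "name" = value pairs (as strings)."""
    values, current = {}, None
    for line in text.splitlines():
        m = REG_KEY.match(line)
        if m:
            current = m.group(1)
            values.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            values[current][m.group(1)] = m.group(2).strip()
    return values


def disabled_notifications(registry):
    """Security Center values ending in DisableNotify that are set to 1 (alerts suppressed)."""
    sc = registry.get(SECURITY_CENTER_KEY, {})
    return sorted(n for n, v in sc.items() if n.endswith("DisableNotify") and v == "1")


def report(text):
    """Human-readable findings for both signals; one string per finding."""
    findings = []
    for ts, names in sorted(find_at_job_clusters(parse_otl_file_lines(text)).items()):
        findings.append(f"{len(names)} At*.job files share modification time {ts}: "
                        + ", ".join(names))
    for name in disabled_notifications(parse_registry_values(text)):
        findings.append(f"Security Center value {name} = 1 (user alerts suppressed)")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

The point of grouping by timestamp rather than matching on the name is that AtN.job is the normal naming for anything created with at.exe; what singles these out is dozens written in one second. The three DisableNotify values the script flags are the same ones Malwarebytes later reported as Disabled.SecurityCenter further down this thread, so the check lines up with what the clean-up actually found.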

#3
Lombardo

Lombardo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thanks for the excellent instructions - please find results below.

Does this mean I should be clean now - or do we have anything else to do?

Am I OK to restart the Task Scheduler service again now?

Regards,



Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4036

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

26/04/2010 10:59:17
mbam-log-2010-04-26 (10-59-17).txt

Scan type: Full scan (A:\|C:\|D:\|)
Objects scanned: 219264
Time elapsed: 32 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\start.cmd (Trojan.Agent) -> Quarantined and deleted successfully.

COMBOFIX.TXT
ComboFix 10-04-21.01 - kiosk2 26/04/2010 11:36:23.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.33.1033.18.1014.434 [GMT 1:00]
Lancé depuis: c:\documents and settings\kiosk2\Desktop\george.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache
c:\windows\system32\win.ini
c:\windows\system32\winhelp.exe

.
((((((((((((((((((((((((((((( Fichiers créés du 2010-03-26 au 2010-04-26 ))))))))))))))))))))))))))))))))))))
.

2010-04-26 08:48 . 2010-04-26 08:48 -------- d-----w- c:\documents and settings\kiosk2\Application Data\Malwarebytes
2010-04-26 08:48 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-26 08:47 . 2010-04-26 08:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-26 08:47 . 2010-04-26 08:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-26 08:47 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 15:08 . 2010-04-20 15:08 -------- d-----w- c:\program files\ERUNT
2010-04-20 14:45 . 2010-04-26 10:11 -------- d-----w- C:\AV
2010-04-20 14:36 . 2010-04-20 14:42 -------- d-----w- c:\temp\AV
2010-04-20 13:45 . 2010-04-20 13:45 388096 ----a-r- c:\documents and settings\kiosk2\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-20 13:45 . 2010-04-20 13:45 -------- d-----w- c:\program files\TrendMicro
2010-04-20 13:14 . 2010-04-20 13:14 -------- d-----w- C:\audit
2010-04-13 09:50 . 2010-04-13 09:50 3470153 ----a-w- c:\temp\LOG_2010-03-30_2010-04-13.zip
2010-03-30 09:08 . 2010-03-30 09:08 460532 ----a-w- c:\temp\LOG_2010-03-29_2010-03-30.zip
2010-03-29 09:10 . 2010-03-29 09:10 1006779 ----a-w- c:\temp\LOG_2010-03-26_2010-03-29.zip

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 11:00 . 2009-08-31 10:32 10734112 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-26 10:58 . 2009-08-31 10:32 497440 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-26 10:58 . 2009-08-31 10:32 47708 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-26 10:58 . 2009-08-31 10:32 144716 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-26 10:30 . 2009-08-31 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-13 16:48 . 2010-03-25 13:56 -------- d-----w- c:\program files\USBTrace
2010-03-25 15:09 . 2010-03-22 14:51 16 ----a-w- c:\windows\system32\utinfo.dat
2010-03-25 15:08 . 2010-03-25 15:09 61 ----a-w- c:\windows\system32\utlicense.dat
2010-02-25 08:32 . 2010-02-25 08:32 136 ----a-w- c:\documents and settings\KIOSK2\ASPNET\Local Settings\Application Data\fusioncache.dat
2004-12-02 10:59 . 2005-04-08 03:46 123904 ----a-w- c:\program files\Common Files\DUAgent.exe
.

------- Sigcheck -------

[-] 2007-02-09 . 05AB81909514BFD69CBB1F2C147CF6B9 . 574976 . . [5.1.2600.3081] . . c:\windows\system32\DllCache\ntfs.sys
[-] 2007-02-09 . 05AB81909514BFD69CBB1F2C147CF6B9 . 574976 . . [5.1.2600.3081] . . c:\windows\system32\drivers\ntfs.sys
[7] 2004-12-02 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB930916$\ntfs.sys

[-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\system32\DllCache\tcpip.sys
[-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2004-12-02 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\system32\netman.dll
[7] 2004-12-02 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB905414$\netman.dll

[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\system32\rpcss.dll
[-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\rpcss.dll
[7] 2004-12-02 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB894391$\rpcss.dll

[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
[7] 2004-12-02 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2006-08-25 . B0124CB21D28B1C9F678B566B6B57D92 . 617472 . . [5.82] . . c:\windows\system32\DllCache\comctl32.dll
[7] 2004-12-02 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\$NtUninstallKB923191$\comctl32.dll

[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\system32\es.dll
[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\system32\DllCache\es.dll
[7] 2004-12-02 10:59 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\$NtUninstallKB950974$\es.dll

[-] 2007-04-16 . 09F7CB3687F86EDAA4CA081F7AB66C03 . 986112 . . [5.1.2600.3119] . . c:\windows\system32\kernel32.dll
[-] 2007-04-16 . 09F7CB3687F86EDAA4CA081F7AB66C03 . 986112 . . [5.1.2600.3119] . . c:\windows\system32\DllCache\kernel32.dll
[7] 2004-12-02 . 888190E31455FAD793312F8D087146EB . 983552 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB935839$\kernel32.dll

[-] 2005-09-01 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\system32\linkinfo.dll
[7] 2004-12-02 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB900725$\linkinfo.dll

[-] 2009-01-16 . CC9D001B7370B292C35B366CA05B12B4 . 3596288 . . [7.00.6000.20996] . . c:\windows\system32\mshtml.dll
[-] 2009-01-16 . CC9D001B7370B292C35B366CA05B12B4 . 3596288 . . [7.00.6000.20996] . . c:\windows\system32\DllCache\mshtml.dll
[-] 2008-08-27 . 1AD035E04A7068EC2820B055A3131ED8 . 3593216 . . [7.00.6000.16735] . . c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\mshtml.dll
[-] 2008-08-26 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . c:\windows\ie7updates\KB961260-IE7\mshtml.dll
[-] 2008-08-26 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\mshtml.dll
[-] 2008-08-20 . 20D44D1A5A406CD8E129D3D4F0B5717C . 3067392 . . [6.00.2900.3429] . . c:\windows\ie7\mshtml.dll
[-] 2007-08-13 . C6EC2493346ED8888A549F59210A8ED3 . 3578368 . . [7.00.5730.13] . . c:\windows\ie7updates\KB956390-IE7\mshtml.dll
[-] 2006-02-01 . 51C91AC189321A320FC4BC90B56255A3 . 3073024 . . [6.00.2900.2838] . . c:\windows\$NtUninstallKB956390$\mshtml.dll

[-] 2008-06-20 . 1DFCA7713EA5A70D5D93B436AEA0317A . 245248 . . [5.1.2600.3394] . . c:\windows\system32\mswsock.dll
[-] 2008-06-20 . 1DFCA7713EA5A70D5D93B436AEA0317A . 245248 . . [5.1.2600.3394] . . c:\windows\system32\DllCache\mswsock.dll
[7] 2004-12-02 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\mswsock.dll

[-] 2008-08-14 . CE69DBD54221F2D40E49FF6DB77C6507 . 2185984 . . [5.1.2600.3427] . . c:\windows\I386\ntoskrnl.exe
[-] 2008-08-14 . CE69DBD54221F2D40E49FF6DB77C6507 . 2185984 . . [5.1.2600.3427] . . c:\windows\system32\ntoskrnl.exe
[-] 2008-08-14 . CE69DBD54221F2D40E49FF6DB77C6507 . 2185984 . . [5.1.2600.3427] . . c:\windows\system32\DllCache\ntoskrnl.exe
[7] 2004-12-02 . CE218BC7088681FAA06633E218596CA7 . 2180992 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB956841$\ntoskrnl.exe

[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\system32\tapisrv.dll
[7] 2004-12-02 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893756$\tapisrv.dll

[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\system32\DllCache\user32.dll
[7] 2005-04-06 . F81A42B8A963053EC9C0DE9E3F1B7C8C . 584024 . . [5.1.2600.2647] . . c:\windows\$NtUninstallKB925902$\user32.dll

[-] 2008-12-20 . 044E0A4E9FE97C0FB9AFE9C89E2A82E6 . 827904 . . [7.00.6000.20978] . . c:\windows\system32\wininet.dll
[-] 2008-12-20 . 044E0A4E9FE97C0FB9AFE9C89E2A82E6 . 827904 . . [7.00.6000.20978] . . c:\windows\system32\DllCache\wininet.dll
[-] 2008-08-26 . 77C192FE56A70D7FA0247BA0A6201C32 . 827904 . . [7.00.6000.20900] . . c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2008-08-26 . 77C192FE56A70D7FA0247BA0A6201C32 . 827904 . . [7.00.6000.20900] . . c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\wininet.dll
[-] 2008-08-26 . EF8EBA98145BFA44E80D17A3B3453300 . 826368 . . [7.00.6000.16735] . . c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\wininet.dll
[-] 2008-08-20 . C91E3A6EF094202F6B5CA8960DFCF243 . 667648 . . [6.00.2900.3429] . . c:\windows\ie7\wininet.dll
[-] 2007-08-13 . A4A0FC92358F39538A6494C42EF99FE9 . 818688 . . [7.00.5730.13] . . c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2006-01-09 . DDE9597A3311748C1519444E2BC147BD . 662016 . . [6.00.2900.2823] . . c:\windows\$NtUninstallKB956390$\wininet.dll

[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\DllCache\explorer.exe
[7] 2005-04-06 . BB9212EE1A8A18EEC2D62B5614BBD9B3 . 1039192 . . [6.00.2900.2647] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\system32\shsvcs.dll
[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\system32\DllCache\shsvcs.dll
[7] 2004-12-02 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB928255$\shsvcs.dll

[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\I386\aec.sys
[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\system32\drivers\aec.sys
[7] 2004-08-03 21:39 . 841F385C6CFAF66B58FBD898722BB4F0 . 142464 . . [5.1.2601.2078] . . c:\windows\$NtUninstallKB900485$\aec.sys

[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll
[-] 2006-11-01 19:17 . 925F8B61ED301A317BA850EBEECBDAA0 . 927504 . . [4.1.0.61] . . c:\windows\system32\DllCache\mfc40u.dll
[7] 2001-08-18 05:36 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . c:\windows\$NtUninstallKB924667$\mfc40u.dll

[-] 2008-08-14 . 63EC865DFF6CCFC7BEF94B5C50297CAD . 2062976 . . [5.1.2600.3427] . . c:\windows\I386\ntkrnlpa.exe
[-] 2008-08-14 . 63EC865DFF6CCFC7BEF94B5C50297CAD . 2062976 . . [5.1.2600.3427] . . c:\windows\system32\ntkrnlpa.exe
[-] 2008-08-14 . 63EC865DFF6CCFC7BEF94B5C50297CAD . 2062976 . . [5.1.2600.3427] . . c:\windows\system32\DllCache\ntkrnlpa.exe
[-] 2007-02-08 . F252FAE094C54572ECE38A039F2103C4 . 2058880 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe

[-] 2007-02-05 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . c:\windows\system32\upnphost.dll
[-] 2007-02-05 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . c:\windows\system32\DllCache\upnphost.dll
[7] 2004-12-02 . 0546477BDE979E33294FE97F6B3DE84A . 185344 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB931261$\upnphost.dll
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-12-02 110592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"Bgariane"="c:\bginfo\BGInfo.exe" [2006-10-06 741421]
"Starting"="C:\starting.bat" [2009-07-07 190]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Shortcut to HT28.lnk - c:\onity\HT28v3\HT28.exe [2009-9-2 4490240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 10:50 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter Undelete"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
2005-08-06 18:45 974848 ----a-w- c:\program files\UltraVNC\winvnc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Windows\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimeStampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)

R2 nvRemote_Service;Netviewer Remote Service;c:\program files\Netviewer\remote\nvRemoteHost.exe [16/07/2008 15:08 765264]
R2 TwRegSvc;MT7 Registry Service;c:\program files\MicroTouch\MT7\TwRegSvc.exe [27/02/2009 16:06 32768]
R2 usbfloppyservice;usbfloppyservice;c:\program files\UsbFloppy\usbfloppyservice.exe [27/11/2008 11:35 13312]
R3 Ramdisk;Windows RAM Disk Driver;c:\windows\system32\drivers\ramdisk.sys [08/04/2005 05:04 20736]
R3 TwTouch;MicroTouch Touch Screen;c:\windows\system32\drivers\TwTouch.sys [27/11/2008 16:07 83217]
S2 WYN_V52;WYN_V52;c:\wynid\WMAJ\UTILS\MAKE_SERVICE\WSTARTER --> c:\wynid\WMAJ\UTILS\MAKE_SERVICE\WSTARTER [?]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [08/04/2005 05:04 26624]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [17/11/2008 08:05 195752]
S3 NECIRDA;NEC IrCC Miniport Device Driver;c:\windows\system32\drivers\smcirda.sys [08/04/2005 05:04 35913]
S3 OBOE;Toshiba FIR Port Type-O;c:\windows\system32\drivers\tos4mo.sys [08/04/2005 05:04 28232]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [08/04/2005 04:46 10880]
S3 SIERRA;MKNet MK7100-based VFIR (16Mbps) Wireless PCI Adapter;c:\windows\system32\drivers\irmk7.sys [08/04/2005 05:04 23552]
S3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\Sonypi.sys [08/04/2005 04:43 37040]
S3 TDASYNC;TDASYNC;c:\windows\system32\drivers\tdasync.sys [08/04/2005 04:46 13192]
S3 TDIPX;TDIPX;c:\windows\system32\drivers\tdipx.sys [08/04/2005 04:46 21896]
S3 TDSPX;TDSPX;c:\windows\system32\drivers\tdspx.sys [08/04/2005 04:46 19464]
S3 utdrv;utdrv;c:\windows\system32\drivers\utdrv.sys [25/03/2010 14:56 20552]
S3 WBFIRDMA;Winbond Infrared Device Driver;c:\windows\system32\drivers\wbfirdma.sys [08/04/2005 05:04 35871]
S4 DUAgent;Device Update Agent;c:\program files\Common Files\DUAgent.exe [08/04/2005 04:46 123904]
S4 POSPerformanceCounters;Point Of Service Performance Counters;c:\program files\Microsoft Point of Service\Microsoft.PointOfService.Service.exe [24/01/2006 22:30 35648]

--- Autres Services/Pilotes en mémoire ---

*NewlyCreated* - HELPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
termsvcs REG_SZ TermService
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contenu du dossier 'Tâches planifiées'
.
.
------- Examen supplémentaire -------
.
uStart Page = about:blank
.
.
------- Associations de fichier -------
.
JSEFile=c:\windows\system32\WScript.exe %1
.
- - - - ORPHELINS SUPPRIMES - - - -

HKLM-Run-TrackPointSrv - tp4mon.exe
HKLM-Run-XeroxScannerDaemon - c:\program files\Xerox\NWWia\XrxFTPLt.exe
Notify-SSOExec - c:\windows\temp\sso\ssoexec.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 12:01
Windows 5.1.2600 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{3DA165B6-CC41-11d2-BDC6-00C04F79EC6B}\ProgID]
@Denied: (A) (Everyone)

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{3DA165B6-CC41-11d2-BDC6-00C04F79EC6B}\Version]
@Denied: (A) (Everyone)

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
@Denied: (A) (Everyone)
@="{8D8763AB-E93B-4812-964E-F04E0008FD50}"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_LOCAL_MACHINE\CMILoadedHive-{6638F373-3864-4058-81C1-57E83F3E65DA}\Microsoft\Windows NT\CurrentVersion\Windows]
@Denied: (Full) (Everyone)
@Denied: (Full) (Everyone)
@="mnmsrvc"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"TransmissionRetryTimeout"="90"
"swapdisk"=""
"Spooler"="yes"
"USERProcessHandleQuota"=dword:00002710
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\EmbdTrst.DLL
c:\windows\system32\klogon.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\msdtc.exe
c:\windows\system32\rundll32.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MicroTouch\MT7\TwMonitor.exe
c:\windows\System32\SCardSvr.exe
c:\windows\System32\snmp.exe
c:\program files\Netviewer\remote\nvRemoteSettings_EN.exe
c:\program files\UsbFloppy\usbfloppy.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
.
**************************************************************************
.
Heure de fin: 2010-04-26 12:02:24 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-04-26 11:02

Avant-CF: 24,158,593,024 bytes free
Après-CF: 24,092,631,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\Windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\Windows="Windows Embedded for Point of Service" /fastdetect

- - End Of File - - 238B0DA2EC73B7C3E850FFDE77889418
  • 0

#4
RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
I assume you removed the atxx.job files since they don't show up in Combofix. Did you happen to look to see what they were trying to do?

I see a couple of suspicious files. Do you know what they are?

C:\starting.bat (right click on the file and Edit to see what it does)

C:\DVE.exe (Submit this one to http://virustotal.com if you don't know what it is)

S2 WYN_V52;WYN_V52;c:\wynid\WMAJ\UTILS\MAKE_SERVICE\WSTARTER --> c:\wynid\WMAJ\UTILS\MAKE_SERVICE\WSTARTER [?]


Are you a software programmer? I see a bunch of locked registry entries that are usually associated with Microsoft Target Designer but might be made by another compiler.

Can you run Microsoft's Malicious Software Removal Tool

http://go.microsoft....k/?LinkId=40587

You are way behind in microsoft updates. Is this because the computer is not on the internet or because updates don't work?

Wait to restart Task Scheduler until we are sure you are clean.

Ron

Edited by RKinner, 26 April 2010 - 10:23 AM.

  • 0

#5
Lombardo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi Ron,

I have not removed any of the atxx.job files - just stopped the Task Scheduler service as you suggested. I wouldn't know how to look at them to see what they were doing either!

The two files you had a doubt about - are known to me and not a problem.

I am not a programmer, but work for a software company that produces an application to run on XP. The machines this application runs on only use this application, and this is a reason why we are not running Windows updates - the machines do not ordinarily access the internet. Allowing updates may affect the running of our application, so we do not enable it.

I have run Microsoft's Malicious Software Removal Tool - and at the end, for each file it said "not infected" (I didn't see any possibility to save a file so I could paste here).

Is there anything else to try?

Regards.
  • 0

#6
RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
I think if you go into Control Panel, Scheduled Tasks and (if they are still there) double click on one of them and it will tell you what it wants to do where it says Run. We want to verify that whatever it is trying to do refers to a file we have already removed. Perhaps when we turned off Task Scheduler it deleted them for us. If you don't see any tasks then turn the service back on and check again.

We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f


I usually recommend a free BitDefender online scan as a final check to see if we missed anything. http://www.bitdefend...nline/free.html

Ron
  • 0
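The checks Ron asks for in posts #4 and #6 (what each leftover task would Run and whether that target file still exists, the rundll32.exe instances with their parent process, and the registry Run entries ComboFix listed), as an added PowerShell triage script that is not part of the thread. It assumes PowerShell 2.0 or later on the affected machine and schtasks.exe (shipped with XP and later); run it from an elevated prompt so every user's processes are visible.

```powershell
# Added triage script for the checks discussed in this thread; it is not Ron's or
# Lombardo's code. Assumes PowerShell 2.0+ and schtasks.exe on the affected machine.

function Get-Rundll32Instances {
    # One row per rundll32.exe with its command line and the parent that launched it.
    # Twenty-odd copies appearing overnight (the symptom in post #1) usually trace back
    # to a single parent, which this makes visible.
    Get-WmiObject Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $parentName = '<exited>'
        if ($parent) { $parentName = $parent.Name }
        New-Object PSObject -Property @{
            Pid         = $_.ProcessId
            ParentPid   = $_.ParentProcessId
            Parent      = $parentName
            CommandLine = $_.CommandLine
        }
    }
}

function Get-TaskTargetPath {
    param([string]$TaskToRun)
    # "Task To Run" holds the executable plus arguments; keep only the executable,
    # honouring quotes so paths with spaces survive, and expand %SystemRoot%-style variables.
    if ($TaskToRun -match '^\s*"([^"]+)"') { $exe = $matches[1] }
    else { $exe = ($TaskToRun.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe) { return $exe }
    # Bare names such as rundll32.exe resolve through System32 and PATH, as the scheduler would.
    $found = Get-Command $exe -ErrorAction SilentlyContinue
    if ($found) { return $found.Definition }
    return $exe
}

function Get-ScheduledTaskTargets {
    # schtasks /v emits verbose CSV whose "Task To Run" column is the field shown as "Run"
    # when a task is opened from Control Panel > Scheduled Tasks. The at-created atNN.job
    # files from the thread appear here as tasks named At1, At2, ...
    # Newer Windows repeats the header row per task folder, so those rows are filtered out.
    schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' } |
        ForEach-Object {
            $target = Get-TaskTargetPath $_.'Task To Run'
            New-Object PSObject -Property @{
                TaskName     = $_.TaskName
                TaskToRun    = $_.'Task To Run'
                TargetExists = (Test-Path -LiteralPath $target)
                NextRun      = $_.'Next Run Time'
            }
        }
}

function Get-RunKeyEntries {
    # The autostart values ComboFix lists under "Points de chargement Reg"; a value such as
    # "Starting"="C:\starting.bat" is exactly what Ron asks to inspect in post #4.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $key = Get-Item -LiteralPath $p
        foreach ($name in $key.GetValueNames()) {
            New-Object PSObject -Property @{ Key = $p; Name = $name; Command = $key.GetValue($name) }
        }
    }
}

$rundll = @(Get-Rundll32Instances)
"rundll32.exe instances: $($rundll.Count)"
$rundll | Format-Table Pid, ParentPid, Parent, CommandLine -AutoSize

"Scheduled tasks (TargetExists = False means the task points at a file that is gone):"
Get-ScheduledTaskTargets | Format-Table TaskName, TargetExists, NextRun, TaskToRun -AutoSize

"Registry Run entries:"
Get-RunKeyEntries | Format-Table Key, Name, Command -AutoSize
```

A task whose TargetExists is False after a cleanup is the case Ron describes: it points at a file already removed and should itself be deleted, otherwise it keeps firing and logging an error.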

#7
Lombardo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thanks Ron.

There were no tasks in Task Scheduler - so guess they were deleted when I closed the service.

I have turned the service on again now.

Good thing now after a couple of days I am not seeing the spurious rundll32.exe in processes.

I have performed the system restore clean up as recommended.

Results of the BitDefender scan below - it found something else!!

BitDefender Online Scanner

Scan report generated at: Wed, Apr 28, 2010 - 16:03:58

Scan path: A:\;C:\;D:\;X:\;

Statistics
Time: 01:06:47
Files: 312870
Folders: 5463
Boot Sectors: 0
Archives: 1232
Packed Files: 2766

Results
Identified Viruses: 1
Infected Files: 1
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 1

Engines Info
Virus Definitions: 5691812
Engine build: AVCORE v2.1 Windows/i386 11.0.0.33 (Feb 25 2010)
Scan plugins: 17
Archive plugins: 44
Unpack plugins: 8
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\Windows\RESKIT\psexec.exe - Detected with: Application.PsExec.A
C:\Windows\RESKIT\psexec.exe - Disinfection failed
C:\Windows\RESKIT\psexec.exe - Deleted


Anything else to try?

Kind Regards.
  • 0

#8
RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
I think it's a false positive. Looks like it was probably a file from:

http://technet.micro...s/bb897553.aspx

If you want you can run the ESET scan:

Use IE and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

# Check Scan Archives
# Push the Start button.
# ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
# When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
# Push the BACK button.
# Push Finish

Ron
  • 0

#9
Lombardo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
OK, I have run the ESET online scanner - and nothing found.
I didn't see an option to export file - perhaps coz it didn't find anything?
  • 0