High CPU (System and explorer.exe), Possibly Malware?

#1
Calebio
New Member, 3 posts
As the title suggests I'm experiencing high CPU from the processes 'System' and 'explorer.exe'. This occurs as soon as I see my desktop and never goes down from 100% CPU Usage. (System and explorer.exe typically float around 50 each)

I've had the problem a few times before and always solved it by doing a System Restore after finding nothing that worked on a number of help forums. However this time when I try and do a System Restore there are no restore points to go back to (the System Restore is still on, it just doesn't seem to be working anymore).

I did a scan with Malwarebytes and it found a Trojan in Temp files and this was deleted but didn't seem to make a difference.

My computer is an old Dell Inspiron running XP and over the last couple of years something regularly goes wrong, but I have always managed to find the solution online or do a System Restore as a last resort, which has fixed it. This time I can't sort it out and the high CPU is making it pretty much unusable.

I ran a Hijackthis scan in safe mode and results are below. It doesn't mean a lot to me but even I can tell it is a bit of a mess as there are programs on there that I have tried to remove and haven't been removed properly for any reason. Any specific problems and their solutions would be much appreciated:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:16:32, on 15/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Rob\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [I&F Viewer toolbar] "C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [Ghuripenoxokexaq] rundll32.exe "C:\WINDOWS\w32pscl.dll",Startup
O4 - HKCU\..\Run: [{D5AC3C3C-64B6-C9D9-FACF-AC0285B801BA}] "C:\Documents and Settings\Rob\Application Data\Hotiic\gyraz.exe"
O4 - HKUS\S-1-5-21-3978994186-3995233041-1756435253-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3978994186-3995233041-1756435253-1007\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
O4 - HKUS\S-1-5-21-3978994186-3995233041-1756435253-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3978994186-3995233041-1756435253-1007\..\Run: [I&F Viewer toolbar] "C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start (User '?')
O4 - HKUS\S-1-5-21-3978994186-3995233041-1756435253-1007\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash (User '?')
O4 - HKUS\S-1-5-21-3978994186-3995233041-1756435253-1007\..\Run: [Ghuripenoxokexaq] rundll32.exe "C:\WINDOWS\w32pscl.dll",Startup (User '?')
O4 - HKUS\S-1-5-21-3978994186-3995233041-1756435253-1007\..\Run: [{D5AC3C3C-64B6-C9D9-FACF-AC0285B801BA}] "C:\Documents and Settings\Rob\Application Data\Hotiic\gyraz.exe" (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-3978994186-3995233041-1756435253-1007 Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (User '?')
O4 - .DEFAULT User Startup: cokizi.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googl...en/preview.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.luckynugg...elper/Nyoko.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.h...ads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108w.bay108...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6087.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.c...TCAST SETUP.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/dlhelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-31-0.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valu...018/flashax.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://www.inquiero....tivex118_24.cab
O20 - Winlogon Notify: rksocket - rksocket.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Workstation lanmanworkstationhpqcxs08 (lanmanworkstationhpqcxs08) - Unknown owner - C:\WINDOWS\
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com McShield McShield Driver HPZ12 (McShield Driver HPZ12) - Unknown owner - C:\WINDOWS\
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SecurityCenter Update Manager mcupdmgr.exeupnphost (mcupdmgr.exeupnphost) - Unknown owner - C:\WINDOWS\TEMP\rldE.tmp.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Peer Name Resolution Protocol PNRPSvcDnscache (PNRPSvcDnscache) - Unknown owner - C:\WINDOWS\TEMP\rld4.tmp.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

--
End of file - 12593 bytes
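
As an added example that is not part of this thread, the following Python script parses a few HijackThis-format lines (a constructed sample abridged from the log above) and flags the kinds of entries a helper reviewing such a log looks at first: Run values pointing into user-profile or TEMP directories, bare-GUID value names, rundll32 loading a DLL from outside system32, executables dropped straight into a Startup folder, and service or Winlogon registrations whose file is missing. The heuristics, regexes and function names are my own assumptions, not HijackThis or ComboFix logic.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).
Flags autorun and service entries whose location or shape matches common
infection patterns. Heuristics only: every hit needs human review, and no hits
does not mean the machine is clean."""
import re

# Constructed sample in HijackThis v2 format, abridged from the log posted in
# this thread: a few benign entries mixed with the ones ComboFix later removed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ghuripenoxokexaq] rundll32.exe "C:\WINDOWS\w32pscl.dll",Startup
O4 - HKCU\..\Run: [{D5AC3C3C-64B6-C9D9-FACF-AC0285B801BA}] "C:\Documents and Settings\Rob\Application Data\Hotiic\gyraz.exe"
O4 - .DEFAULT User Startup: cokizi.exe (User 'Default user')
O20 - Winlogon Notify: rksocket - rksocket.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee SecurityCenter Update Manager mcupdmgr.exeupnphost (mcupdmgr.exeupnphost) - Unknown owner - C:\WINDOWS\TEMP\rldE.tmp.exe (file missing)
"""

# Line shapes HijackThis uses for the sections modelled here (assumed from the log).
RUN_RE = re.compile(r'^O4 - (?P<key>\S+\\\.\.\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - (?P<key>.*Startup): (?P<target>.*)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$')
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")

# Path and name patterns behind the heuristics.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|bat|cmd)(?=$|["\s,])', re.I)
PROFILE_DIR_RE = re.compile(r'\\(application data|local settings|temp)\\', re.I)
TRUSTED_DIR_RE = re.compile(r'^[A-Za-z]:\\(windows\\system32|program files|progra~1)\\', re.I)
GUID_NAME_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')


def first_path(cmd):
    """Return the first drive-letter path to a binary in a command line, or None.
    Handles quoted paths, unquoted paths with spaces, and rundll32 "dll",entry."""
    m = WIN_PATH_RE.search(cmd)
    return m.group(0) if m else None


def assess_run(name, cmd):
    """Heuristics for a Run/RunOnce registry value (O4 entries)."""
    reasons = []
    path = first_path(cmd)
    if GUID_NAME_RE.match(name):
        reasons.append("Run value named with a bare GUID")
    if path and PROFILE_DIR_RE.search(path):
        reasons.append("autorun target lives in a user-profile data or TEMP directory")
    if cmd.lower().startswith("rundll32") and path and not TRUSTED_DIR_RE.match(path):
        reasons.append("rundll32 loads a DLL from outside system32/Program Files")
    return reasons


def assess_startup(target):
    """Heuristic for a Startup-folder entry: installers drop .lnk shortcuts,
    so a bare executable sitting in the folder is worth a look."""
    target = USER_SUFFIX_RE.sub("", target).lower()
    if ".lnk" not in target and target.endswith(".exe"):
        return ["executable placed directly in a Startup folder (not a shortcut)"]
    return []


def assess_binary(path):
    """Heuristics for a service (O23) or Winlogon Notify (O20) registration."""
    reasons = []
    if "(file missing)" in path.lower():
        reasons.append("registration points at a file that no longer exists")
    if PROFILE_DIR_RE.search(path):
        reasons.append("binary registered from a user-profile data or TEMP directory")
    return reasons


def triage(log_text):
    """Return [(line, [reason, ...]), ...] for every line that trips a heuristic,
    in log order. Lines from sections not modelled here are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            reasons = assess_run(m["name"], USER_SUFFIX_RE.sub("", m["cmd"]))
        elif (m := STARTUP_RE.match(line)):
            reasons = assess_startup(m["target"])
        elif (m := SERVICE_RE.match(line)) or (m := NOTIFY_RE.match(line)):
            reasons = assess_binary(m["path"])
        else:
            reasons = []
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run on the sample it reports the five entries ComboFix went on to delete or orphan (w32pscl.dll, gyraz.exe, cokizi.exe, rksocket, rldE.tmp.exe) and stays silent on the iTunes, ctfmon and Bonjour lines.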

#2
Rorschach112
Ralphie, Retired Staff, 47,710 posts
Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3
Calebio
New Member, Topic Starter, 3 posts
Thanks for the reply.

I followed the instructions. First time round Combofix didn't run properly and didn't even get to the bit about Windows Recovery Console. I then restarted in Safe Mode with Networking and ran it from there. This then came up with a message saying it had detected a Rootkit and had to reboot. Then after rebooting back in normal mode Combofix ran automatically and produced the log info (pasted below). One concern would be that McAfee might have restarted on reboot into normal mode, but seeing as Combofix began automatically I thought I'd let it run; also there were no icons on the desktop so I would have had to shut it down with the power off button. Anyway the CPU is actually back to normal which is great, but there might be some further health checks and actions to keep the machine clean. Log file below:

ComboFix 10-09-15.01 - Rob 16/09/2010 10:53:02.2.1 - x86 NETWORK
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\BotLog.txt
c:\documents and settings\Rob\Application Data\Duon
c:\documents and settings\Rob\Application Data\Duon\qeazk.sad
c:\documents and settings\Rob\Application Data\Duon\qeazk.tmp
c:\documents and settings\Rob\Application Data\Hotiic\gyraz.exe
c:\documents and settings\Rob\Application Data\Idaxux
c:\documents and settings\Rob\Application Data\Idaxux\ablaw.tmp
c:\documents and settings\Rob\Application Data\Idaxux\ablaw.wus
c:\documents and settings\Rob\Application Data\Unrye
c:\documents and settings\Rob\Application Data\Unrye\vesy.tmp
c:\documents and settings\Rob\Application Data\Unrye\vesy.ucn
c:\documents and settings\Rob\decr_step1.bin
c:\documents and settings\Rob\Local Settings\Application Data\oqtybekfl
c:\documents and settings\Rob\Local Settings\Application Data\oqtybekfl\iphucyhshdw.exe
c:\windows\Downloaded Program Files\dlhelper.dll
c:\windows\gvcasinos.ini
c:\windows\system32\1081827863.dat
c:\windows\system32\3774464551.dat
c:\windows\system32\404Fix.exe
c:\windows\system32\995175899.dat
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\decr_step1.bin
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\w32pscl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_USNJSVC
-------\Service_usnjsvc


((((((((((((((((((((((((( Files Created from 2010-08-16 to 2010-09-16 )))))))))))))))))))))))))))))))
.

2010-09-15 22:21 . 2010-09-15 22:21 -------- dc----w- c:\documents and settings\NetworkService\Application Data\McAfee.com Personal Firewall
2010-09-14 08:34 . 2010-09-14 08:34 -------- d-----w- c:\program files\OpenXML-ODF Translator
2010-09-09 14:44 . 2010-09-09 14:44 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-31 20:56 . 2010-08-31 20:56 -------- dc----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-25 21:13 . 2010-08-25 21:13 -------- dcsh--w- c:\documents and settings\LocalService\IETldCache
2010-08-19 08:05 . 2010-09-15 08:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-18 15:02 . 2010-08-18 15:02 59840 ----a-w- c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-18 14:18 . 2010-08-18 14:32 -------- dc----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-18 14:18 . 2010-08-18 14:18 -------- d-----w- c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-16 10:02 . 2007-08-14 16:13 -------- dc----w- c:\documents and settings\Rob\Application Data\Hotiic
2010-09-15 22:27 . 2010-01-21 12:09 -------- dc----w- c:\documents and settings\Rob\Application Data\HPAppData
2010-09-15 08:19 . 2010-09-15 08:19 452104 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\setup.exe
2010-09-14 20:49 . 2006-08-09 01:42 -------- dc----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-09 14:30 . 2006-04-15 05:29 -------- dc----w- c:\documents and settings\Rob\Application Data\Tydee
2010-09-07 10:45 . 2006-07-25 08:48 -------- dc----w- c:\documents and settings\Rob\Application Data\Heotdo
2010-08-23 09:38 . 2005-07-19 22:05 -------- dc----w- c:\documents and settings\Rob\Application Data\AdobeUM
2010-08-18 07:50 . 2005-12-08 00:17 -------- d-----w- c:\program files\Google
2010-08-09 15:51 . 2010-08-09 15:51 26682864 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\rp\RealPlayerSPGold.exe
2010-08-09 15:51 . 2010-08-09 15:51 220272 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-08-09 15:51 . 2010-08-09 15:51 149000 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\chr_helper\LaunchHelper.exe
2010-08-09 15:51 . 2010-08-09 15:50 13407072 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\chr\ChromeInstaller.exe
2010-08-09 15:50 . 2010-08-09 15:50 79368 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\RUP\vista.exe
2010-08-09 15:50 . 2010-08-09 15:50 73344 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\RUP\inst_config\gtapi_v6.dll
2010-08-09 15:50 . 2010-08-09 15:50 64000 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\RUP\inst_config\gcapi_dll.dll
2010-08-09 15:50 . 2010-08-09 15:50 52288 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\RUP\inst_config\gtapi.dll
2010-08-09 15:50 . 2010-08-09 15:50 122880 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\RUP\inst_config\compat.dll
2010-07-28 23:31 . 2010-07-28 23:12 193359 ----a-w- c:\windows\hpoins46.dat
2010-07-28 23:18 . 2010-01-21 11:34 -------- d-----w- c:\program files\HP
2010-07-27 20:34 . 2010-07-27 20:34 -------- d-----w- c:\program files\Nectar Search Toolbar
2010-07-27 17:45 . 2010-07-27 17:45 -------- dc----w- c:\documents and settings\Rob\Application Data\TP
2010-07-18 22:48 . 2010-07-18 22:48 -------- d-----w- c:\program files\IrfanView
2010-06-30 12:31 . 2004-08-04 05:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 05:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 05:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-04 16:25 . 2010-05-04 16:25 2131808 ----a-w- c:\program files\avg_free_stb_all_9_114_cnet.exe
2006-05-06 12:01 . 2006-05-06 11:21 2198143 ----a-w- c:\program files\AiRoboForm-sscou.exe
2005-12-08 00:17 . 2005-12-08 00:11 11817800 ----a-w- c:\program files\GoogleEarthSetup.exe
2005-01-26 17:00 . 2005-01-26 16:59 700928 ----a-w- c:\program files\Sunny.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-09 68856]
"I&F Viewer toolbar"="c:\program files\Photo Toolkit\ivbar\phototoolkitmem.exe" [2006-10-27 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 122880]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 163840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-09 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-03-24 1380352]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-09-27 610304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-31 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"rmoc3260.dll OCX"="c:\windows\system32\rmoc3260.dll" [2007-09-13 185688]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
behu.exe [2010-9-15 139264]

c:\documents and settings\Rob\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-8-12 390432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-16 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-19 525640]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
cokizi.exe [2010-9-15 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 06:55 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SEOLinkVine]
2010-05-10 16:27 1359360 ----a-w- c:\program files\SEOLinkVine\SEO LinkVine Ranker.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe"
"MCAgentExe"=c:\progra~1\mcafee.com\agent\mcagent.exe
"MCUpdateExe"=c:\progra~1\mcafee.com\agent\McUpdate.exe
"dla"=c:\windows\system32\dla\tfswctrl.exe
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Rob\\Desktop\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\SimpleCenter\\Home Media Server.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"46419:TCP"= 46419:TCP:Skype1
"443:TCP"= 443:TCP:Skype3
"59309:TCP"= 59309:TCP:Service
"59319:TCP"= 59319:TCP:Service
"18892:TCP"= 18892:TCP:Service
"25253:TCP"= 25253:TCP:Service
"29029:TCP"= 29029:TCP:Service
"15556:TCP"= 15556:TCP:Service
"29259:TCP"= 29259:TCP:Service
"29488:TCP"= 29488:TCP:Service
"32968:TCP"= 32968:TCP:Service
"24332:TCP"= 24332:TCP:Service
"20318:TCP"= 20318:TCP:Service
"35967:TCP"= 35967:TCP:Service
"29079:TCP"= 29079:TCP:Service
"37586:TCP"= 37586:TCP:Service
"21301:TCP"= 21301:TCP:Service
"30303:TCP"= 30303:TCP:Service
"33576:TCP"= 33576:TCP:Service
"15817:TCP"= 15817:TCP:Service
"15458:TCP"= 15458:TCP:Service
"17224:TCP"= 17224:TCP:Service
"30859:TCP"= 30859:TCP:Service
"35039:TCP"= 35039:TCP:Service
"25302:TCP"= 25302:TCP:Service
"34522:TCP"= 34522:TCP:Service
"26956:TCP"= 26956:TCP:Service
"36028:TCP"= 36028:TCP:Service
"19946:TCP"= 19946:TCP:Service
"18016:TCP"= 18016:TCP:Service
"35603:TCP"= 35603:TCP:Service
"20490:TCP"= 20490:TCP:Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 135664]
R2 lanmanworkstationhpqcxs08;Workstation lanmanworkstationhpqcxs08;đ%€|x srv [x]
R2 McShield Driver HPZ12;McAfee.com McShield McShield Driver HPZ12;đ%€|x srv [x]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe [2008-04-14 14336]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2002-03-13 23296]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-09-03 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 14:53]

2010-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-09-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 22:42]

2010-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 23:22]

2010-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 23:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google AdSense Preview Tool - http://pagead2.googl...en/preview.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} - hxxp://www.luckynugget.com/download_helper/Nyoko.cab
DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - hxxp://www.surveys.com/promptcast/Installs/SURVEYS.COM%20PROMPTCAST%20SETUP.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-Gadwin PrintScreen - c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe
HKCU-Run-Ghuripenoxokexaq - c:\windows\w32pscl.dll
HKCU-Run-{D5AC3C3C-64B6-C9D9-FACF-AC0285B801BA} - c:\documents and settings\Rob\Application Data\Hotiic\gyraz.exe
MSConfigStartUp-Antivirus - c:\program files\AnVi\avt.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
AddRemove-Convert Image To PDF_is1 - c:\program files\Softinterface
AddRemove-Dell Photo Printer 720 - c:\windows\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-16 11:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstationhpqcxs08]
"ImagePath"="đ%€|x\01\0c srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McShield Driver HPZ12]
"ImagePath"="đ%€|x\01\0c srv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):cd,be,90,5f,a7,6f,84,d4,32,50,2d,03,71,3c,c1,02,1f,a4,4f,26,60,
6e,ce,29,2d,4c,d7,13,86,39,b4,8d,f5,36,89,9b,9f,50,fe,7f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7aba9f07-ad0f-48f9-bb30-4d5a0abe3dc2}]
@Denied: (Full) (Everyone)
"Model"=dword:0000013f
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,ab,9e,50,1b,eb,77,d1,ab,b5,66,4a,d0,23,02,d0,61,75,31,85,e2,32,10,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(1688)
c:\windows\system32\WININET.dll
c:\program files\Photo Toolkit\ivbar\ivbarhk.dll
c:\program files\Photo Toolkit\ivbar\ivbar.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\1XConfig.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\progra~1\mcafee.com\agent\mctskshd.exe
c:\progra~1\mcafee.com\vso\mcvsrte.exe
c:\progra~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\windows\system32\RegSrvc.exe
c:\windows\system32\tcpsvcs.exe
c:\progra~1\mcafee.com\vso\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\windows\system32\imapi.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-16 11:18:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-16 10:18

Pre-Run: 30,296,281,088 bytes free
Post-Run: 29,822,095,360 bytes free

- - End Of File - - BA8352D9F4E2B91CE3BB4C6317969C41
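
The two services in the log above (lanmanworkstationhpqcxs08 and McShield Driver HPZ12) are the kind of thing a script can pick out of a ComboFix log without having to eyeball every line: their ImagePath is garbage bytes rather than a path, ComboFix marks the file as missing with [x], and each name is two legitimate service names from this machine stuck together. The following is an added example, written for this thread and not part of ComboFix or anything the helper posted; it parses ComboFix's "R2 name;display;path [date size]" lines and reports those signs. The sample log lines are constructed from the ones shown above, and KNOWN_NAMES is an assumed list of service names taken from this log (on another host you would build it from that host's own service list).

```python
"""Triage ComboFix service lines for services with a bogus ImagePath.

Added example for the thread above (not ComboFix code). It flags services
whose ImagePath is not a path, whose file is missing ('[x]'), or whose name
glues two legitimate service names together.
"""
import re
from dataclasses import dataclass

# Constructed sample, copied in form from the service block of the log above.
SAMPLE = r"""
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 135664]
R2 lanmanworkstationhpqcxs08;Workstation lanmanworkstationhpqcxs08;đ%€|x srv [x]
R2 McShield Driver HPZ12;McAfee.com McShield McShield Driver HPZ12;đ%€|x srv [x]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe [2008-04-14 14336]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2002-03-13 23296]
"""

# Assumed list of legitimate service/driver names present on this host (taken
# from the log). A rogue name that contains two of them is a naming decoy.
KNOWN_NAMES = ("lanmanworkstation", "mcshield", "hpqcxs08", "hpz12", "iprip", "naifiltr")

# ComboFix line: "<state> <name>;<display name>;<image path> [<date size> | x]"
LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")
# A usable image path starts with a drive letter, a UNC prefix or a root slash.
PATH_RE = re.compile(r"^(?:[a-z]:\\|\\\\|\\)", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    reasons: tuple


def parse_line(line):
    """Split one ComboFix service line into its fields, or None if not a service line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    state, name, display, image, stamp = m.groups()
    return {"state": state, "name": name, "display": display, "image": image, "stamp": stamp}


def suspicious_reasons(svc):
    """Return the reasons a parsed service looks rogue (empty tuple if it looks fine)."""
    reasons = []
    image = svc["image"]
    if svc["stamp"] == "x":
        reasons.append("file not found ([x])")
    if not PATH_RE.match(image):
        reasons.append("ImagePath is not a path")
    if any(ord(c) < 32 or ord(c) > 126 for c in image):
        reasons.append("ImagePath contains non-printable or non-ASCII bytes")
    lowered = svc["name"].lower().replace(" ", "")
    hits = [k for k in KNOWN_NAMES if k in lowered]
    if len(hits) >= 2:
        reasons.append("name glues legitimate names together: " + "+".join(hits))
    return tuple(reasons)


def triage(text):
    """Parse every service line in a ComboFix log excerpt and return the suspicious ones."""
    findings = []
    for line in text.splitlines():
        svc = parse_line(line)
        if svc is None:
            continue
        reasons = suspicious_reasons(svc)
        if reasons:
            findings.append(Finding(svc["name"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.name)
        for r in f.reasons:
            print("   -", r)
```

Run against the sample it reports exactly the two rogue services, each with all four reasons, and nothing for the svchost-hosted entries such as Iprip. The "two known names in one name" check is the one most worth keeping: it catches this family's habit of hiding among real HP and McAfee services even when the ImagePath has been repaired to look plausible.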

#4 Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\Rob\Application Data\Hotiic
c:\documents and settings\Rob\Application Data\Heotdo

File::
c:\program files\Sunny.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\behu.exe
c:\windows\system32\rmoc3260.dll
c:\documents and settings\Default User\Start Menu\Programs\Startup\cokizi.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59309:TCP"=-
"59319:TCP"=-
"18892:TCP"=-
"25253:TCP"=-
"29029:TCP"=-
"15556:TCP"=-
"29259:TCP"=-
"29488:TCP"=-
"32968:TCP"=-
"24332:TCP"=-
"20318:TCP"=-
"35967:TCP"=-
"29079:TCP"=-
"37586:TCP"=-
"21301:TCP"=-
"30303:TCP"=-
"33576:TCP"=-
"15817:TCP"=-
"15458:TCP"=-
"17224:TCP"=-
"30859:TCP"=-
"35039:TCP"=-
"25302:TCP"=-
"34522:TCP"=-
"26956:TCP"=-
"36028:TCP"=-
"19946:TCP"=-
"18016:TCP"=-
"35603:TCP"=-
"20490:TCP"=-

Driver::
lanmanworkstationhpqcxs08
McShield Driver HPZ12



Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
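
The Registry:: part of the CFScript above removes thirty firewall openings on random high TCP ports. The rule the helper applied by hand (high port, no recognisable owner, lots of them at once) is simple enough to script, and it is worth having as a script because the same malware family tends to re-add them. The following is an added example written for this thread; it is not part of ComboFix and not something the helper posted. It parses the GloballyOpenPorts lines in the format ComboFix prints them in (as in the "Reg Loading Points" section of the log further down), flags unexplained high-port openings, and emits the matching Registry:: section of a CFScript using the same "=-" deletion syntax. The sample is constructed: the four legitimate entries copy the ones in the log, the rogue ones reuse port numbers from the CFScript but their description text ("tcp") is an assumption, since the original entries are not shown on this page. KNOWN_OWNERS is likewise an assumed allowlist for this host.

```python
"""Triage of the XP firewall GloballyOpenPorts list as ComboFix prints it.

Added example for the thread above (not a ComboFix feature). Parses lines of
the form   "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping , flags
high-numbered openings with no recognised owner, and writes the Registry::
section of a CFScript that deletes them.
"""
import re

# Constructed sample: first four lines copy the log's format and content, the
# rest reuse ports from the CFScript above with an assumed description "tcp".
SAMPLE = '''\
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"46419:TCP"= 46419:TCP:Skype1
"443:TCP"= 443:TCP:Skype3
"59309:TCP"= 59309:TCP:tcp
"59319:TCP"= 59319:TCP:tcp
"18892:TCP"= 18892:TCP:tcp
"25253:TCP"= 25253:TCP:tcp
"29029:TCP"= 29029:TCP:tcp
'''

# Assumed allowlist: owners that may legitimately hold a high port open here.
KNOWN_OWNERS = ("windows peer-to-peer grouping",
                "peer name resolution protocol (pnrp)",
                "skype")
HIGH_PORT = 10000   # below this, assume a service someone installed on purpose
BURST = 5           # this many unexplained high ports at once is a strong signal

FIREWALL_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"
ENTRY_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(\d+):(TCP|UDP)(?::(.*))?$')


def parse_entries(text):
    """Return (port, proto, description) for every GloballyOpenPorts line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        port, proto, _port_again, _proto_again, desc = m.groups()
        entries.append((int(port), proto, (desc or "").strip()))
    return entries


def is_known_owner(desc):
    d = desc.lower()
    return any(d.startswith(k) for k in KNOWN_OWNERS)


def flag_entries(entries):
    """Keep only high-port openings whose description is not on the allowlist."""
    return [e for e in entries if e[0] >= HIGH_PORT and not is_known_owner(e[2])]


def cfscript_registry_section(flagged):
    """Emit a CFScript Registry:: block that deletes each flagged value ('=-' syntax)."""
    lines = ["Registry::", FIREWALL_KEY]
    lines += ['"%d:%s"=-' % (port, proto) for port, proto, _ in flagged]
    return "\n".join(lines) + "\n"


def triage(text):
    entries = parse_entries(text)
    flagged = flag_entries(entries)
    return {"entries": len(entries),
            "flagged": flagged,
            "burst": len(flagged) >= BURST,
            "script": cfscript_registry_section(flagged)}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("%d entries, %d flagged, burst=%s" % (result["entries"], len(result["flagged"]), result["burst"]))
    print(result["script"])
```

Two caveats a practitioner would add. First, the allowlist is what keeps the Skype entry on port 46419 from being deleted; a port threshold on its own would throw out real programs, so review the output rather than feeding it straight to ComboFix. Second, the log further down shows "EnableFirewall"= 0 on this machine, so the openings only matter once the firewall is switched back on; cleaning them is still right, because the moment it is re-enabled the malware's listeners would otherwise be reachable again.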

#5 Calebio
    New Member
  • Topic Starter
  • Member
  • 3 posts
Thanks again. The new ComboFix log is below.

I downloaded and ran the HelpAsst_mebroot_fix.exe but it doesn't seem to work. It says

'HelpAssistant profile not found

Press any key to continue...'


It then says:

'user & KERNEL MBR OK

The tool has completed

Press any key to continue...'


The window then closes and I don't get a log file or anything.

I then carried on with the instructions and got a log file from running helpasst -mbrt and this is pasted below the CFScript log.




Log file from CFScript.txt

ComboFix 10-09-15.01 - Rob 18/09/2010 13:32:58.3.1 - x86 NETWORK
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rob\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\documents and settings\Default User\Start Menu\Programs\Startup\cokizi.exe"
"c:\documents and settings\Guest\Start Menu\Programs\Startup\behu.exe"
"c:\program files\Sunny.exe"
"c:\windows\system32\rmoc3260.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Default User\Start Menu\Programs\Startup\cokizi.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\behu.exe
c:\documents and settings\Rob\Application Data\Heotdo
c:\documents and settings\Rob\Application Data\Heotdo\uffua.tmp
c:\documents and settings\Rob\Application Data\Heotdo\uffua.zaa
c:\documents and settings\Rob\Application Data\Hotiic
c:\program files\Sunny.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LANMANWORKSTATIONHPQCXS08
-------\Legacy_MCSHIELD_DRIVER_HPZ12
-------\Service_lanmanworkstationhpqcxs08
-------\Service_McShield Driver HPZ12


((((((((((((((((((((((((( Files Created from 2010-08-18 to 2010-09-18 )))))))))))))))))))))))))))))))
.

2010-09-15 22:21 . 2010-09-15 22:21 -------- dc----w- c:\documents and settings\NetworkService\Application Data\McAfee.com Personal Firewall
2010-09-14 08:34 . 2010-09-14 08:34 -------- d-----w- c:\program files\OpenXML-ODF Translator
2010-09-09 14:44 . 2010-09-09 14:44 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-31 20:56 . 2010-08-31 20:56 -------- dc----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-25 21:13 . 2010-08-25 21:13 -------- dcsh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 11:56 . 2010-01-21 12:09 -------- dc----w- c:\documents and settings\Rob\Application Data\HPAppData
2010-09-15 08:19 . 2010-09-15 08:19 452104 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\setup.exe
2010-09-15 08:16 . 2010-08-19 08:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-14 20:49 . 2006-08-09 01:42 -------- dc----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-09 14:30 . 2006-04-15 05:29 -------- dc----w- c:\documents and settings\Rob\Application Data\Tydee
2010-08-23 09:38 . 2005-07-19 22:05 -------- dc----w- c:\documents and settings\Rob\Application Data\AdobeUM
2010-08-18 15:02 . 2010-08-18 15:02 59840 ----a-w- c:\documents and settings\Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-18 14:32 . 2010-08-18 14:18 -------- dc----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-18 14:18 . 2010-08-18 14:18 -------- d-----w- c:\program files\NOS
2010-08-18 07:50 . 2005-12-08 00:17 -------- d-----w- c:\program files\Google
2010-08-09 15:51 . 2010-08-09 15:51 26682864 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\rp\RealPlayerSPGold.exe
2010-08-09 15:51 . 2010-08-09 15:51 220272 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-08-09 15:51 . 2010-08-09 15:51 149000 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\chr_helper\LaunchHelper.exe
2010-08-09 15:51 . 2010-08-09 15:50 13407072 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\chr\ChromeInstaller.exe
2010-08-09 15:50 . 2010-08-09 15:50 79368 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\RUP\vista.exe
2010-08-09 15:50 . 2010-08-09 15:50 73344 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\RUP\inst_config\gtapi_v6.dll
2010-08-09 15:50 . 2010-08-09 15:50 64000 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\RUP\inst_config\gcapi_dll.dll
2010-08-09 15:50 . 2010-08-09 15:50 52288 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\RUP\inst_config\gtapi.dll
2010-08-09 15:50 . 2010-08-09 15:50 122880 -c--a-w- c:\documents and settings\Rob\Application Data\Real\Update\setup3.12\RUP\inst_config\compat.dll
2010-07-28 23:31 . 2010-07-28 23:12 193359 ----a-w- c:\windows\hpoins46.dat
2010-07-28 23:18 . 2010-01-21 11:34 -------- d-----w- c:\program files\HP
2010-07-27 20:34 . 2010-07-27 20:34 -------- d-----w- c:\program files\Nectar Search Toolbar
2010-07-27 17:45 . 2010-07-27 17:45 -------- dc----w- c:\documents and settings\Rob\Application Data\TP
2010-06-30 12:31 . 2004-08-04 05:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 05:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 05:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 05:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-04 16:25 . 2010-05-04 16:25 2131808 ----a-w- c:\program files\avg_free_stb_all_9_114_cnet.exe
2006-05-06 12:01 . 2006-05-06 11:21 2198143 ----a-w- c:\program files\AiRoboForm-sscou.exe
2005-12-08 00:17 . 2005-12-08 00:11 11817800 ----a-w- c:\program files\GoogleEarthSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-09 68856]
"I&F Viewer toolbar"="c:\program files\Photo Toolkit\ivbar\phototoolkitmem.exe" [2006-10-27 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 122880]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 163840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-09 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2004-03-24 1380352]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-09-27 610304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-31 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"rmoc3260.dll OCX"="c:\windows\system32\rmoc3260.dll" [2007-09-13 185688]

c:\documents and settings\Rob\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-8-12 390432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-16 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-19 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 06:55 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SEOLinkVine]
2010-05-10 16:27 1359360 ----a-w- c:\program files\SEOLinkVine\SEO LinkVine Ranker.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe"
"MCAgentExe"=c:\progra~1\mcafee.com\agent\mcagent.exe
"MCUpdateExe"=c:\progra~1\mcafee.com\agent\McUpdate.exe
"dla"=c:\windows\system32\dla\tfswctrl.exe
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Rob\\Desktop\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\SimpleCenter\\Home Media Server.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"46419:TCP"= 46419:TCP:Skype1
"443:TCP"= 443:TCP:Skype3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 135664]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe [2008-04-14 14336]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2002-03-13 23296]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-09-17 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 14:53]

2010-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-09-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 22:42]

2010-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 23:22]

2010-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 23:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google AdSense Preview Tool - http://pagead2.googl...en/preview.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} - hxxp://www.luckynugget.com/download_helper/Nyoko.cab
DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - hxxp://www.surveys.com/promptcast/Installs/SURVEYS.COM%20PROMPTCAST%20SETUP.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-18 13:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):cd,be,90,5f,a7,6f,84,d4,32,50,2d,03,71,3c,c1,02,1f,a4,4f,26,60,
6e,ce,29,2d,4c,d7,13,86,39,b4,8d,f5,36,89,9b,9f,50,fe,7f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7aba9f07-ad0f-48f9-bb30-4d5a0abe3dc2}]
@Denied: (Full) (Everyone)
"Model"=dword:0000013f
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,ab,9e,50,1b,eb,77,d1,ab,b5,66,4a,d0,23,02,d0,61,75,31,85,e2,32,10,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(1064)
c:\windows\system32\WININET.dll
c:\program files\Photo Toolkit\ivbar\ivbarhk.dll
c:\program files\Photo Toolkit\ivbar\ivbar.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\msi.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\1XConfig.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\progra~1\mcafee.com\agent\mctskshd.exe
c:\progra~1\mcafee.com\vso\mcvsrte.exe
c:\progra~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\windows\system32\RegSrvc.exe
c:\windows\system32\tcpsvcs.exe
c:\progra~1\mcafee.com\vso\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\windows\system32\imapi.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-18 13:57:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-18 12:57
ComboFix2.txt 2010-09-16 10:18

Pre-Run: 30,290,382,848 bytes free
Post-Run: 29,753,782,272 bytes free

- - End Of File - - 773AB488557B6138B53FA0E816FBB477




Log file from helpasst -mbrt

C:\Documents and Settings\Rob\Desktop\HelpAsst_mebroot_fix.exe
18/09/2010 at 14:02:12.84

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 18/09/2010 at 14:15:09.51

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
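
The helpasst log above ends with "user: MBR read successfully ... kernel: MBR read successfully ... user & kernel MBR OK". What that check does is read sector 0 of the disk twice, once through the ordinary user-mode path and once from inside the kernel, and compare them: an MBR bootkit of the Mebroot/Sinowal type filters disk reads so that user-mode tools see the original, clean boot code while the sector actually on disk is the infected one. The following is an added example, not code from the thread or from Gmer's tool, that shows what such a comparison inspects: it parses a 512-byte MBR (boot code, the four-entry partition table at offset 446, the 0x55AA signature at offset 510) and reports which region differs between two reads. Both MBR images are constructed inline; the "kernel" view differs only in the boot code, which is the pattern a bootkit produces, since it keeps the partition table intact so the system still boots.

```python
"""Parse a 512-byte MBR and compare two reads of it.

Added example for the thread above (not Gmer's mbr tool). It validates the
boot signature, lists partition entries, and tells which region (boot code,
partition table, signature) differs between a user-mode and a kernel-mode
read of sector 0.
"""
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446        # partition table: four 16-byte entries start here
ENTRY_SIZE = 16
SIG_OFFSET = 510       # 0x55AA boot signature lives in the last two bytes
BOOT_SIG = b"\x55\xAA"


def parse_mbr(sector):
    """Return signature validity, a hash of the boot code, and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_SIZE
        boot, _chs_first, ptype, _chs_last, lba_start, nsectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype != 0:
            parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": nsectors})
    return {
        "signature_ok": sector[SIG_OFFSET:SIG_OFFSET + 2] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
        "partitions": parts,
    }


def compare_mbr(user_read, kernel_read):
    """List the MBR regions where the two 512-byte reads disagree (empty list = OK)."""
    diffs = []
    if user_read[:PT_OFFSET] != kernel_read[:PT_OFFSET]:
        diffs.append("boot code")
    if user_read[PT_OFFSET:SIG_OFFSET] != kernel_read[PT_OFFSET:SIG_OFFSET]:
        diffs.append("partition table")
    if user_read[SIG_OFFSET:] != kernel_read[SIG_OFFSET:]:
        diffs.append("signature")
    return diffs


def build_sample_mbr(boot_code):
    """Constructed sample MBR: given boot code, one bootable NTFS (type 0x07) partition at LBA 63."""
    code = boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 60000000)
    table = entry + b"\x00" * (ENTRY_SIZE * 3)
    return code + table + BOOT_SIG


# Two constructed reads. The "user" view starts with the usual XP boot code
# prologue (xor ax,ax / mov ss,ax / mov sp,7C00h); the "kernel" view has
# different boot code and the same partition table, as a hidden bootkit would.
USER_VIEW = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")
KERNEL_VIEW = build_sample_mbr(b"\xEB\x3E\x90")


if __name__ == "__main__":
    info = parse_mbr(USER_VIEW)
    print("signature ok:", info["signature_ok"])
    for p in info["partitions"]:
        print("partition %d: type 0x%02x, LBA %d, %d sectors, bootable=%s"
              % (p["index"], p["type"], p["lba_start"], p["sectors"], p["bootable"]))
    diffs = compare_mbr(USER_VIEW, KERNEL_VIEW)
    print("user & kernel MBR " + ("OK" if not diffs else "DIFFER in: " + ", ".join(diffs)))
```

To get the user-mode view of a real disk on Windows you would open \\.\PhysicalDrive0 as an administrator and read the first 512 bytes; the kernel-side read that Gmer's tool performs needs a driver and is exactly the part a script cannot reproduce, which is why the thread uses the tool rather than a raw sector dump. A mismatch confined to "boot code" is the bootkit signature; a difference in the partition table usually means a different problem (or that the two reads were not of the same disk).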

#6 Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click on Minimal Output at the top
  • Download the following file scan.txt to your Desktop. Click here to download it. You may need to right click on it and select "Save"
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
  • Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic






