multiple browser issue, certain pages wont open aswell as dobe reader

This topic is locked
#31 Satchfan (Trusted Helper, Malware Removal, 585 posts)
I need to see the first log where you said an item was deleted. I need to know what was deleted.

A copy of the log will be saved automatically to the root of the drive (typically C:\) called TDSSKiller_*** (*** denotes version & date)
#32 Wig86 (Topic Starter, Member, 26 posts)
Oops, sorry, wrong log. The log you requested is:

2011/07/18 13:26:23.0062 3548 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/18 13:26:24.0140 3548 ================================================================================
2011/07/18 13:26:24.0140 3548 SystemInfo:
2011/07/18 13:26:24.0140 3548
2011/07/18 13:26:24.0140 3548 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/18 13:26:24.0140 3548 Product type: Workstation
2011/07/18 13:26:24.0140 3548 ComputerName: NICOLA-86150
2011/07/18 13:26:24.0140 3548 UserName: Nicola Scullion
2011/07/18 13:26:24.0140 3548 Windows directory: C:\WINDOWS
2011/07/18 13:26:24.0140 3548 System windows directory: C:\WINDOWS
2011/07/18 13:26:24.0140 3548 Processor architecture: Intel x86
2011/07/18 13:26:24.0140 3548 Number of processors: 2
2011/07/18 13:26:24.0140 3548 Page size: 0x1000
2011/07/18 13:26:24.0140 3548 Boot type: Normal boot
2011/07/18 13:26:24.0140 3548 ================================================================================
2011/07/18 13:26:29.0437 3548 Initialize success
2011/07/18 13:26:32.0750 2760 ================================================================================
2011/07/18 13:26:32.0750 2760 Scan started
2011/07/18 13:26:32.0750 2760 Mode: Manual;
2011/07/18 13:26:32.0750 2760 ================================================================================
2011/07/18 13:26:35.0312 2760 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/18 13:26:35.0390 2760 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/18 13:26:35.0656 2760 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/18 13:26:35.0718 2760 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/07/18 13:26:36.0562 2760 ApfiltrService (3ed81e8b4709d13e5a38db2d8e792b28) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/07/18 13:26:36.0937 2760 AR5211 (78e15866befe8b940046c36ba92f9eb6) C:\WINDOWS\system32\DRIVERS\ar5211.sys
2011/07/18 13:26:37.0140 2760 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/07/18 13:26:37.0671 2760 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/18 13:26:37.0843 2760 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/18 13:26:38.0046 2760 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/18 13:26:38.0171 2760 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/18 13:26:38.0578 2760 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/18 13:26:39.0125 2760 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/18 13:26:39.0312 2760 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/18 13:26:39.0406 2760 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/18 13:26:39.0640 2760 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/18 13:26:39.0890 2760 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/07/18 13:26:40.0125 2760 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/07/18 13:26:40.0515 2760 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/18 13:26:40.0875 2760 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/18 13:26:41.0234 2760 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/18 13:26:41.0421 2760 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/18 13:26:41.0703 2760 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/18 13:26:41.0968 2760 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/18 13:26:42.0312 2760 e1express (da1d21bb7d9b06c64275564f8e86c94e) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/07/18 13:26:42.0546 2760 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/18 13:26:42.0906 2760 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/07/18 13:26:43.0062 2760 FdRedir (3314f3134ac59771a133a0cd3d343fff) C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys
2011/07/18 13:26:43.0109 2760 FileDisk2 (7b33f094a7a42a0225c344f5b25b1b05) C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys
2011/07/18 13:26:43.0406 2760 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/18 13:26:43.0531 2760 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/07/18 13:26:43.0843 2760 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/18 13:26:43.0953 2760 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/18 13:26:44.0109 2760 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/18 13:26:44.0187 2760 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/07/18 13:26:44.0265 2760 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/18 13:26:44.0343 2760 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/07/18 13:26:44.0625 2760 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/18 13:26:44.0718 2760 hitmanpro35 (6022645993a89434332569e1dd9f009b) C:\WINDOWS\system32\drivers\hitmanpro35.sys
2011/07/18 13:26:45.0125 2760 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/18 13:26:45.0515 2760 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/18 13:26:46.0515 2760 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/07/18 13:26:47.0312 2760 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\drivers\iaStor.sys
2011/07/18 13:26:47.0421 2760 IFXTPM (0b556e950404d90d097c687e65238730) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
2011/07/18 13:26:47.0468 2760 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/18 13:26:47.0703 2760 IntcAzAudAddService (e37589414437a60797e94c0f57c546db) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/07/18 13:26:47.0890 2760 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/18 13:26:47.0937 2760 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/18 13:26:47.0968 2760 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/18 13:26:48.0031 2760 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/18 13:26:48.0093 2760 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/18 13:26:48.0156 2760 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/18 13:26:48.0234 2760 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/18 13:26:48.0312 2760 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/18 13:26:48.0390 2760 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/18 13:26:48.0421 2760 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/07/18 13:26:48.0453 2760 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/18 13:26:48.0500 2760 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/18 13:26:48.0640 2760 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/18 13:26:48.0718 2760 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/18 13:26:48.0750 2760 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/18 13:26:48.0796 2760 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/18 13:26:48.0828 2760 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/18 13:26:48.0968 2760 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/18 13:26:49.0062 2760 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/18 13:26:49.0140 2760 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/18 13:26:49.0234 2760 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/18 13:26:49.0281 2760 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/18 13:26:49.0328 2760 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/18 13:26:49.0375 2760 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/18 13:26:49.0406 2760 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/18 13:26:49.0484 2760 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/18 13:26:49.0578 2760 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/18 13:26:49.0593 2760 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/18 13:26:49.0640 2760 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/18 13:26:49.0828 2760 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/18 13:26:50.0046 2760 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/18 13:26:50.0187 2760 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/18 13:26:50.0484 2760 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
2011/07/18 13:26:50.0906 2760 NETw4x32 (12b0d99865434387f784268b70e23360) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
2011/07/18 13:26:51.0468 2760 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/07/18 13:26:51.0515 2760 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/18 13:26:51.0562 2760 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/18 13:26:51.0937 2760 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/18 13:26:52.0031 2760 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/18 13:26:52.0406 2760 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/18 13:26:52.0578 2760 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/07/18 13:26:52.0921 2760 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/07/18 13:26:53.0031 2760 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/18 13:26:53.0328 2760 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/18 13:26:53.0468 2760 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/18 13:26:53.0781 2760 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/18 13:26:53.0968 2760 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/07/18 13:26:54.0953 2760 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/18 13:26:55.0046 2760 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/18 13:26:55.0125 2760 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/18 13:26:55.0390 2760 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/07/18 13:26:55.0937 2760 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/18 13:26:56.0140 2760 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/18 13:26:56.0250 2760 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/18 13:26:56.0359 2760 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/18 13:26:56.0453 2760 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/18 13:26:56.0500 2760 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/18 13:26:56.0875 2760 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/18 13:26:57.0000 2760 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/18 13:26:57.0109 2760 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/18 13:26:57.0187 2760 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/07/18 13:26:57.0343 2760 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/07/18 13:26:57.0484 2760 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/18 13:26:57.0546 2760 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/18 13:26:57.0593 2760 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/18 13:26:57.0703 2760 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
2011/07/18 13:26:57.0906 2760 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
2011/07/18 13:26:58.0015 2760 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/18 13:26:58.0218 2760 smihlp (94eede27fd7d46707be49127922695a7) C:\Program Files\Protector Suite QL\smihlp.sys
2011/07/18 13:26:58.0390 2760 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/18 13:26:58.0515 2760 sptd (c4bb8a12843d9cbb65f5ff617f389bbd) C:\WINDOWS\system32\Drivers\sptd.sys
2011/07/18 13:26:58.0515 2760 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: c4bb8a12843d9cbb65f5ff617f389bbd
2011/07/18 13:26:58.0531 2760 sptd - detected LockedFile.Multi.Generic (1)
2011/07/18 13:26:58.0875 2760 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/18 13:26:58.0953 2760 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/18 13:26:59.0125 2760 StarOpen (306521935042fc0a6988d528643619b3) C:\WINDOWS\system32\drivers\StarOpen.sys
2011/07/18 13:26:59.0203 2760 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/18 13:26:59.0281 2760 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/18 13:26:59.0515 2760 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/18 13:26:59.0609 2760 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/18 13:26:59.0750 2760 TcUsb (fc6fe02f400308606a911640e72326b5) C:\WINDOWS\system32\Drivers\tcusb.sys
2011/07/18 13:26:59.0828 2760 tdcmdpst (2f8bfbdb5824c71f672779b4b8cf8b01) C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys
2011/07/18 13:26:59.0953 2760 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/18 13:27:00.0046 2760 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/18 13:27:00.0171 2760 tdudf (f56a9327c58ff985616c5e197472932c) C:\WINDOWS\system32\DRIVERS\tdudf.sys
2011/07/18 13:27:00.0265 2760 TEchoCan (65855534483d0c1330703100b31cac00) C:\WINDOWS\system32\DRIVERS\TEchoCan.sys
2011/07/18 13:27:00.0375 2760 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/18 13:27:00.0531 2760 Thpdrv (557cfdb7869499d357da1877ed93043f) C:\WINDOWS\system32\DRIVERS\thpdrv.sys
2011/07/18 13:27:00.0593 2760 Thpevm (681b0132a9e0ec12e674c2b2ae75e201) C:\WINDOWS\system32\DRIVERS\Thpevm.SYS
2011/07/18 13:27:00.0640 2760 tifm21 (e4c85c291ddb3dc5e4a2f227ca465ba6) C:\WINDOWS\system32\drivers\tifm21.sys
2011/07/18 13:27:00.0718 2760 TMEI3E (684bfb1e9abb05d3f48c53f3cd16a3e6) C:\WINDOWS\system32\Drivers\TMEI3E.SYS
2011/07/18 13:27:01.0000 2760 tosporte (90afa1a4451bbbee87c9f18a665d8121) C:\WINDOWS\system32\DRIVERS\tosporte.sys
2011/07/18 13:27:01.0046 2760 tosrfbd (51d7f024a66814f8bee33e4be394a03e) C:\WINDOWS\system32\DRIVERS\tosrfbd.sys
2011/07/18 13:27:01.0140 2760 tosrfbnp (74392bab3f0d4810da8436ec79d6955d) C:\WINDOWS\system32\Drivers\tosrfbnp.sys
2011/07/18 13:27:01.0296 2760 Tosrfcom (1ad9eb1b5abd0aeee4084c8153476f1e) C:\WINDOWS\system32\Drivers\tosrfcom.sys
2011/07/18 13:27:01.0390 2760 tosrfec (9ee240f7029771b21cc6200be6516d60) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
2011/07/18 13:27:01.0437 2760 Tosrfhid (a72a3473180f378cc07d342803ffd580) C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys
2011/07/18 13:27:01.0515 2760 tosrfnds (b2a1a6538245fd69578224bbf2fd4677) C:\WINDOWS\system32\DRIVERS\tosrfnds.sys
2011/07/18 13:27:01.0625 2760 tosrfusb (18dfbb06907c169bb54f6960b9f95367) C:\WINDOWS\system32\DRIVERS\tosrfusb.sys
2011/07/18 13:27:01.0734 2760 trudf (3f9ba8878aa26d0831116733f9bc53ff) C:\WINDOWS\system32\DRIVERS\trudf.sys
2011/07/18 13:27:01.0781 2760 TVALZ (73d3312955f805054e32fabdca5230b1) C:\WINDOWS\system32\DRIVERS\TVALZ.SYS
2011/07/18 13:27:01.0859 2760 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/18 13:27:02.0031 2760 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/18 13:27:02.0140 2760 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/07/18 13:27:02.0234 2760 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/18 13:27:02.0500 2760 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/18 13:27:02.0593 2760 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/18 13:27:02.0687 2760 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/18 13:27:02.0796 2760 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/18 13:27:02.0890 2760 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/18 13:27:02.0984 2760 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/18 13:27:03.0062 2760 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/18 13:27:03.0140 2760 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/18 13:27:03.0359 2760 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/18 13:27:03.0546 2760 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/18 13:27:03.0875 2760 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/07/18 13:27:04.0171 2760 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/18 13:27:04.0390 2760 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/18 13:27:04.0500 2760 MBR (0x1B8) (92923fc5e125114def8c7f7514afeb44) \Device\Harddisk0\DR0
2011/07/18 13:27:05.0171 2760 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk1\DR4
2011/07/18 13:27:05.0265 2760 Boot (0x1200) (18bb9d138fa81d98383cd3df88a47b62) \Device\Harddisk0\DR0\Partition0
2011/07/18 13:27:05.0296 2760 Boot (0x1200) (ca9e8760f1ae324fc92d3057cefac6c4) \Device\Harddisk0\DR0\Partition1
2011/07/18 13:27:05.0312 2760 Boot (0x1200) (41321b333076fbcebc886e156e5c175d) \Device\Harddisk1\DR4\Partition0
2011/07/18 13:27:05.0328 2760 ================================================================================
2011/07/18 13:27:05.0328 2760 Scan finished
2011/07/18 13:27:05.0328 2760 ================================================================================
2011/07/18 13:27:05.0343 3188 Detected object count: 1
2011/07/18 13:27:05.0343 3188 Actual detected object count: 1
2011/07/18 16:04:41.0218 3188 HKLM\SYSTEM\ControlSet001\services\sptd - will be deleted after reboot
2011/07/18 16:04:41.0218 3188 HKLM\SYSTEM\ControlSet003\services\sptd - will be deleted after reboot
2011/07/18 16:04:41.0234 3188 C:\WINDOWS\system32\Drivers\sptd.sys - will be deleted after reboot
2011/07/18 16:04:41.0234 3188 LockedFile.Multi.Generic(sptd) - User select action: Delete
2011/07/18 16:04:50.0765 0708 Deinitialize success

#33 Satchfan (Trusted Helper, Malware Removal, 585 posts)
Wig86

This infection seems to be blocking programs from running.

Download and run ComboFix

Download Combofix from another computer to a flash drive if necessary, but it must be transferred to the desktop of the infected computer.

Download it from either of the links below. You must rename it to 123abc before saving it.

Choose the location of where you are saving it, (flash drive or desktop). Change the save as file type to "all files"

**Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:

  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2


When all this is complete, transfer the program to the infected computer’s desktop, if necessary.

===================================================

Run Rkill.

Note: You may have to make repeated attempts to use Rkill several times before it will run as some malware variants try to block it.

If you get an alert that Rkill is infected, ignore it. The alert is a fake warning that is given if rogue software is present and it attempts to terminate tools that try to remove it. If you see such a warning, leave the warning on the screen and then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that Rkill can perform its routine.


===================================================

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.
  • Double click on the renamed ComboFix.exe & follow the prompts.

When finished, it will produce a report for you. Please post the C:\ComboFix.txt in your next reply.

Satchfan
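Once the ComboFix report comes back, the section to read first is "Reg Loading Points": that is where persistence shows up. Windows runs every comma-separated program in the Winlogon Userinit value at logon, before the shell, and every entry in Session Manager's BootExecute as a native program before any driver or anti-virus service starts, so an extra entry in either is a classic hijack. The following is an added example (my code, not ComboFix's and not the helper's) that parses that section and flags an altered Userinit or Shell, extra BootExecute entries, Run-key entries that start from user-writable directories, and the "SafeBoot registry key needs repairs" note. The sample is a constructed excerpt in ComboFix's format; the Userinit value mirrors the one in the report posted later in this thread, and the "Updater" Run entry is invented so the Run-key check has something to catch.

```python
import re

# Constructed excerpt in the format of ComboFix's "Reg Loading Points" section.
# The "Updater" entry is invented; the other lines mirror entries seen in real reports.
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"Updater"="c:\documents and settings\User\Local Settings\Temp\svchost.exe" [2011-07-18 210884]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\powgrvnf\xuoscywv.exe"
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                  # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')           # "name"="value" [date size]
MULTI_SZ_RE = re.compile(r"^(\w+) REG_MULTI_SZ (.*)$")   # BootExecute REG_MULTI_SZ a\0b

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
EXPECTED_BOOTEXECUTE = "autocheck autochk *"
# Directories an ordinary user can write to; a Run entry pointing there is unusual for real software.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")


def parse_loading_points(text: str) -> dict:
    """Map each registry key (lower-cased) to its list of (value name, data) pairs."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := SECTION_RE.match(line)):
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is None:
            continue
        elif (m := VALUE_RE.match(line)) or (m := MULTI_SZ_RE.match(line)):
            sections[current].append((m.group(1), m.group(2)))
    return sections


def check_winlogon(sections: dict) -> list:
    findings = []
    for key, values in sections.items():
        if not key.endswith("\\winlogon"):
            continue
        for name, value in values:
            if name.lower() == "userinit":
                # ComboFix prints the value verbatim; empty fields between commas are harmless.
                for entry in (e.strip() for e in value.split(",") if e.strip()):
                    if entry.lower() != EXPECTED_USERINIT:
                        findings.append(f"Userinit launches extra program: {entry}")
            elif name.lower() == "shell" and value.lower() != "explorer.exe":
                findings.append(f"Shell replaced: {value}")
    return findings


def check_bootexecute(sections: dict) -> list:
    findings = []
    for key, values in sections.items():
        if not key.endswith("\\session manager"):
            continue
        for name, value in values:
            if name.lower() != "bootexecute":
                continue
            for entry in value.split("\\0"):          # ComboFix renders the NUL separator as "\0"
                if entry and entry.lower() != EXPECTED_BOOTEXECUTE:
                    findings.append(f"BootExecute runs extra native program: {entry}")
    return findings


def check_run_keys(sections: dict) -> list:
    findings = []
    for key, values in sections.items():
        if not (key.endswith("\\run") or key.endswith("\\runonce")):
            continue
        for name, value in values:
            if any(marker in value.lower() for marker in USER_WRITABLE):
                findings.append(f"Run entry '{name}' starts from a user-writable path: {value}")
    return findings


def triage(text: str) -> list:
    """All findings for one report, in a fixed order so the output is easy to diff between runs."""
    sections = parse_loading_points(text)
    findings = check_winlogon(sections) + check_bootexecute(sections) + check_run_keys(sections)
    if "SafeBoot registry key needs repairs" in text:
        findings.append("SafeBoot key damaged: Safe Mode unavailable until repaired")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

The Userinit and BootExecute checks are exact-match by design: both values have one correct default on Windows XP, so anything else is a finding and the helper decides what it is. The Run-key check is only a heuristic and will also flag legitimate per-user software installed into Application Data, which is why it reports the path rather than a verdict.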

#34 Wig86 (Topic Starter, Member, 26 posts)
Just thought I'd let you know my bank called earlier today: someone has logged into my online bank and tried to make a transaction of 967.32 to an HSBC account. I have managed to temporarily suspend this account until the computer is completely clean. Will post back once I have the logs done also.

#35 Wig86 (Topic Starter, Member, 26 posts)
Attached are the logs requested.
ComboFix 11-07-19.01 - Nicola Scullion 19/07/2011 14:16:24.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.431 [GMT 1:00]
Running from: c:\documents and settings\Nicola Scullion\Desktop\abc123.exe
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Nicola Scullion\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-06-19 to 2011-07-19 )))))))))))))))))))))))))))))))
.
.
2011-07-19 00:40 . 2011-07-19 00:40 210884 ----a-w- c:\windows\Explorermgr.exe
2011-07-18 17:08 . 2011-07-18 17:08 -------- d-----w- c:\documents and settings\Nicola Scullion\Application Data\FCTB000061465
2011-07-18 16:18 . 2011-07-18 16:18 -------- d-----w- c:\program files\Nectar Search Toolbar
2011-07-18 11:38 . 2011-07-18 12:23 210884 ----a-w- c:\windows\system32\notepadmgr.exe
2011-07-17 23:27 . 2011-07-17 23:27 -------- d-----w- c:\program files\SeaMonkey
2011-07-17 23:21 . 2011-07-17 23:22 -------- d-----w- c:\documents and settings\Nicola Scullion\Application Data\Maxthon3
2011-07-17 23:21 . 2011-07-17 23:21 -------- d-----w- c:\program files\Maxthon3
2011-07-14 21:41 . 2011-07-14 21:41 -------- d-----w- c:\program files\Foxit Software
2011-07-11 20:16 . 2011-07-11 20:31 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-11 20:16 . 2011-07-11 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-07-01 11:07 . 2011-07-01 11:07 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-01 11:07 . 2011-07-01 11:07 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-09 21:06 . 2011-06-03 08:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 15:31 . 2007-05-30 09:21 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2007-05-30 08:13 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2007-05-30 08:13 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2007-05-30 08:13 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2007-05-30 08:13 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2007-05-30 08:13 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2007-05-30 08:13 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-07-01 11:07 . 2011-04-09 00:48 142296 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ada2ac0d-15c6-4611-ba5d-5b0a8b52fd6d}"= "c:\program files\Nectar Search Toolbar\Helper.dll" [2011-07-18 575432]
.
[HKEY_CLASSES_ROOT\clsid\{ada2ac0d-15c6-4611-ba5d-5b0a8b52fd6d}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{8021825B-2FBA-43AA-8FC9-1289DCD80B76}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ------w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
2011-01-17 14:54 175912 ------w- c:\program files\myBabylon_English\prxtbmyB2.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7C2F0D8-2209-4693-A15D-5A537211D48B}]
2011-07-18 16:18 1781695 ----a-w- c:\program files\Nectar Search Toolbar\Toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\prxtbmyB2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
"{8020143D-5926-4394-A04D-DD0B649DA121}"= "c:\program files\Nectar Search Toolbar\Toolbar.dll" [2011-07-18 1781695]
.
[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CLASSES_ROOT\clsid\{8020143d-5926-4394-a04d-dd0b649da121}]
[HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{22466F1F-0B10-41B0-A971-3A28599AA7C7}]
[HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7}"= "c:\program files\myBabylon_English\prxtbmyB2.dll" [2011-01-17 175912]
"{8020143D-5926-4394-A04D-DD0B649DA121}"= "c:\program files\Nectar Search Toolbar\Toolbar.dll" [2011-07-18 1781695]
.
[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
.
[HKEY_CLASSES_ROOT\clsid\{8020143d-5926-4394-a04d-dd0b649da121}]
[HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{22466F1F-0B10-41B0-A971-3A28599AA7C7}]
[HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-26 198160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\powgrvnf\xuoscywv.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 16:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2006-07-22 02:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Directrec Configuration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Directrec Configuration Tool.lnk
backup=c:\windows\pss\Directrec Configuration Tool.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]
CFSServ.exe -NoClient [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThpSrv]
c:\windows\system32\thpsrv [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
2001-06-23 03:28 24576 ----a-w- c:\windows\system32\000StTHK.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
2006-08-07 11:58 253952 ----a-w- c:\windows\system32\00THotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-11-07 18:18 148760 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 19:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-03-24 05:40 414046 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDWMon]
2007-04-26 10:49 713221 ----a-w- c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DpUtil]
2005-08-05 14:54 155648 ----a-w- c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2009-04-07 09:13 673616 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Epson Stylus SX510W(Network)]
2008-11-20 06:00 199680 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFIE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX510W Series]
2008-11-20 06:00 199680 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFIE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-16 20:32 136176 ------w- c:\documents and settings\Nicola Scullion\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-04-09 22:00 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-02-12 12:37 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-04-09 22:01 138008 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
2009-07-22 12:40 83336 ----a-w- c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 14:33 421160 ------w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-04-09 22:01 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2006-05-05 16:36 244070 ----a-w- c:\program files\Protector Suite QL\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-12 18:33 16132608 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2007-05-11 09:06 360812 ----a-w- c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-06-30 23:15 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TAudEffect]
2006-08-09 18:48 344144 ----a-w- c:\program files\TOSHIBA\TAudEffect\TAudEff.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
2006-04-11 01:14 622592 ----a-w- c:\windows\system32\TFNF5.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-26 23:54 198160 ------w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\topi]
2007-04-02 11:48 577536 ----a-w- c:\program files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
2005-04-11 10:26 283044 ----a-w- c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSDCR]
2005-12-12 17:54 57344 ----a-w- c:\windows\system32\TOSDCR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
2005-05-17 10:42 266713 ----a-w- c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
2005-08-31 13:46 102400 ----a-w- c:\program files\TOSHIBA\TouchED\TouchED.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2007-04-18 12:34 299008 ----a-w- c:\windows\system32\TPSMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSODDCtl]
2007-04-18 12:34 102400 ----a-w- c:\windows\system32\TPSODDCtl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"TVersityMediaServer"=2 (0x2)
"TOSHIBA Bluetooth Service"=2 (0x2)
"TODDSrv"=2 (0x2)
"Tmesrv"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"SupportSoft RemoteAssist"=2 (0x2)
"SQLWriter"=3 (0x3)
"sprtsvc_O2"=2 (0x2)
"SeaPort"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"GoogleDesktopManager-061008-081103"=3 (0x3)
"fsssvc"=3 (0x3)
"DM1Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AgereModemAudio"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Documents and Settings\\Nicola Scullion\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Nectar Search Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\Nectar Search Toolbar\\ToolbarUpdate.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5910:TCP"= 5910:TCP:vnc5910
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [22/03/2007 13:07 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [09/03/2007 15:23 6528]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [30/05/2007 16:23 5888]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [05/05/2006 18:00 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [05/05/2006 17:59 33024]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [05/05/2006 17:33 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [31/05/2007 16:10 35968]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S2 CrossLoopService;CrossLoop Service;"c:\documents and settings\Nicola Scullion\Local Settings\Application Data\CrossLoop\CrossLoopService.exe" --service --> c:\documents and settings\Nicola Scullion\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [11/07/2011 21:16 20552]
S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [30/05/2007 16:26 435072]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
.
2011-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2200450885-670807637-2469435395-1008Core.job
- c:\documents and settings\Nicola Scullion\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-16 20:32]
.
2011-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2200450885-670807637-2469435395-1008UA.job
- c:\documents and settings\Nicola Scullion\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-16 20:32]
.
2011-07-18 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]
.
2011-07-17 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
2011-07-18 c:\windows\Tasks\User_Feed_Synchronization-{41C6D239-16CF-4538-B90C-A09B472EE71B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: o2.co.uk\*.broadband
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Nicola Scullion\Application Data\Mozilla\Firefox\Profiles\q2v22uz4.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-limewire plus+ - c:\program files\Limewire Plus+\limewire.exe
HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTAgent.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-googletalk - c:\program files\Google\Google Talk\googletalk.exe
MSConfigStartUp-limewire plus+ - c:\program files\Limewire Plus+\limewire.exe
MSConfigStartUp-MsnMsgr - c:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe
MSConfigStartUp-O2 - c:\program files\O2\bin\sprtcmd.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-TMERzCtl - c:\program files\TOSHIBA\TME3\TMERzCtl.EXE
MSConfigStartUp-TMESRV - c:\program files\TOSHIBA\TME3\TMESRV31.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-19 14:28
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Nicola Scullion\Start Menu\Programs\Startup\xuoscywv.exe 210884 bytes executable
C:\xuoscywv.exe 210884 bytes executable
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
.
- - - - - - - > 'explorer.exe'(3408)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ThpSrv.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-07-19 14:32:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-19 13:32
.
Pre-Run: 8,752,807,936 bytes free
Post-Run: 8,735,125,504 bytes free
.
- - End Of File - - C4F6594AF787888A3CB0C531624FB1C1



This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 19/07/2011 at 14:34:38.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\grpconv.exe


Rkill completed on 19/07/2011 at 14:34:56.
  • 0

#36
Satchfan

Satchfan

    Trusted Helper

  • Malware Removal
  • 585 posts
Hi wig86

Sorry for the delay but BT was being uncooperative with my Internet service last night.

===================================================

I’m sorry to hear about the bank situation. Your log shows evidence of a rootkit and a backdoor Trojan that can allow remote access to your computer.

I would advise you to do the following:

  • disconnect this PC from the Internet when you are not using it to download programs we request.
  • use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • call credit card companies or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • consider what other private information could possibly have been taken from your computer and take appropriate steps.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response. If not, please follow these instructions:

===================================================

Download & run SafeBootKeyRepair-CF from here:

It’ll only take a moment for it to finish running and then a log will be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply.

===================================================

Open ComboFix

Please do the following:


• Close any open browsers.
• Close/disable all anti-virus and anti-malware programs so that they do not interfere with the running of ComboFix.
• Open Notepad and copy/paste the text in the codebox below into it:
File::
c:\program files\powgrvnf\xuoscywv.exe
C:\WINDOWS\system32\grpconv.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

Rootkit::
c:\documents and settings\Nicola Scullion\Start Menu\Programs\Startup\xuoscywv.exe
C:\xuoscywv.exe


Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it produces a log at C:\ComboFix.txt. Post the contents of Combofix.txt in your next reply.

===================================================

Please tell me if you know what this is and if it is something you have installed. It is a program from a company called TWD Remote:

c:\\Documents and Settings\\Nicola Scullion\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe

This process allows other users to control your PC via a local network or the Internet. If it is used maliciously it can also allow users to access your PC from remote locations, stealing passwords, Internet banking and personal data.

Satchfan
  • 0
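A way to triage the registry section of a ComboFix log for the indicators Satchfan points to above (the extra program appended to Userinit, the Security Center override and monitoring flags, the disabled Windows Firewall and the globally open ports) and to derive the clean Userinit value that the Registry:: part of the CFScript restores. This is an added example, not ComboFix's or the forum's own code; the sample log is constructed from the entries quoted in this thread.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example (not ComboFix code). The sample below is constructed from
the registry blocks posted in this thread.
"""
import re

# Constructed sample: the relevant blocks from the posted ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\powgrvnf\xuoscywv.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5910:TCP"= 5910:TCP:vnc5910
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_section(text):
    """Return {key_path_lowercase: {value_name: raw_value}} from the
    REGEDIT4-style listing ComboFix prints. A lone '.' separates blocks."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def dword(raw):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else -> None."""
    m = re.match(r"dword:([0-9a-f]+)", raw, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None


def _userinit_programs(raw):
    # Userinit is a comma-separated list of programs run at every logon.
    return [p.strip() for p in raw.strip('"').split(",") if p.strip()]


def userinit_extras(raw):
    """Every program in Userinit other than the legitimate userinit.exe."""
    return [p for p in _userinit_programs(raw)
            if not p.lower().endswith(r"\userinit.exe")]


def clean_userinit(raw):
    """The value the Registry:: directive should restore: only userinit.exe,
    with the trailing comma the default XP value carries."""
    keep = [p for p in _userinit_programs(raw)
            if p.lower().endswith(r"\userinit.exe")]
    return ",".join(keep) + ","


def triage(text):
    """Return (finding_kind, detail) pairs for the indicators in this thread."""
    findings = []
    for path, values in parse_reg_section(text).items():
        if path.endswith(r"\winlogon") and "Userinit" in values:
            for extra in userinit_extras(values["Userinit"]):
                findings.append(("userinit-hijack", extra))
        if path.endswith(r"\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if dword(values.get(name, "")) == 1:
                    findings.append(("security-center-override", name))
        if dword(values.get("DisableMonitoring", "")) == 1:
            findings.append(("security-center-monitoring-disabled", path))
        if path.endswith(r"\standardprofile") and dword(values.get("EnableFirewall", "")) == 0:
            findings.append(("firewall-disabled", path))
        if path.endswith(r"\globallyopenports\list"):
            for name in values:
                findings.append(("globally-open-port", name))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```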

#37
Wig86

Wig86

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
SafeBoot log

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PEVSystemStart]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SprtListen]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SprtListenPush]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SupportSoft RemoteAssist]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================


SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\Base
~~\SafeBoot\Minimal\Boot Bus Extender
~~\SafeBoot\Minimal\Boot file system
~~\SafeBoot\Minimal\dmboot.sys
~~\SafeBoot\Minimal\dmio.sys
~~\SafeBoot\Minimal\dmload.sys
~~\SafeBoot\Minimal\dmserver
~~\SafeBoot\Minimal\File system
~~\SafeBoot\Minimal\Filter
~~\SafeBoot\Minimal\PCI Configuration
~~\SafeBoot\Minimal\Primary disk
~~\SafeBoot\Minimal\RpcSs
~~\SafeBoot\Minimal\SCSI Class
~~\SafeBoot\Minimal\sermouse.sys
~~\SafeBoot\Minimal\System Bus Extender
~~\SafeBoot\Minimal\vga.sys
~~\SafeBoot\Minimal\vgasave.sys
~~\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}

========================

Error: Key: system\currentcontrolset\control\safeboot\minimal does not exist!


Will post ComboFix in just a moment.
  • 0

#38
Wig86

Wig86

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
ComboFix log attached. Also, I have used CrossLoop in the past and don't appear to have had any issues with it. Have you heard of others having issues?

ComboFix 11-07-20.02 - Nicola Scullion 20/07/2011 11:48:24.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.641 [GMT 1:00]
Running from: c:\documents and settings\Nicola Scullion\Desktop\abc123.exe
Command switches used :: c:\documents and settings\Nicola Scullion\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
FILE ::
"c:\program files\powgrvnf\xuoscywv.exe"
"c:\windows\system32\grpconv.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Desktop.htt
c:\documents and settings\Nicola Scullion\Application Data\Microsoft\Internet Explorer\Desktop.htt
c:\program files\Internet Explorer\IEXPLOREmgr.exe
c:\program files\powgrvnf\xuoscywv.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-20 to 2011-07-20 )))))))))))))))))))))))))))))))
.
.
2011-07-19 00:40 . 2011-07-20 10:48 210884 ----a-w- c:\windows\Explorermgr.exe
2011-07-18 17:08 . 2011-07-18 17:08 -------- d-----w- c:\documents and settings\Nicola Scullion\Application Data\FCTB000061465
2011-07-18 16:18 . 2011-07-18 16:18 -------- d-----w- c:\program files\Nectar Search Toolbar
2011-07-18 11:38 . 2011-07-18 12:23 210884 ----a-w- c:\windows\system32\notepadmgr.exe
2011-07-17 23:27 . 2011-07-17 23:27 -------- d-----w- c:\program files\SeaMonkey
2011-07-17 23:21 . 2011-07-17 23:22 -------- d-----w- c:\documents and settings\Nicola Scullion\Application Data\Maxthon3
2011-07-17 23:21 . 2011-07-17 23:21 -------- d-----w- c:\program files\Maxthon3
2011-07-14 21:41 . 2011-07-14 21:41 -------- d-----w- c:\program files\Foxit Software
2011-07-11 20:16 . 2011-07-11 20:31 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-11 20:16 . 2011-07-11 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-07-01 11:07 . 2011-07-01 11:07 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-01 11:07 . 2011-07-01 11:07 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-09 21:06 . 2011-06-03 08:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 15:31 . 2007-05-30 09:21 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2007-05-30 08:13 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2007-05-30 08:13 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2007-05-30 08:13 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2007-05-30 08:13 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2007-05-30 08:13 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2007-05-30 08:13 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-07-01 11:07 . 2011-04-09 00:48 142296 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ada2ac0d-15c6-4611-ba5d-5b0a8b52fd6d}"= "c:\program files\Nectar Search Toolbar\Helper.dll" [2011-07-18 575432]
.
[HKEY_CLASSES_ROOT\clsid\{ada2ac0d-15c6-4611-ba5d-5b0a8b52fd6d}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{8021825B-2FBA-43AA-8FC9-1289DCD80B76}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ------w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
2011-01-17 14:54 175912 ------w- c:\program files\myBabylon_English\prxtbmyB2.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7C2F0D8-2209-4693-A15D-5A537211D48B}]
2011-07-18 16:18 1781695 ----a-w- c:\program files\Nectar Search Toolbar\Toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\prxtbmyB2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
"{8020143D-5926-4394-A04D-DD0B649DA121}"= "c:\program files\Nectar Search Toolbar\Toolbar.dll" [2011-07-18 1781695]
.
[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CLASSES_ROOT\clsid\{8020143d-5926-4394-a04d-dd0b649da121}]
[HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{22466F1F-0B10-41B0-A971-3A28599AA7C7}]
[HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7}"= "c:\program files\myBabylon_English\prxtbmyB2.dll" [2011-01-17 175912]
"{8020143D-5926-4394-A04D-DD0B649DA121}"= "c:\program files\Nectar Search Toolbar\Toolbar.dll" [2011-07-18 1781695]
.
[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
.
[HKEY_CLASSES_ROOT\clsid\{8020143d-5926-4394-a04d-dd0b649da121}]
[HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{22466F1F-0B10-41B0-A971-3A28599AA7C7}]
[HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-26 198160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\powgrvnf\xuoscywv.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 16:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2006-07-22 02:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Directrec Configuration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Directrec Configuration Tool.lnk
backup=c:\windows\pss\Directrec Configuration Tool.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]
CFSServ.exe -NoClient [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThpSrv]
c:\windows\system32\thpsrv [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
2001-06-23 03:28 24576 ----a-w- c:\windows\system32\000StTHK.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
2006-08-07 11:58 253952 ----a-w- c:\windows\system32\00THotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-11-07 18:18 148760 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 19:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-03-24 05:40 414046 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDWMon]
2007-04-26 10:49 713221 ----a-w- c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DpUtil]
2005-08-05 14:54 155648 ----a-w- c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2009-04-07 09:13 673616 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Epson Stylus SX510W(Network)]
2008-11-20 06:00 199680 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFIE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX510W Series]
2008-11-20 06:00 199680 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFIE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-16 20:32 136176 ------w- c:\documents and settings\Nicola Scullion\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-04-09 22:00 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-02-12 12:37 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-04-09 22:01 138008 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
2009-07-22 12:40 83336 ----a-w- c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 14:33 421160 ------w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-04-09 22:01 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2006-05-05 16:36 244070 ----a-w- c:\program files\Protector Suite QL\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-12 18:33 16132608 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2007-05-11 09:06 360812 ----a-w- c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-06-30 23:15 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TAudEffect]
2006-08-09 18:48 344144 ----a-w- c:\program files\TOSHIBA\TAudEffect\TAudEff.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
2006-04-11 01:14 622592 ----a-w- c:\windows\system32\TFNF5.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-26 23:54 198160 ------w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\topi]
2007-04-02 11:48 577536 ----a-w- c:\program files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
2005-04-11 10:26 283044 ----a-w- c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSDCR]
2005-12-12 17:54 57344 ----a-w- c:\windows\system32\TOSDCR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
2005-05-17 10:42 266713 ----a-w- c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
2005-08-31 13:46 102400 ----a-w- c:\program files\TOSHIBA\TouchED\TouchED.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2007-04-18 12:34 299008 ----a-w- c:\windows\system32\TPSMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSODDCtl]
2007-04-18 12:34 102400 ----a-w- c:\windows\system32\TPSODDCtl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"TVersityMediaServer"=2 (0x2)
"TOSHIBA Bluetooth Service"=2 (0x2)
"TODDSrv"=2 (0x2)
"Tmesrv"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"SupportSoft RemoteAssist"=2 (0x2)
"SQLWriter"=3 (0x3)
"sprtsvc_O2"=2 (0x2)
"SeaPort"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"GoogleDesktopManager-061008-081103"=3 (0x3)
"fsssvc"=3 (0x3)
"DM1Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AgereModemAudio"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Documents and Settings\\Nicola Scullion\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Nectar Search Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\Nectar Search Toolbar\\ToolbarUpdate.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5910:TCP"= 5910:TCP:vnc5910
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [22/03/2007 13:07 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [09/03/2007 15:23 6528]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [30/05/2007 16:23 5888]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [05/05/2006 18:00 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [05/05/2006 17:59 33024]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [05/05/2006 17:33 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [31/05/2007 16:10 35968]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S2 CrossLoopService;CrossLoop Service;"c:\documents and settings\Nicola Scullion\Local Settings\Application Data\CrossLoop\CrossLoopService.exe" --service --> c:\documents and settings\Nicola Scullion\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [11/07/2011 21:16 20552]
S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [30/05/2007 16:26 435072]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
.
2011-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2200450885-670807637-2469435395-1008Core.job
- c:\documents and settings\Nicola Scullion\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-16 20:32]
.
2011-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2200450885-670807637-2469435395-1008UA.job
- c:\documents and settings\Nicola Scullion\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-16 20:32]
.
2011-07-19 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]
.
2011-07-17 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
2011-07-20 c:\windows\Tasks\User_Feed_Synchronization-{41C6D239-16CF-4538-B90C-A09B472EE71B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: o2.co.uk\*.broadband
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Nicola Scullion\Application Data\Mozilla\Firefox\Profiles\q2v22uz4.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-20 11:56
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
.
- - - - - - - > 'explorer.exe'(3116)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-07-20 12:02:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-20 11:02
ComboFix2.txt 2011-07-19 13:32
.
Pre-Run: 6,386,823,168 bytes free
Post-Run: 6,318,055,424 bytes free
.
- - End Of File - - 56A179CD0D874F5015CCD2E70F7579FA

#39
Satchfan
    Trusted Helper
  • Malware Removal
  • 585 posts
Hi wig86

The recurrence of one file is not a good sign but I’d like you to run this one to see what happens:

Open ComboFix

Please do the following:

  • close any open browsers.
  • close/disable all anti-virus and anti-malware programs so that they do not interfere with the running of ComboFix.
  • open notepad and copy/paste the text in the codebox below into it:

File::
c:\documents and settings\Nicola Scullion\Start Menu\Programs\Startup\xuoscywv.exe
c:\windows\Explorermgr.exe

Folder::
c:\program files\powgrvnf

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] 
"Userinit"="c:\windows\system32\userinit.exe,"

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it produces a log at C:\ComboFix.txt. Post the contents of Combofix.txt in your next reply.

===================================================

I want to see if a corrupt file is preventing safe mode.

Go to Start, Run and type in sfc /scannow and hit the OK button. Insert your CD if/when requested.

Satchfan
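As an added example (not code from this thread, from ComboFix or from its author), a small Python triage script that reads lines in the ComboFix log format shown in this thread and flags exactly what the CFScript above targets: the extra command appended to the Winlogon Userinit value, paths ComboFix reported it could not delete, the damaged SafeBoot key, and the disabled Security Center monitoring and firewall settings. The sample log lines are constructed from the excerpts posted in this thread.

```python
"""Added triage helper for ComboFix logs (not ComboFix's own code, not from
this thread's helper): it parses the REGEDIT-style 'Reg Loading Points'
lines and the 'Other Deletions' section and flags what the CFScript above
is written to repair. Sample lines are constructed from the log excerpts
posted in this thread."""
import re

# Constructed sample in the ComboFix log format, taken from excerpts on this page.
SAMPLE_LOG = r"""
c:\documents and settings\Nicola Scullion\Start Menu\Programs\Startup\xuoscywv.exe
c:\windows\Explorermgr.exe
c:\program files\powgrvnf . . . . Failed to delete
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\powgrvnf\xuoscywv.exe"
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# The only command Userinit should launch on a stock XP machine; the CFScript
# in this thread resets the value to exactly this plus a trailing comma.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# REGEDIT4 value line: "Name"=data  (data may be quoted, dword:..., or "0 (0x0)")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_values(log_text):
    """Return {(key, value_name): data} for every [key] / "name"=data pair.
    Keys and value names are lower-cased because the registry is case-insensitive."""
    entries = {}
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries[(key, m.group(1).lower())] = m.group(2).strip()
    return entries


def userinit_extras(data):
    """Split a Userinit REG_SZ on commas and return every command that is not
    the stock userinit.exe. Empty fields (the ',,' in the hijacked value) are ignored."""
    parts = [p.strip() for p in data.strip('"').split(",")]
    return [p for p in parts if p and p.lower() != EXPECTED_USERINIT]


def failed_deletions(log_text):
    """Paths ComboFix reported as 'Failed to delete' in the Other Deletions section."""
    paths = []
    for line in log_text.splitlines():
        if "Failed to delete" in line:
            paths.append(line.split("Failed to delete")[0].rstrip(" ."))
    return paths


def triage(log_text):
    """Return a list of (finding, detail) tuples for the persistence and
    security-setting problems visible in the log."""
    findings = []
    for (key, name), data in parse_reg_values(log_text).items():
        if key.endswith("\\winlogon") and name == "userinit":
            extras = userinit_extras(data)
            if extras:
                findings.append(("userinit_hijack", extras))
        elif name == "disablemonitoring" and data.lower().endswith("00000001"):
            findings.append(("security_center_monitoring_disabled", key))
        elif name == "enablefirewall" and data.startswith("0"):
            findings.append(("firewall_disabled", key))
    for path in failed_deletions(log_text):
        findings.append(("failed_delete", path))
    if "cannot enter Safe Mode" in log_text:
        findings.append(("safeboot_key_damaged", None))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding}: {detail}")
```

Run against a full ComboFix.txt the same way; a clean Userinit value such as the one the CFScript writes produces no userinit_hijack finding.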

#40
Wig86
    Member
  • Topic Starter
  • Member
  • 26 posts
ComboFix log attached; trying the safe mode repair just now.

ComboFix 11-07-20.02 - Nicola Scullion 20/07/2011 13:04:22.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.477 [GMT 1:00]
Running from: c:\documents and settings\Nicola Scullion\Desktop\abc123.exe
Command switches used :: c:\documents and settings\Nicola Scullion\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.
FILE ::
"c:\documents and settings\Nicola Scullion\Start Menu\Programs\Startup\xuoscywv.exe"
"c:\windows\Explorermgr.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Nicola Scullion\Start Menu\Programs\Startup\xuoscywv.exe
c:\windows\Explorermgr.exe
c:\program files\powgrvnf . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-06-20 to 2011-07-20 )))))))))))))))))))))))))))))))
.
.
2011-07-18 17:08 . 2011-07-18 17:08 -------- d-----w- c:\documents and settings\Nicola Scullion\Application Data\FCTB000061465
2011-07-18 16:18 . 2011-07-18 16:18 -------- d-----w- c:\program files\Nectar Search Toolbar
2011-07-18 11:38 . 2011-07-18 12:23 210884 ----a-w- c:\windows\system32\notepadmgr.exe
2011-07-17 23:27 . 2011-07-17 23:27 -------- d-----w- c:\program files\SeaMonkey
2011-07-17 23:21 . 2011-07-17 23:22 -------- d-----w- c:\documents and settings\Nicola Scullion\Application Data\Maxthon3
2011-07-17 23:21 . 2011-07-17 23:21 -------- d-----w- c:\program files\Maxthon3
2011-07-14 21:41 . 2011-07-14 21:41 -------- d-----w- c:\program files\Foxit Software
2011-07-11 20:16 . 2011-07-11 20:31 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-11 20:16 . 2011-07-11 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-07-01 11:07 . 2011-07-01 11:07 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-01 11:07 . 2011-07-01 11:07 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-09 21:06 . 2011-06-03 08:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 15:31 . 2007-05-30 09:21 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2007-05-30 08:13 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2007-05-30 08:13 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2007-05-30 08:13 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2007-05-30 08:13 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2007-05-30 08:13 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2007-05-30 08:13 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-07-01 11:07 . 2011-04-09 00:48 142296 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ada2ac0d-15c6-4611-ba5d-5b0a8b52fd6d}"= "c:\program files\Nectar Search Toolbar\Helper.dll" [2011-07-18 575432]
.
[HKEY_CLASSES_ROOT\clsid\{ada2ac0d-15c6-4611-ba5d-5b0a8b52fd6d}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{8021825B-2FBA-43AA-8FC9-1289DCD80B76}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ------w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
2011-01-17 14:54 175912 ------w- c:\program files\myBabylon_English\prxtbmyB2.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7C2F0D8-2209-4693-A15D-5A537211D48B}]
2011-07-18 16:18 1781695 ----a-w- c:\program files\Nectar Search Toolbar\Toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\prxtbmyB2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
"{8020143D-5926-4394-A04D-DD0B649DA121}"= "c:\program files\Nectar Search Toolbar\Toolbar.dll" [2011-07-18 1781695]
.
[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CLASSES_ROOT\clsid\{8020143d-5926-4394-a04d-dd0b649da121}]
[HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{22466F1F-0B10-41B0-A971-3A28599AA7C7}]
[HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7}"= "c:\program files\myBabylon_English\prxtbmyB2.dll" [2011-01-17 175912]
"{8020143D-5926-4394-A04D-DD0B649DA121}"= "c:\program files\Nectar Search Toolbar\Toolbar.dll" [2011-07-18 1781695]
.
[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
.
[HKEY_CLASSES_ROOT\clsid\{8020143d-5926-4394-a04d-dd0b649da121}]
[HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{22466F1F-0B10-41B0-A971-3A28599AA7C7}]
[HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-26 198160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\powgrvnf\xuoscywv.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 16:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2006-07-22 02:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Directrec Configuration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Directrec Configuration Tool.lnk
backup=c:\windows\pss\Directrec Configuration Tool.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]
CFSServ.exe -NoClient [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThpSrv]
c:\windows\system32\thpsrv [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
2001-06-23 03:28 24576 ----a-w- c:\windows\system32\000StTHK.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
2006-08-07 11:58 253952 ----a-w- c:\windows\system32\00THotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-11-07 18:18 148760 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 19:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-03-24 05:40 414046 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 15:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDWMon]
2007-04-26 10:49 713221 ----a-w- c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DpUtil]
2005-08-05 14:54 155648 ----a-w- c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2009-04-07 09:13 673616 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Epson Stylus SX510W(Network)]
2008-11-20 06:00 199680 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFIE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX510W Series]
2008-11-20 06:00 199680 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFIE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-16 20:32 136176 ------w- c:\documents and settings\Nicola Scullion\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-04-09 22:00 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-02-12 12:37 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-04-09 22:01 138008 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
2009-07-22 12:40 83336 ----a-w- c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 14:33 421160 ------w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-04-09 22:01 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2006-05-05 16:36 244070 ----a-w- c:\program files\Protector Suite QL\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-12 18:33 16132608 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2007-05-11 09:06 360812 ----a-w- c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-06-30 23:15 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TAudEffect]
2006-08-09 18:48 344144 ----a-w- c:\program files\TOSHIBA\TAudEffect\TAudEff.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
2006-04-11 01:14 622592 ----a-w- c:\windows\system32\TFNF5.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-03-26 23:54 198160 ------w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\topi]
2007-04-02 11:48 577536 ----a-w- c:\program files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
2005-04-11 10:26 283044 ----a-w- c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSDCR]
2005-12-12 17:54 57344 ----a-w- c:\windows\system32\TOSDCR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
2005-05-17 10:42 266713 ----a-w- c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
2005-08-31 13:46 102400 ----a-w- c:\program files\TOSHIBA\TouchED\TouchED.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2007-04-18 12:34 299008 ----a-w- c:\windows\system32\TPSMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSODDCtl]
2007-04-18 12:34 102400 ----a-w- c:\windows\system32\TPSODDCtl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"TVersityMediaServer"=2 (0x2)
"TOSHIBA Bluetooth Service"=2 (0x2)
"TODDSrv"=2 (0x2)
"Tmesrv"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"SupportSoft RemoteAssist"=2 (0x2)
"SQLWriter"=3 (0x3)
"sprtsvc_O2"=2 (0x2)
"SeaPort"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"GoogleDesktopManager-061008-081103"=3 (0x3)
"fsssvc"=3 (0x3)
"DM1Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AgereModemAudio"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Documents and Settings\\Nicola Scullion\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Nectar Search Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\Nectar Search Toolbar\\ToolbarUpdate.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5910:TCP"= 5910:TCP:vnc5910
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [22/03/2007 13:07 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [09/03/2007 15:23 6528]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [30/05/2007 16:23 5888]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [05/05/2006 18:00 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [05/05/2006 17:59 33024]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [05/05/2006 17:33 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [31/05/2007 16:10 35968]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S2 CrossLoopService;CrossLoop Service;"c:\documents and settings\Nicola Scullion\Local Settings\Application Data\CrossLoop\CrossLoopService.exe" --service --> c:\documents and settings\Nicola Scullion\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [11/07/2011 21:16 20552]
S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [30/05/2007 16:26 435072]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
.
2011-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2200450885-670807637-2469435395-1008Core.job
- c:\documents and settings\Nicola Scullion\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-16 20:32]
.
2011-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2200450885-670807637-2469435395-1008UA.job
- c:\documents and settings\Nicola Scullion\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-16 20:32]
.
2011-07-19 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]
.
2011-07-17 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
2011-07-20 c:\windows\Tasks\User_Feed_Synchronization-{41C6D239-16CF-4538-B90C-A09B472EE71B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: o2.co.uk\*.broadband
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Nicola Scullion\Application Data\Mozilla\Firefox\Profiles\q2v22uz4.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-20 13:17
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
.
- - - - - - - > 'explorer.exe'(3892)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ThpSrv.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-07-20 13:22:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-20 12:22
ComboFix2.txt 2011-07-20 11:02
ComboFix3.txt 2011-07-19 13:32
.
Pre-Run: 10,372,734,976 bytes free
Post-Run: 10,131,722,240 bytes free
.
- - End Of File - - 30EBF1D2CB681FF1917B37375EAF7642

#41 Wig86 (Topic Starter)
sfc /scannow ran through to 100% and then seemed to complete and close. Should I have been given a log, or is that what you expected?

#42 Satchfan (Trusted Helper, Malware Removal)
I don't think scannow has found anything.

Download Dr.Web CureIt to the desktop:

  • double-click the drweb-cureit icon to start the program
  • press Start
  • allow the program to run the initial express scan
  • this will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.

Note: a pop-up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.

  • once the scan is complete, the results will be displayed
  • if infections are found you will be able to save a report
  • on the menu bar, click File and choose Report list
  • save the report to your desktop. The report will be called DrWeb.csv
  • Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum
  • close Dr.Web CureIt
  • please post the Dr.Web.txt report in your next reply

Satchfan

#43 Wig86 (Topic Starter)
Process in memory: C:\Program Files\Mozilla Firefox\firefox.exe:508;;Trojan.Rmnet;Eradicated.;
notepadmgr.exe;C:\WINDOWS\system32;Trojan.PWS.Siggen.19532;Incurable.Moved.;
aswMBR.exe;D:\My Documents;Win32.Rmnet.8;Cured.;
Amanda Weir's photos.htm\VBScript.12;D:\My Documents\Downloads\Amanda Weir's photos.htm;VBS.Rmnet.2;;
Amanda Weir's photos.htm;D:\My Documents\Downloads;Container contains infected objects;Moved.;
belkinsetupassistant.exe;D:\My Documents\Downloads;Win32.Rmnet.8;Cured.;
epson324758eu.exe;D:\My Documents\Downloads;Win32.Rmnet.8;Cured.;
epson325334eu.exe;D:\My Documents\Downloads;Win32.Rmnet.8;Cured.;
job-details.html\VBScript.10;D:\My Documents\Downloads\job-details.html;VBS.Rmnet.2;;
job-details.html;D:\My Documents\Downloads;Container contains infected objects;Moved.;
OTL(1).exe;D:\My Documents\Downloads;Win32.Rmnet.8;Cured.;
OTL.exe;D:\My Documents\Downloads;Win32.Rmnet.8;Cured.;
OTLmgr.exe;D:\My Documents\Downloads;Trojan.PWS.Siggen.19532;Incurable.Moved.;
RogueKiller.exe;D:\My Documents\Downloads;Win32.Rmnet.8;Cured.;
TFC.exe;D:\My Documents\Downloads;Win32.Rmnet.8;Cured.;
TFC.exe;D:\My Documents\Downloads;Trojan.Siggen2.50776;Incurable.Moved.;
winlogonexe.exe;D:\My Documents\Downloads;Win32.Rmnet.8;Cured.;
setup.exe;D:\My Documents\Downloads\inSSIDer2-x86-Installer;Win32.Rmnet.8;Cured.;
wrapaa_PersonSummary_wscall.ASP.htm\VBScript.1;D:\My Documents\jobs\wrapaa_PersonSummary_wscall.ASP.htm;VBS.Rmnet.2;;
wrapaa_PersonSummary_wscall.ASP.htm;D:\My Documents\jobs;Container contains infected objects;Moved.;
mammy.htm\VBScript.13;D:\My Documents\My Pictures\mammy.htm;VBS.Rmnet.2;;
mammy.htm;D:\My Documents\My Pictures;Container contains infected objects;Moved.;
ai.htm\VBScript.0;D:\My Documents\My Pictures\mammy_files\ai.htm;VBS.Rmnet.2;;
ai.htm;D:\My Documents\My Pictures\mammy_files;Container contains infected objects;Moved.;
ai_002.htm\VBScript.0;D:\My Documents\My Pictures\mammy_files\ai_002.htm;VBS.Rmnet.2;;
ai_002.htm;D:\My Documents\My Pictures\mammy_files;Container contains infected objects;Moved.;
im in white.htm\VBScript.33;D:\My Documents\My Pictures\pics\im in white.htm;VBS.Rmnet.2;;
im in white.htm;D:\My Documents\My Pictures\pics;Container contains infected objects;Moved.;
photo.php.htm\VBScript.33;D:\My Documents\My Pictures\pics\photo.php.htm;VBS.Rmnet.2;;
photo.php.htm;D:\My Documents\My Pictures\pics;Container contains infected objects;Moved.;
ai.htm\VBScript.0;D:\My Documents\My Pictures\pics\im in white_files\ai.htm;VBS.Rmnet.2;;
ai.htm;D:\My Documents\My Pictures\pics\im in white_files;Container contains infected objects;Moved.;
ai_002.htm\VBScript.0;D:\My Documents\My Pictures\pics\im in white_files\ai_002.htm;VBS.Rmnet.2;;
ai_002.htm;D:\My Documents\My Pictures\pics\im in white_files;Container contains infected objects;Moved.;
ai.htm\VBScript.0;D:\My Documents\My Pictures\pics\photo.php_files\ai.htm;VBS.Rmnet.2;;
ai.htm;D:\My Documents\My Pictures\pics\photo.php_files;Container contains infected objects;Moved.;
ai_002.htm\VBScript.0;D:\My Documents\My Pictures\pics\photo.php_files\ai_002.htm;VBS.Rmnet.2;;
ai_002.htm;D:\My Documents\My Pictures\pics\photo.php_files;Container contains infected objects;Moved.;
ArtDeco.htm\VBScript.0;D:\My Documents\My Stationery\ArtDeco.htm;VBS.Rmnet.2;;
ArtDeco.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
Bamboo.htm\VBScript.0;D:\My Documents\My Stationery\Bamboo.htm;VBS.Rmnet.2;;
Bamboo.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
BlueTiles.htm\VBScript.0;D:\My Documents\My Stationery\BlueTiles.htm;VBS.Rmnet.2;;
BlueTiles.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
Bubbles.htm\VBScript.0;D:\My Documents\My Stationery\Bubbles.htm;VBS.Rmnet.2;;
Bubbles.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
Cheddar.htm\VBScript.0;D:\My Documents\My Stationery\Cheddar.htm;VBS.Rmnet.2;;
Cheddar.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
ColorStripe.htm\VBScript.0;D:\My Documents\My Stationery\ColorStripe.htm;VBS.Rmnet.2;;
ColorStripe.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
Dinosaur.htm\VBScript.0;D:\My Documents\My Stationery\Dinosaur.htm;VBS.Rmnet.2;;
Dinosaur.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
Drawing.htm\VBScript.0;D:\My Documents\My Stationery\Drawing.htm;VBS.Rmnet.2;;
Drawing.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
Garden.htm\VBScript.0;D:\My Documents\My Stationery\Garden.htm;VBS.Rmnet.2;;
Garden.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
HandPrints.htm\VBScript.0;D:\My Documents\My Stationery\HandPrints.htm;VBS.Rmnet.2;;
HandPrints.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
LED.htm\VBScript.0;D:\My Documents\My Stationery\LED.htm;VBS.Rmnet.2;;
LED.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
Money.htm\VBScript.0;D:\My Documents\My Stationery\Money.htm;VBS.Rmnet.2;;
Money.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
Mosiac1.htm\VBScript.0;D:\My Documents\My Stationery\Mosiac1.htm;VBS.Rmnet.2;;
Mosiac1.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
Mosiac2.htm\VBScript.0;D:\My Documents\My Stationery\Mosiac2.htm;VBS.Rmnet.2;;
Mosiac2.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
Music.htm\VBScript.0;D:\My Documents\My Stationery\Music.htm;VBS.Rmnet.2;;
Music.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
Snowboard.htm\VBScript.0;D:\My Documents\My Stationery\Snowboard.htm;VBS.Rmnet.2;;
Snowboard.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
Southwest.htm\VBScript.0;D:\My Documents\My Stationery\Southwest.htm;VBS.Rmnet.2;;
Southwest.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
YellowTiles.htm\VBScript.0;D:\My Documents\My Stationery\YellowTiles.htm;VBS.Rmnet.2;;
YellowTiles.htm;D:\My Documents\My Stationery;Container contains infected objects;Moved.;
xuoscywv.exe;C:\;Trojan.PWS.Siggen.19532;Incurable.Moved.;
xuoscywv.exe;c:\documents and settings\nicola scullion\start menu\programs\startup;Trojan.PWS.Siggen.19532;Incurable.Moved.;
epson web-to-page.dll;c:\program files\epson\epson web-to-page;Win32.Rmnet.8;Cured.;
sqlvdi.dll;c:\program files\microsoft sql server\80\com;Win32.Rmnet.8;Cured.;
helper.dll;c:\program files\nectar search toolbar;Win32.Rmnet.8;Cured.;
toolbar.dll;c:\program files\nectar search toolbar;Win32.Rmnet.8;Cured.;
xuoscywv.exe;c:\program files\powgrvnf;Trojan.PWS.Siggen.19532;Incurable.Moved.;
mysafe.dll;c:\program files\protector suite ql;Win32.Rmnet.8;Cured.;
qtcf.dll;c:\program files\quicktime\qtsystem;Win32.Rmnet.8;Cured.;
toscdspd.exe;c:\program files\toshiba\toscdspd;Win32.Rmnet.8;Cured.;
wmpnetwk.exe;c:\program files\windows media player;Win32.Rmnet.8;Cured.;
rarext.dll;c:\program files\winrar;Win32.Rmnet.8;Cured.;

#44 Satchfan (Trusted Helper, Malware Removal)
Hi wig86

As I suspected, the scan shows the presence of a serious viral infection known as Ramnit.

At this time Ramnit cannot be cleaned and the only option is a reformat, not just a Windows repair install.

Infection information

Win32/Ramnit is a file infector which infects .exe and .HTML/.HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files.

Why the only sure way to remove it effectively is to reformat and reinstall the OS

The malware injects code into legitimate files, similar to the Virut virus, and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts, so the degree of damage can vary.

In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed, as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Some good information:

Ramnit.A
and here

You can find plenty more information if you Google it.

Because your computer has likely been compromised by the backdoor Trojan, there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

I would suggest you do this:

  • use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • call your credit card company or any other institution which may be affected (your bank(s) already know, of course), and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • consider what other private information could possibly have been taken from your computer and take appropriate steps

When you've done the above, reformat the system partition and reinstall Windows; it is the only 100% sure answer.

When should I re-format? How should I reinstall?
Where to draw the line? When to recommend a format and reinstall?

I'm sorry not to have better news, but I did suspect this when ComboFix and SafeBootfix were unsuccessful.

Please let me know if you have any more questions.

Thanks

Satchfan

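Added example, not part of the thread and not a Dr.Web tool: a small Python script that reads the Dr.Web CureIt report format posted in #43 (one `object;location;threat;action;` record per line) and produces the counts a helper wants before giving the verdict above: detections per family, cured file-infector hits versus items that could only be moved, anything found in memory, and anything sitting in the Startup folder. The sample lines are condensed from the posted report; the set of Dr.Web names treated as the Ramnit file infector is an assumption taken from that report's threat column, not a vendor list.

```python
import re
from collections import Counter

# Constructed sample: a few lines condensed from the Dr.Web CureIt report
# posted in this thread, in its 'object;location;threat;action;' layout.
SAMPLE_REPORT = r"""
Process in memory: C:\Program Files\Mozilla Firefox\firefox.exe:508;;Trojan.Rmnet;Eradicated.;
notepadmgr.exe;C:\WINDOWS\system32;Trojan.PWS.Siggen.19532;Incurable.Moved.;
OTL.exe;D:\My Documents\Downloads;Win32.Rmnet.8;Cured.;
job-details.html\VBScript.10;D:\My Documents\Downloads\job-details.html;VBS.Rmnet.2;;
job-details.html;D:\My Documents\Downloads;Container contains infected objects;Moved.;
xuoscywv.exe;c:\documents and settings\nicola scullion\start menu\programs\startup;Trojan.PWS.Siggen.19532;Incurable.Moved.;
wmpnetwk.exe;c:\program files\windows media player;Win32.Rmnet.8;Cured.;
"""

# Assumption for illustration: the Dr.Web names that denote the Ramnit file
# infector, taken from the threat column of the report above.
FILE_INFECTOR_FAMILIES = {"Win32.Rmnet", "VBS.Rmnet", "Trojan.Rmnet"}
CONTAINER = "Container contains infected objects"
STARTUP_FOLDER = r"\start menu\programs\startup"
PROCESS_PREFIX = "Process in memory: "


def family(threat):
    """Drop the trailing variant number: 'Win32.Rmnet.8' -> 'Win32.Rmnet'."""
    return re.sub(r"\.\d+$", "", threat)


def parse_report(text):
    """Parse report lines into dicts. A detection inside a container (an
    HTML file or archive) has an empty action; Dr.Web reports the container
    itself, with its action, on the following line."""
    records = []
    for line in text.splitlines():
        parts = line.split(";")
        if len(parts) < 4:
            continue  # blank or malformed line
        obj, location, threat, action = parts[:4]
        records.append({
            "object": obj,
            "location": location,
            "threat": threat,
            "family": family(threat),
            "action": action.rstrip(".") or "inside container",
            "running": obj.startswith(PROCESS_PREFIX),
            "autostart": STARTUP_FOLDER in location.lower(),
        })
    return records


def summarize(records):
    """The counts a helper wants before choosing clean-up versus rebuild."""
    infector_hits = [r for r in records if r["family"] in FILE_INFECTOR_FAMILIES]
    return {
        # container lines duplicate the inner detection, so leave them out
        "by_family": Counter(r["family"] for r in records if r["threat"] != CONTAINER),
        "by_action": Counter(r["action"] for r in records),
        "infector_files": sorted(r["object"] for r in infector_hits if not r["running"]),
        "running": [r["object"][len(PROCESS_PREFIX):] for r in records if r["running"]],
        "autostart": [r["object"] for r in records if r["autostart"]],
        "incurable": [r["object"] for r in records if r["action"].startswith("Incurable")],
    }


def verdict(summary):
    """A file infector that has touched application binaries means 'Cured'
    files still cannot be trusted; anything else is an ordinary clean-up."""
    hits = summary["infector_files"]
    if hits:
        return ("REBUILD: file infector in %d objects (%s); disinfected files "
                "cannot be trusted" % (len(hits), ", ".join(hits)))
    if summary["incurable"] or summary["autostart"]:
        return "CLEAN-UP: remove moved items and re-scan; check autostart entries"
    return "OK: nothing needing action"


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for fam, n in summary["by_family"].most_common():
        print("%-25s %d" % (fam, n))
    print("in memory:", summary["running"])
    print("autostart:", summary["autostart"])
    print(verdict(summary))
```

Run it against the full report from #43 (saved as DrWeb.csv) by replacing SAMPLE_REPORT with the file's contents; the point of separating `infector_files` from `incurable` is that the rebuild decision rests on the former, while the latter only tells you what the scanner quarantined.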
#45 Wig86 (Topic Starter)
Thanks very much for your help regarding this matter. I plan to format over the weekend. Thanks for posting the links also and explaining everything to me.

Hope you have a good weekend.

Thanks
Allan