
Google Hijacked ? [Solved]



#121 Emma_uk (Topic Starter)
No, it gives the same error, won't update.

Do I need the latest Java? :)


#122 RatHat (Ex Malware Expert)
What about if you try to install the Version 6 update 11 from the file you downloaded before. Does that work?

#123 Emma_uk (Topic Starter)
jre-6u11

:) I'm afraid not.

#124 RatHat (Ex Malware Expert)
OK, want to live with it? Java is updated to include security updates against known exploits. It is fairly important to keep it updated, but if you surf safely and stay away from P2P programs, you should be OK.

What do you think?

#125 Emma_uk (Topic Starter)
You giving up? :)

If there are security issues I'd really like to get it sorted if at all possible.

I try to surf safely but can't guarantee what other members of the family do.

#126 RatHat (Ex Malware Expert)
No, I won't give up, Emma.

hope we can put a line under this virus issue today and clean up all these files I have

Thought you might be though! :)

OK, I am going to have to ask the techs about this one, and see if they have any ideas. In the meantime, I would like you to make doubly sure you are clean.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


When you have posted me the log, you can clean up the tools we have used.

Firstly uninstall GMER:
  • Go to Start, then Run and type in the following: %windir%\gmer_uninstall.cmd
  • Click OK. A command window will open:
  • Press any key to close it.
  • Now you can delete the gmer folder from your desktop
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /u, it needs to be there.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Finally, click Here to download OTCleanIt
Double-click OTCleanIt.exe to run it.
Click the Clean up button
Click Yes to the reboot.

Now delete any logs that you have left over on your desktop. If we need to download any more tools we can easily later.

#127 Emma_uk (Topic Starter)
It gave some positives, but I think they're from the utilities we installed, am I correct?

:)

ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\admin\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\admin\Desktop;Archive contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\admin\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\admin\Desktop;Archive contains infected objects;Moved.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\admin\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\admin\Desktop\SmitfraudFix.exe;Trojan.Shutdown.134;;
SmitfraudFix.exe;C:\Documents and Settings\admin\Desktop;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\admin\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\admin\Desktop\SmitfraudFix;Trojan.Shutdown.134;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0164570.EXE;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP295;Program.PsExec.170;Incurable.Moved.;
A0165634.EXE;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP296;Program.PsExec.170;Incurable.Moved.;
A0166407.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP304\A0166407.exe;Tool.Prockill;;
A0166407.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP304;Archive contains infected objects;Moved.;
A0166420.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP304;Tool.Prockill;Incurable.Moved.;
A0166422.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP304;Trojan.Shutdown.134;Deleted.;
A0166434.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP304\A0166434.exe;Tool.Prockill;;
A0166434.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP304\A0166434.exe;Trojan.Shutdown.134;;
A0166434.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP304;Archive contains infected objects;Moved.;
A0169536.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP304;Tool.Prockill;Incurable.Moved.;
A0170787.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP318\A0170787.exe;Program.PsExec.171;;
A0170787.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP318;Archive contains infected objects;Moved.;
A0170788.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP318\A0170788.exe;Tool.Prockill;;
A0170788.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP318;Archive contains infected objects;Moved.;
A0170789.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP318\A0170789.exe;Tool.Prockill;;
A0170789.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP318\A0170789.exe;Trojan.Shutdown.134;;
A0170789.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP318;Archive contains infected objects;Moved.;
A0170790.exe;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP318;Trojan.Shutdown.134;Deleted.;
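As an added example (mine, not something from this thread or from Dr.Web), here is a small Python triage of the DrWeb.csv report format posted above: it separates hits inside the removal tools' own archives and System Restore copies from anything that still needs a look. The sample lines are constructed from the layout of the report above (the last line is invented to exercise the "needs review" path); the tool list and the bucket names are my assumptions.

```python
"""Triage a Dr.Web CureIt CSV report (object;path;threat;action;) by where the hit lives."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the DrWeb.csv layout, modelled on the report posted above.
# The final line is invented so that the "needs review" bucket is exercised.
SAMPLE_REPORT = r"""ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\admin\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\admin\Desktop;Archive contains infected objects;Moved.;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\admin\Desktop\SmitfraudFix.exe;Trojan.Shutdown.134;;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0164570.EXE;C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP295;Program.PsExec.170;Incurable.Moved.;
unknown.exe;C:\Documents and Settings\admin\Local Settings\Temp;Trojan.Constructed.Sample;Deleted.;
"""

# Assumption: the archives/folders of the removal utilities used in this thread.
# Dr.Web flags their bundled helpers (PsExec, Process.exe, restart.exe) as riskware.
KNOWN_TOOLS = ("combofix", "sdfix", "smitfraudfix")
RESTORE_MARKER = r"system volume information\_restore"
CONTAINER_VERDICT = "Archive contains infected objects"


@dataclass
class Detection:
    obj: str      # object name, possibly an archive-internal path
    path: str     # folder or archive that contains the object
    threat: str
    action: str   # empty for entries reported inside an archive
    verdict: str  # triage bucket assigned by classify()


def classify(obj: str, path: str, threat: str) -> str:
    """Bucket one detection; the order of the checks matters (restore copies first)."""
    haystack = (obj + "\\" + path).lower()
    if RESTORE_MARKER in haystack:
        return "restore-point copy"          # inert unless System Restore is used
    if threat == CONTAINER_VERDICT:
        return "container verdict"           # summary line for an archive's inner hits
    if any(tool in haystack for tool in KNOWN_TOOLS):
        return "removal-tool component"      # expected riskware inside the helper tools
    return "needs review"


def parse_report(text: str) -> List[Detection]:
    """Parse the semicolon-separated report; blank and short lines are skipped."""
    dets: List[Detection] = []
    for fields in csv.reader(io.StringIO(text), delimiter=";"):
        if len(fields) < 4 or not fields[0].strip():
            continue
        obj, path, threat, action = (f.strip() for f in fields[:4])
        dets.append(Detection(obj, path, threat, action, classify(obj, path, threat)))
    return dets


def summarize(dets: List[Detection]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in dets:
        counts[d.verdict] = counts.get(d.verdict, 0) + 1
    return counts


def needs_review(dets: List[Detection]) -> List[Detection]:
    return [d for d in dets if d.verdict == "needs review"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for bucket, n in sorted(summarize(found).items()):
        print(f"{bucket:24s} {n}")
    for d in needs_review(found):
        print("review:", d.path + "\\" + d.obj, d.threat, d.action)
```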

#128 Emma_uk (Topic Starter)
Tried to uninstall Combofix but think Dr Web quarantined or deleted it, am I right?

#129 Emma_uk (Topic Starter)
Did a Kaspersky online scan & it found a couple of things :)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 16, 2008 12:55:25
Records in database: 1465606
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\

Scan statistics:
Files scanned: 62982
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 00:58:25


File name / Threat name / Threats count
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP295\A0164556.dll Infected: Packed.Win32.Krap.d 1
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP295\A0164557.dll Infected: Trojan.Win32.Agent.auxj 1
G:\Software\wAppz_CloneDVD4\Clone DVD 4.01.2516.EXE Infected: Worm.Win32.AutoRun.qhi 1

The selected area was scanned.

#130 RatHat (Ex Malware Expert)
There is only one file to worry about there, so let's get rid of it.

Re-download Combofix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are unsure of how to disable these programs, please refer to this page for details.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
G:\Software\wAppz_CloneDVD4\Clone DVD 4.01.2516.EXE


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply.


Now I got a reply from someone with a lot more experience than me regarding Java:

I don't know why JAVA jumped from 7 to 10, then to 11. If 7 works, I would let it be.

So I think we are safe with the version that you have installed.


#131 Emma_uk (Topic Starter)
:) That's good news about Java.

Here's the ComboFix report:



ComboFix 08-12-16.03 - admin 2008-12-17 9:04:34.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1440 [GMT 0:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\admin\Cookies\UKNTT.POF
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\SrchSTS.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-16 12:34 . 2008-12-16 12:44 <DIR> d-------- c:\documents and settings\admin\DoctorWeb
2008-12-16 11:25 . 2008-12-16 11:25 0 --a------ c:\windows\system32\REN4E.tmp
2008-12-16 11:25 . 2008-12-16 11:25 0 --a------ c:\windows\system32\REN4D.tmp
2008-12-16 11:25 . 2008-12-16 11:25 0 --a------ c:\windows\system32\REN49.tmp
2008-12-16 11:24 . 2008-12-16 11:24 <DIR> d-------- c:\program files\Common Files\Java
2008-12-16 10:42 . 2008-12-16 10:50 <DIR> d-------- c:\program files\Unlocker
2008-12-16 10:42 . 2008-12-16 10:43 <DIR> d-------- c:\documents and settings\admin\Application Data\Desktopicon
2008-12-15 15:39 . 2008-12-16 11:25 <DIR> d-------- c:\program files\Java
2008-12-15 15:39 . 2008-12-15 15:39 0 --a------ c:\windows\system32\REN157.tmp
2008-12-15 15:39 . 2008-12-15 15:39 0 --a------ c:\windows\system32\REN156.tmp
2008-12-15 15:39 . 2008-12-15 15:39 0 --a------ c:\windows\system32\REN155.tmp
2008-12-15 15:39 . 2008-12-15 15:39 0 --a------ c:\windows\system32\REN138.tmp
2008-12-15 15:39 . 2008-12-15 15:39 0 --a------ c:\windows\system32\REN137.tmp
2008-12-15 15:39 . 2008-12-15 15:39 0 --a------ c:\windows\system32\REN136.tmp
2008-12-15 13:57 . 2008-12-15 13:57 0 --a------ c:\windows\system32\REN113.tmp
2008-12-15 13:57 . 2008-12-15 13:57 0 --a------ c:\windows\system32\REN112.tmp
2008-12-15 13:57 . 2008-12-15 13:57 0 --a------ c:\windows\system32\REN111.tmp
2008-12-15 13:56 . 2008-12-15 13:56 0 --a------ c:\windows\system32\RENF4.tmp
2008-12-15 13:56 . 2008-12-15 13:56 0 --a------ c:\windows\system32\RENF3.tmp
2008-12-15 13:56 . 2008-12-15 13:56 0 --a------ c:\windows\system32\RENF2.tmp
2008-12-15 12:36 . 2001-08-17 22:37 24,576 --a--c--- c:\windows\system32\dllcache\agcgauge.ax
2008-12-15 11:43 . 2008-12-15 11:43 0 --a------ c:\windows\system32\REN4C.tmp
2008-12-15 11:43 . 2008-12-15 11:43 0 --a------ c:\windows\system32\REN4B.tmp
2008-12-15 11:43 . 2008-12-15 11:43 0 --a------ c:\windows\system32\REN4A.tmp
2008-12-15 11:42 . 2008-12-15 11:42 0 --a------ c:\windows\system32\REN2D.tmp
2008-12-15 11:42 . 2008-12-15 11:42 0 --a------ c:\windows\system32\REN2C.tmp
2008-12-15 11:42 . 2008-12-15 11:42 0 --a------ c:\windows\system32\REN2B.tmp
2008-12-15 09:41 . 2008-12-16 09:20 <DIR> d-------- c:\documents and settings\admin\Application Data\IDM
2008-12-15 09:40 . 2008-12-15 11:06 <DIR> d-------- c:\program files\Internet Download Manager
2008-12-15 09:23 . 2008-12-15 09:23 0 --a------ c:\windows\system32\REN82.tmp
2008-12-15 09:23 . 2008-12-15 09:23 0 --a------ c:\windows\system32\REN81.tmp
2008-12-15 09:23 . 2008-12-15 09:23 0 --a------ c:\windows\system32\REN80.tmp
2008-12-14 17:00 . 2008-12-14 17:00 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-12-14 17:00 . 2008-12-14 17:00 <DIR> d-------- c:\program files\MSECACHE
2008-12-14 13:40 . 2008-12-14 13:40 <DIR> d-------- c:\program files\Common Files\Insight Software Solutions
2008-12-14 13:40 . 2008-12-14 13:40 <DIR> d-------- c:\program files\Capture Express
2008-12-14 13:40 . 2008-12-14 13:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Insight Software Solutions
2008-12-14 13:40 . 2008-12-14 13:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Insight Software
2008-12-14 00:02 . 2008-12-14 00:02 268 --ah----- C:\sqmdata01.sqm
2008-12-14 00:02 . 2008-12-14 00:02 244 --ah----- C:\sqmnoopt01.sqm
2008-12-13 16:27 . 2008-12-13 16:27 <DIR> d-------- C:\fsaua.data
2008-12-13 09:59 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-12 09:36 . 2008-12-12 09:36 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-12 09:34 . 2008-12-12 09:34 <DIR> d-------- c:\windows\ERUNT
2008-12-11 19:39 . 2008-12-11 19:39 268 --ah----- C:\sqmdata00.sqm
2008-12-11 19:39 . 2008-12-11 19:39 244 --ah----- C:\sqmnoopt00.sqm
2008-12-11 16:34 . 2008-12-11 16:34 0 --a------ c:\windows\nsreg.dat
2008-12-11 11:02 . 2008-12-11 11:02 <DIR> d-------- c:\program files\Trend Micro
2008-12-11 07:43 . 2008-06-08 12:44 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-12-11 07:43 . 2008-12-11 07:43 <DIR> d-------- c:\documents and settings\Administrator
2008-12-10 19:24 . 2008-12-10 19:24 <DIR> d-------- c:\documents and settings\admin\Application Data\Malwarebytes
2008-12-10 19:22 . 2008-12-10 19:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-10 19:22 . 2008-12-10 19:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-10 19:22 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-10 19:22 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-10 17:58 . 2008-12-10 17:57 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-10 13:47 . 2008-12-10 13:47 0 --a------ c:\windows\system32\8104297.jun
2008-12-09 19:30 . 2006-02-28 12:00 4,224 --a------ c:\windows\system32\drivers\beep.sys
2008-12-09 19:30 . 2006-02-28 12:00 4,224 --a--c--- c:\windows\system32\dllcache\beep.sys
2008-12-09 18:40 . 2008-12-09 18:40 <DIR> d-------- C:\Binaries
2008-12-09 18:25 . 2008-12-10 14:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 18:54 . 2006-01-04 01:00 65,536 --a------ c:\windows\system32\ICE_JNIRegistry.dll
2008-12-06 14:25 . 2008-12-06 14:40 <DIR> d-------- c:\documents and settings\admin\Application Data\GrabPro
2008-12-06 14:24 . 2008-12-06 17:52 <DIR> d-------- c:\documents and settings\admin\Application Data\Orbit
2008-12-06 14:11 . 2008-12-06 14:16 237,568 --a------ c:\windows\system32\rmc_rtspdl.dll
2008-12-06 14:11 . 2008-12-06 14:16 156,672 --a------ c:\windows\system32\rmc_fixasf.exe
2008-12-06 14:09 . 2008-12-06 14:16 323,584 --a------ c:\windows\system32\AUDIOGENIE2.DLL
2008-12-06 14:08 . 2008-12-06 14:08 <DIR> d-------- c:\windows\Replay Media Catcher
2008-12-04 16:19 . 2008-12-11 08:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ulead Systems
2008-12-01 19:12 . 2008-12-03 16:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\River Past G5
2008-12-01 19:12 . 2008-12-01 19:12 <DIR> d-------- c:\documents and settings\admin\Application Data\River Past G5
2008-12-01 14:54 . 2008-12-01 14:54 <DIR> d-------- c:\documents and settings\admin\Application Data\dvdcss
2008-11-30 20:16 . 2008-11-30 20:19 20,358 --a------ c:\windows\vgirl.prf
2008-11-27 09:41 . 2008-12-11 17:53 <DIR> d-------- c:\documents and settings\admin\Application Data\Apple Computer
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\program files\Apple Software Update
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-26 17:28 . 2008-11-26 17:33 <DIR> d-------- c:\program files\QuickTime
2008-11-24 16:30 . 2000-04-30 18:12 92,160 --a------ c:\windows\system32\BarCod32.OCX
2008-11-24 11:10 . 2008-11-24 11:10 <DIR> d-------- c:\documents and settings\admin\Application Data\vlc
2008-11-22 17:39 . 2008-11-22 17:39 0 --a------ c:\documents and settings\admin\Application Data\wklnhst.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 09:04 --------- d-----w c:\documents and settings\admin\Application Data\DMCache
2008-12-16 22:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-15 21:05 --------- d-----w c:\documents and settings\admin\Application Data\VSO
2008-12-11 08:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 08:11 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-11 08:11 --------- d-----w c:\documents and settings\admin\Application Data\Uniblue
2008-12-09 15:36 --------- d-----w c:\program files\Your Uninstaller 2008
2008-12-04 19:14 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-04 16:03 --------- d-----w c:\documents and settings\admin\Application Data\Canon
2008-11-17 20:40 --------- d-----w c:\documents and settings\admin\Application Data\LimeWire
2008-11-16 17:44 --------- d-----w c:\program files\McAfee
2008-11-12 11:37 --------- d-----w c:\documents and settings\All Users\Application Data\13242
2008-11-05 08:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-29 16:47 --------- d-----w c:\documents and settings\admin\Application Data\CyberLink
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 20:45 --------- d-----w c:\program files\MSBuild
2008-10-23 20:44 --------- d-----w c:\program files\Reference Assemblies
2008-10-23 19:49 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-10-23 19:49 --------- d-----w c:\documents and settings\admin\Application Data\ATI
2008-10-23 18:56 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-10-23 18:51 --------- d-----w c:\program files\ATI Technologies
2008-10-23 18:34 --------- dc-h--w c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-06 16:02 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-07-15 931248]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Privacy Suite"="c:\program files\CyberScrub Privacy Suite\CSPSeraser.exe" [2008-07-23 876680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-26 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Capture Express.lnk - c:\program files\Capture Express\capexp.exe [2008-12-14 5373952]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-04 203280]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2008-06-02 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2008-06-02 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2008-06-02 32000]
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;c:\windows\system32\drivers\UsbMicfilt.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb2a7764-e932-11db-a0f9-00508d9d5209}]
\Shell\AutoRun\command - F:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2008-04-14 00:12]

2007-04-12 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 09:05:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-17 9:06:44
ComboFix-quarantined-files.txt 2008-12-17 09:06:41

Pre-Run: 227,032,371,200 bytes free
Post-Run: 227,106,314,240 bytes free

208 --- E O F --- 2008-12-11 07:18:36

#132 Emma_uk (Topic Starter)
Did another Kaspersky and it looks like it got away :)

They're slippery little buggers, aren't they? :)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 17, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 17, 2008 06:02:17
Records in database: 1467765
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\

Scan statistics:
Files scanned: 61771
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 00:58:15


File name / Threat name / Threats count
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP295\A0164556.dll Infected: Packed.Win32.Krap.d 1
C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP295\A0164557.dll Infected: Trojan.Win32.Agent.auxj 1
G:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP318\A0170953.EXE Infected: Worm.Win32.AutoRun.qhi 1

The selected area was scanned.

#133 RatHat (Ex Malware Expert)
I am glad that we are OK with Java now! Those files that Kaspersky found are in System Restore and are harmless unless you restore your system to a previous point; we will clean them out later.

Firstly though, let's get rid of those temp files from your System32 folder.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\REN4E.tmp
c:\windows\system32\REN4D.tmp
c:\windows\system32\REN49.tmp
c:\windows\system32\REN157.tmp
c:\windows\system32\REN156.tmp
c:\windows\system32\REN155.tmp
c:\windows\system32\REN138.tmp
c:\windows\system32\REN137.tmp
c:\windows\system32\REN136.tmp
c:\windows\system32\REN113.tmp
c:\windows\system32\REN112.tmp
c:\windows\system32\REN111.tmp
c:\windows\system32\RENF4.tmp
c:\windows\system32\RENF3.tmp
c:\windows\system32\RENF2.tmp
c:\windows\system32\REN4C.tmp
c:\windows\system32\REN4B.tmp
c:\windows\system32\REN4A.tmp
c:\windows\system32\REN2D.tmp
c:\windows\system32\REN2C.tmp
c:\windows\system32\REN2B.tmp
c:\windows\system32\REN82.tmp
c:\windows\system32\REN81.tmp
c:\windows\system32\REN80.tmp


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply.
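As an added example (my code, not the helper's or ComboFix's own), the following Python builds the File:: block of a CFScript from the "Files Created" section of a ComboFix log, selecting the zero-byte REN*.tmp files in system32 the way the list in the post above was assembled by hand. The log lines are a constructed subset of the report posted earlier in the thread; the regular expression is my reading of ComboFix's line layout, not a documented format.

```python
"""Build the File:: block of a ComboFix CFScript from a log's 'Files Created' section."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of the 'Files Created' section posted above. Each line is
#   <created> . <modified> <size or <DIR>> <attributes> <path>
SAMPLE_FILES_CREATED = r"""
2008-12-16 12:34 . 2008-12-16 12:44 <DIR> d-------- c:\documents and settings\admin\DoctorWeb
2008-12-16 11:25 . 2008-12-16 11:25 0 --a------ c:\windows\system32\REN4E.tmp
2008-12-16 11:25 . 2008-12-16 11:25 0 --a------ c:\windows\system32\REN4D.tmp
2008-12-15 12:36 . 2001-08-17 22:37 24,576 --a--c--- c:\windows\system32\dllcache\agcgauge.ax
2008-12-11 16:34 . 2008-12-11 16:34 0 --a------ c:\windows\nsreg.dat
2008-12-10 13:47 . 2008-12-10 13:47 0 --a------ c:\windows\system32\8104297.jun
"""

# Assumption: my reading of the line layout, not a documented ComboFix specification.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Empty REN<hex>.tmp files directly in system32: the pattern the post above removes.
STRAY_TMP_RE = re.compile(r"c:\\windows\\system32\\ren[0-9a-f]+\.tmp$")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for <DIR> lines
    attrs: str
    path: str


def parse_files_created(text: str) -> List[Entry]:
    """Parse log lines; section banners, lone dots and blank lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def select_stray_tmp(entries: List[Entry]) -> List[str]:
    """Only zero-byte REN*.tmp files in system32; anything else is left for the helper to judge."""
    return [e.path for e in entries
            if e.size == 0 and STRAY_TMP_RE.fullmatch(e.path.lower())]


def build_cfscript(paths: List[str]) -> str:
    """CFScript 'File::' directive: one full path per line, as in the post above."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    entries = parse_files_created(SAMPLE_FILES_CREATED)
    print(build_cfscript(select_stray_tmp(entries)), end="")
```

Note that the other zero-byte entries in the sample (nsreg.dat and the .jun file in system32) are deliberately not selected, since the filter is on name and size together.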

#134 Emma_uk (Topic Starter)
ComboFix 08-12-16.03 - admin 2008-12-17 11:15:57.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1317 [GMT 0:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\system32\REN111.tmp
c:\windows\system32\REN112.tmp
c:\windows\system32\REN113.tmp
c:\windows\system32\REN136.tmp
c:\windows\system32\REN137.tmp
c:\windows\system32\REN138.tmp
c:\windows\system32\REN155.tmp
c:\windows\system32\REN156.tmp
c:\windows\system32\REN157.tmp
c:\windows\system32\REN2B.tmp
c:\windows\system32\REN2C.tmp
c:\windows\system32\REN2D.tmp
c:\windows\system32\REN49.tmp
c:\windows\system32\REN4A.tmp
c:\windows\system32\REN4B.tmp
c:\windows\system32\REN4C.tmp
c:\windows\system32\REN4D.tmp
c:\windows\system32\REN4E.tmp
c:\windows\system32\REN80.tmp
c:\windows\system32\REN81.tmp
c:\windows\system32\REN82.tmp
c:\windows\system32\RENF2.tmp
c:\windows\system32\RENF3.tmp
c:\windows\system32\RENF4.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\REN111.tmp
c:\windows\system32\REN112.tmp
c:\windows\system32\REN113.tmp
c:\windows\system32\REN136.tmp
c:\windows\system32\REN137.tmp
c:\windows\system32\REN138.tmp
c:\windows\system32\REN155.tmp
c:\windows\system32\REN156.tmp
c:\windows\system32\REN157.tmp
c:\windows\system32\REN2B.tmp
c:\windows\system32\REN2C.tmp
c:\windows\system32\REN2D.tmp
c:\windows\system32\REN49.tmp
c:\windows\system32\REN4A.tmp
c:\windows\system32\REN4B.tmp
c:\windows\system32\REN4C.tmp
c:\windows\system32\REN4D.tmp
c:\windows\system32\REN4E.tmp
c:\windows\system32\REN80.tmp
c:\windows\system32\REN81.tmp
c:\windows\system32\REN82.tmp
c:\windows\system32\RENF2.tmp
c:\windows\system32\RENF3.tmp
c:\windows\system32\RENF4.tmp

.
((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-16 12:34 . 2008-12-16 12:44 <DIR> d-------- c:\documents and settings\admin\DoctorWeb
2008-12-16 11:24 . 2008-12-16 11:24 <DIR> d-------- c:\program files\Common Files\Java
2008-12-16 10:42 . 2008-12-16 10:50 <DIR> d-------- c:\program files\Unlocker
2008-12-16 10:42 . 2008-12-16 10:43 <DIR> d-------- c:\documents and settings\admin\Application Data\Desktopicon
2008-12-15 15:39 . 2008-12-16 11:25 <DIR> d-------- c:\program files\Java
2008-12-15 12:36 . 2001-08-17 22:37 24,576 --a--c--- c:\windows\system32\dllcache\agcgauge.ax
2008-12-15 09:41 . 2008-12-16 09:20 <DIR> d-------- c:\documents and settings\admin\Application Data\IDM
2008-12-15 09:40 . 2008-12-15 11:06 <DIR> d-------- c:\program files\Internet Download Manager
2008-12-14 17:00 . 2008-12-14 17:00 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-12-14 17:00 . 2008-12-14 17:00 <DIR> d-------- c:\program files\MSECACHE
2008-12-14 13:40 . 2008-12-14 13:40 <DIR> d-------- c:\program files\Common Files\Insight Software Solutions
2008-12-14 13:40 . 2008-12-14 13:40 <DIR> d-------- c:\program files\Capture Express
2008-12-14 13:40 . 2008-12-14 13:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Insight Software Solutions
2008-12-14 13:40 . 2008-12-14 13:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Insight Software
2008-12-14 00:02 . 2008-12-14 00:02 268 --ah----- C:\sqmdata01.sqm
2008-12-14 00:02 . 2008-12-14 00:02 244 --ah----- C:\sqmnoopt01.sqm
2008-12-13 16:27 . 2008-12-13 16:27 <DIR> d-------- C:\fsaua.data
2008-12-13 09:59 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-12 09:36 . 2008-12-12 09:36 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-12 09:34 . 2008-12-12 09:34 <DIR> d-------- c:\windows\ERUNT
2008-12-11 19:39 . 2008-12-11 19:39 268 --ah----- C:\sqmdata00.sqm
2008-12-11 19:39 . 2008-12-11 19:39 244 --ah----- C:\sqmnoopt00.sqm
2008-12-11 16:34 . 2008-12-11 16:34 0 --a------ c:\windows\nsreg.dat
2008-12-11 11:02 . 2008-12-11 11:02 <DIR> d-------- c:\program files\Trend Micro
2008-12-11 07:43 . 2008-06-08 12:44 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-12-11 07:43 . 2008-12-11 07:43 <DIR> d-------- c:\documents and settings\Administrator
2008-12-10 19:24 . 2008-12-10 19:24 <DIR> d-------- c:\documents and settings\admin\Application Data\Malwarebytes
2008-12-10 19:22 . 2008-12-10 19:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-10 19:22 . 2008-12-10 19:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-10 19:22 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-10 19:22 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-10 17:58 . 2008-12-10 17:57 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-10 13:47 . 2008-12-10 13:47 0 --a------ c:\windows\system32\8104297.jun
2008-12-09 19:30 . 2006-02-28 12:00 4,224 --a------ c:\windows\system32\drivers\beep.sys
2008-12-09 19:30 . 2006-02-28 12:00 4,224 --a--c--- c:\windows\system32\dllcache\beep.sys
2008-12-09 18:40 . 2008-12-09 18:40 <DIR> d-------- C:\Binaries
2008-12-09 18:25 . 2008-12-10 14:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 18:54 . 2006-01-04 01:00 65,536 --a------ c:\windows\system32\ICE_JNIRegistry.dll
2008-12-06 14:25 . 2008-12-06 14:40 <DIR> d-------- c:\documents and settings\admin\Application Data\GrabPro
2008-12-06 14:24 . 2008-12-06 17:52 <DIR> d-------- c:\documents and settings\admin\Application Data\Orbit
2008-12-06 14:11 . 2008-12-06 14:16 237,568 --a------ c:\windows\system32\rmc_rtspdl.dll
2008-12-06 14:11 . 2008-12-06 14:16 156,672 --a------ c:\windows\system32\rmc_fixasf.exe
2008-12-06 14:09 . 2008-12-06 14:16 323,584 --a------ c:\windows\system32\AUDIOGENIE2.DLL
2008-12-06 14:08 . 2008-12-06 14:08 <DIR> d-------- c:\windows\Replay Media Catcher
2008-12-04 16:19 . 2008-12-11 08:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ulead Systems
2008-12-01 19:12 . 2008-12-03 16:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\River Past G5
2008-12-01 19:12 . 2008-12-01 19:12 <DIR> d-------- c:\documents and settings\admin\Application Data\River Past G5
2008-12-01 14:54 . 2008-12-01 14:54 <DIR> d-------- c:\documents and settings\admin\Application Data\dvdcss
2008-11-30 20:16 . 2008-11-30 20:19 20,358 --a------ c:\windows\vgirl.prf
2008-11-27 09:41 . 2008-12-11 17:53 <DIR> d-------- c:\documents and settings\admin\Application Data\Apple Computer
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\program files\Apple Software Update
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-26 17:28 . 2008-11-26 17:33 <DIR> d-------- c:\program files\QuickTime
2008-11-24 16:30 . 2000-04-30 18:12 92,160 --a------ c:\windows\system32\BarCod32.OCX
2008-11-24 11:10 . 2008-11-24 11:10 <DIR> d-------- c:\documents and settings\admin\Application Data\vlc
2008-11-22 17:39 . 2008-11-22 17:39 0 --a------ c:\documents and settings\admin\Application Data\wklnhst.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 11:16 --------- d-----w c:\documents and settings\admin\Application Data\DMCache
2008-12-17 11:02 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-15 21:05 --------- d-----w c:\documents and settings\admin\Application Data\VSO
2008-12-11 08:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 08:11 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-11 08:11 --------- d-----w c:\documents and settings\admin\Application Data\Uniblue
2008-12-09 15:36 --------- d-----w c:\program files\Your Uninstaller 2008
2008-12-04 19:14 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-04 16:03 --------- d-----w c:\documents and settings\admin\Application Data\Canon
2008-11-17 20:40 --------- d-----w c:\documents and settings\admin\Application Data\LimeWire
2008-11-16 17:44 --------- d-----w c:\program files\McAfee
2008-11-12 11:37 --------- d-----w c:\documents and settings\All Users\Application Data\13242
2008-11-05 08:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-29 16:47 --------- d-----w c:\documents and settings\admin\Application Data\CyberLink
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 20:45 --------- d-----w c:\program files\MSBuild
2008-10-23 20:44 --------- d-----w c:\program files\Reference Assemblies
2008-10-23 19:49 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-10-23 19:49 --------- d-----w c:\documents and settings\admin\Application Data\ATI
2008-10-23 18:56 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-10-23 18:51 --------- d-----w c:\program files\ATI Technologies
2008-10-23 18:34 --------- dc-h--w c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-06 16:02 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-07-15 931248]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Privacy Suite"="c:\program files\CyberScrub Privacy Suite\CSPSeraser.exe" [2008-07-23 876680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-26 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Capture Express.lnk - c:\program files\Capture Express\capexp.exe [2008-12-14 5373952]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-04 203280]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2008-06-02 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2008-06-02 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2008-06-02 32000]
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;c:\windows\system32\drivers\UsbMicfilt.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb2a7764-e932-11db-a0f9-00508d9d5209}]
\Shell\AutoRun\command - F:\autorun.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2008-04-14 00:12]

2007-04-12 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 11:17:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-17 11:18:49
ComboFix-quarantined-files.txt 2008-12-17 11:18:46

Pre-Run: 226,990,387,200 bytes free
Post-Run: 227,077,810,176 bytes free

228 --- E O F --- 2008-12-11 07:18:36
  • 0
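One way to read the "Reg Loading Points" section of a ComboFix log like the one above is to pick out the settings that deserve a second look before calling the machine clean. The following is an added example written for this page, not ComboFix's own logic or anything from the thread: it flags Security Center monitoring that is switched off, a disabled Windows Firewall profile, and a per-drive AutoRun handler, using the lines copied from the log above as constructed sample input.

```python
import re

# Constructed sample: the registry lines excerpted from the ComboFix
# "Reg Loading Points" section of the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb2a7764-e932-11db-a0f9-00508d9d5209}]
\Shell\AutoRun\command - F:\autorun.exe
"""
KEY_RE = re.compile(r"^\[(.+)\]$")                    # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(\S+)')       # "Name"=value ...
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.IGNORECASE)

def review_loading_points(text):
    """Return (category, detail) pairs for settings a log reviewer should verify."""
    findings = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in key:
            # Per-drive AutoRun handler: removable-media autorun was a common
            # infection route, so the target file should be checked.
            findings.append(("autorun", m.group(1)))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).lower()
        if (r"security center\monitoring" in key and name == "disablemonitoring"
                and value == "dword:00000001"):
            # Normal when a third-party suite reports its own status; confirm
            # that the named product is really installed and running.
            findings.append(("monitoring-disabled", key.rsplit("\\", 1)[-1]))
        elif (r"firewallpolicy\standardprofile" in key and name == "enablefirewall"
                and value == "0"):
            # Windows Firewall off: acceptable only if another firewall is active.
            findings.append(("windows-firewall-off", "standardprofile"))
    return findings

if __name__ == "__main__":
    for category, detail in review_loading_points(SAMPLE_LOG):
        print(f"{category:22} {detail}")
```

None of the four findings is proof of infection on its own; in this log the first three are consistent with McAfee managing its own status, and the AutoRun entry points at a drive letter whose contents should be checked.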

#135
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK Emma, now for the good news. It looks like your log is clean again, and I can let you get back to normal again!

Now let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /u; it needs to be there.

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

You can also delete DrWeb, and any other files, or logs remaining. Keep ATF cleaner though, it is very useful.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


An essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. A tutorial can be found here.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. A tutorial can be found here. AdAware and Spybot Search & Destroy complement each other very well.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Lastly, it is a good idea to clear out all your temp files every now and again. This will help keep your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

Temp File Cleaners
  • ATF Cleaner - A very powerful cleaning program. Note: You may have this already as part of the fixes you have run.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Note: Do NOT run this program if you have XP Professional 64 bit edition.

To find out more information about how you got infected in the first place, you can read this article.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat
  • 0