Trojan ?
Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/14/2010 3:04 AM (GMT +3)
Hmmm - ComboFix indicates it corrected the malware file, but this is something of a mystery:

------- Sigcheck -------

[-] 2009-12-07 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2009-12-07 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2004-08-04 . 1DF7F42665C94B825322FAE71721130D . 182912 . . [5.1.2600.5512] . . c:\windows\$NtServicePackUninstall$\ndis.sys

Matching MD5 hashes but different file sizes, which technically is not possible, and which leaves us without any verification of which of the files is the correct one. The malware-altered boot-level driver file is still showing in the ComboFix log, so we will need to do something different to get a handle on what needs to be done there. You are doing well so far though.

Go here and download USEC.at's radix_installer_trial.zip. Then unzip that and click the radixgui.exe to open the scan display.

Then, without making any changes, click the Check button to start the scan. Once it has completed, click the Save Log button and save that to a location you can return to. Then click the "X" to close the Radix scanner.

!!! Caution - the Radix scanner has many settings and options, including many that can cause quick and permanent corruption to your operating system. Avoid the temptation to try any other options, scans or settings when using it.

That log will be too large for posting here, so instead just zip a copy of it, then send it to jintan AT malwarecrypt.com as an attachment. Please place "Submitted Files - banksy/bg/rdx" as the email Subject.
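A check for the inconsistency Jintan points out above, written as an added example for this page rather than taken from the thread, ComboFix or USEC: it parses Sigcheck-style lines (the four ndis.sys lines embedded as constructed sample input), flags any MD5 that the log reports for more than one file size, treats the ServicePackFiles copy as the reference size (an assumption about XP's layout, not something the thread states), and re-hashes a file independently of the log.

```python
"""Sanity checks for ComboFix-style Sigcheck lines.

Added example for this page; it is not code from the forum thread, ComboFix or USEC.
"""
import hashlib
import re

# Constructed sample input: the four ndis.sys lines quoted in the post above.
SIGCHECK_SAMPLE = [
    r"[-] 2009-12-07 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys",
    r"[-] 2009-12-07 . 1DF7F42665C94B825322FAE71721130D . 212224 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys",
    r"[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys",
    r"[-] 2004-08-04 . 1DF7F42665C94B825322FAE71721130D . 182912 . . [5.1.2600.5512] . . c:\windows\$NtServicePackUninstall$\ndis.sys",
]

# Layout of one line: [flag] date . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)


def parse_sigcheck(lines):
    """Return one dict per well-formed Sigcheck line; anything else is skipped."""
    entries = []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if m is None:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        entries.append(entry)
    return entries


def hash_size_conflicts(entries):
    """Map each MD5 reported for more than one distinct size to the sorted list of sizes.

    Two files of different length cannot both be the file a genuine MD5 was computed
    over, so a non-empty result means the hash column of this log cannot be trusted:
    the tool was fed something other than the real file contents.
    """
    sizes_by_md5 = {}
    for entry in entries:
        sizes_by_md5.setdefault(entry["md5"], set()).add(entry["size"])
    return {md5: sorted(sizes) for md5, sizes in sizes_by_md5.items() if len(sizes) > 1}


def reference_size_outliers(entries, reference_marker="servicepackfiles"):
    """Return entries whose size differs from the same-named copy under ServicePackFiles.

    Assumption (not stated in the thread): on Windows XP the service pack keeps its
    original binaries under \\ServicePackFiles\\i386\\, so that copy is used as the
    reference size. File names with no reference copy are left alone.
    """
    by_name = {}
    for entry in entries:
        name = entry["path"].rsplit("\\", 1)[-1].lower()
        by_name.setdefault(name, []).append(entry)
    outliers = []
    for group in by_name.values():
        reference = [e for e in group if reference_marker in e["path"].lower()]
        if not reference:
            continue
        reference_size = reference[0]["size"]
        outliers.extend(e for e in group if e["size"] != reference_size)
    return outliers


def verify_against_log(entry, data):
    """Compare a file's real bytes with what the log line claims about it."""
    actual_md5 = hashlib.md5(data).hexdigest().upper()
    return {
        "path": entry["path"],
        "actual_size": len(data),
        "actual_md5": actual_md5,
        "size_matches": len(data) == entry["size"],
        "md5_matches": actual_md5 == entry["md5"],
    }


def verify_file_on_disk(entry):
    """Re-hash the file named in the log line and compare it with the logged values."""
    with open(entry["path"], "rb") as f:
        return verify_against_log(entry, f.read())


if __name__ == "__main__":
    parsed = parse_sigcheck(SIGCHECK_SAMPLE)
    for md5, sizes in hash_size_conflicts(parsed).items():
        print(f"impossible: MD5 {md5} is reported for sizes {sizes}")
    for outlier in reference_size_outliers(parsed):
        print(f"differs from ServicePackFiles copy: {outlier['path']} ({outlier['size']} bytes)")
```

Run the on-disk check from a clean environment such as a boot CD: a kernel-level infection on the running system can feed this script the same bytes it fed ComboFix.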
banksy
Junior Member
Date Joined Jun 2008
Total Posts : 53
Posted 1/14/2010 7:53 PM (GMT +3)
jintan, about 5 mins into the scan - a box appeared saying "CRASH" system error - do you want to continue? - NOT RECOMMENDED.
SO I EXITED THE SCAN...

here's the log anyway:

Thanks to all the people who donated and ensured the continued development of this software!
If you want to donate and keep this software alive, please have a look at the About-Tab.
Thanks in advance!
USEC Radix V1, 0, 0, 10 [2009/11/28] at your service.
---- Check started at 14.1.2010 16:39:54 ----
Running on: Microsoft Windows NT 5.1 Build 2600 Service Pack 3
Number of Processors: 1, Active Processor Mask: 00000001
Processor: Intel Level 6 Revision 0701
Allocation granularity: 00010000, Page granularity: 00001000
Application space: 00010000-7FFEFFFF
[X] Filter common false alarms.
16:39:54 - Performing check: "Hidden files":
This check can take some time depending on your harddisk size. You can interrupt it with the ESC key.
16:44:3 - Performing check: "Alternate Data Streams":
This check can take some time depending on your harddisk size. You can interrupt it with the ESC key.
267 streams found.
16:47:3 - Performing check: "Hidden processes":
(01) PID: 0 [00000000] (Idle)
(53) PID: 4 [83331A00] (System)
(191) PID: 332 [82DD36B0] (ServiceLayer.exe)
(175) PID: 360 [831EE7A0] (svchost.exe)
(191) PID: 416 [82FAC810] (svchost.exe)
(07) PID: 424 [82F4BDA0] (smss.exe)
(191) PID: 480 [82EF6580] (csrss.exe)
(175) PID: 504 [82E31DA0] (winlogon.exe)
(191) PID: 548 [82FBC248] (services.exe)
(191) PID: 564 [82E0C9F8] (lsass.exe)
(175) PID: 720 [82E08DA0] (svchost.exe)
(191) PID: 764 [82E9DDA0] (svchost.exe)
(191) PID: 832 [82F69DA0] (svchost.exe)
(191) PID: 864 [82EA1348] (svchost.exe)
(191) PID: 1008 [82F51DA0] (svchost.exe)
(191) PID: 1052 [82E5BDA0] (svchost.exe)
(175) PID: 1068 [82F62360] (svchost.exe)
(191) PID: 1192 [82E79608] (spoolsv.exe)
(175) PID: 1320 [830371C8] (svchost.exe)
(191) PID: 1328 [82F77500] (svchost.exe)
(191) PID: 1336 [82FDF360] (svchost.exe)
(191) PID: 1812 [82FBCAE8] (AppleMobileDeviceService.exe)
(191) PID: 1828 [82E26CA8] (mDNSResponder.exe)
(191) PID: 1856 [82E5CC30] (svchost.exe)
(175) PID: 1876 [82FAD898] (E_S40RP7.EXE)
(191) PID: 1924 [82E0CDA0] (jqs.exe)
(175) PID: 2056 [82EC83C8] (NclUSBSrv.exe)
(191) PID: 2144 [8312FB28] (NclRSSrv.exe)
(191) PID: 2204 [82F66DA0] (alg.exe)
(175) PID: 2828 [8325BDA0] (Generic.exe)
(191) PID: 2888 [829C9280] (iexplore.exe)
(191) PID: 3004 [831B5908] (epmworker.exe)
(191) PID: 3128 [82F6C648] (explorer.exe)
(175) PID: 3220 [82ECD950] (wscntfy.exe)
(175) PID: 3244 [82ECC860] (PDVDServ.exe)
(191) PID: 3272 [82DF1848] (mixer.exe)
(191) PID: 3308 [82ED58A0] (rundll32.exe)
(191) PID: 3316 [82F7F6D0] (Vm_sti.exe)
(175) PID: 3344 [82E6EDA0] (Application Launcher.exe)
(175) PID: 3352 [82EA2B10] (QTTask.exe)
(191) PID: 3364 [82FB62C8] (iTunesHelper.exe)
(175) PID: 3380 [82DD2BE0] (jusched.exe)
(175) PID: 3416 [82E894E8] (realsched.exe)
(175) PID: 3424 [82DBBDA0] (msmsgs.exe)
(191) PID: 3432 [82F248C8] (PPLive.exe)
(191) PID: 3456 [82EA7500] (PCSuite.exe)
(175) PID: 3468 [830388A8] (ctfmon.exe)
(191) PID: 3540 [82F446A0] (NkvMon.exe)
(191) PID: 3760 [82EBF320] (iexplore.exe)
(191) PID: 3880 [82FE7990] (iPodService.exe)
(175) PID: 4140 [829AB9F0] (infocard.exe)
(187) PID: 5012 [829C7020] (radixgui.exe)
16:47:10 - Performing check: "Selftest":
Doing a short selftest...
 -> Checking IAT
PID 5012  - C:\Documents and Settings\favv\Desktop\radixgui.exe
-------------------------------------------------------------------------------
ntdll.dll           (7C900000 - 7C9B2000)
kernel32.dll        (7C800000 - 7C8F6000)
USER32.dll          (7E410000 - 7E4A1000)
GDI32.dll           (77F10000 - 77F59000)
comdlg32.dll        (763B0000 - 763F9000)
ADVAPI32.dll        (77DD0000 - 77E6B000)
RPCRT4.dll          (77E70000 - 77F02000)
Secur32.dll         (77FE0000 - 77FF1000)
COMCTL32.dll        (5D090000 - 5D12A000)
SHELL32.dll         (7C9C0000 - 7D1D7000)
msvcrt.dll          (77C10000 - 77C68000)
SHLWAPI.dll         (77F60000 - 77FD6000)
ole32.dll           (774E0000 - 7761D000)
VERSION.dll         (77C00000 - 77C08000)
dbghelp.dll         (59A60000 - 59B01000)
IMM32.DLL           (76390000 - 763AD000)
comctl32.dll        (773D0000 - 774D3000)
wintrust.dll        (76C30000 - 76C5E000)
CRYPT32.dll         (77A80000 - 77B15000)
MSASN1.dll          (77B20000 - 77B32000)
IMAGEHLP.dll        (76C90000 - 76CB8000)
NTMARTA.DLL         (77690000 - 776B1000)
SAMLIB.dll          (71BF0000 - 71C03000)
WLDAP32.dll         (76F60000 - 76F8C000)
uxtheme.dll         (5AD70000 - 5ADA8000)
MSCTF.dll           (74720000 - 7476C000)
apphelp.dll         (77B40000 - 77B62000)
msctfime.ime        (755C0000 - 755EE000)
OLEAUT32.DLL        (77120000 - 771AB000)
Selftest complete.
16:47:13 - Performing check: "MBR":
Partition Table:
+----+-----+------Start------+--------End------+----------+----------+----+
| Nr | Act | Head Sect Track | Head Sect Track |  Offset  |  Length  | OS |
+----+-----+-----------------+-----------------+----------+----------+----+
| 1  |  Y  | 001   01  0000  | 254   63  0255  | 0000003F | 0995C65B | 07 |
| 2  |  N  | 000   00  0000  | 000   00  0000  | 00000000 | 00000000 | 00 |
| 3  |  N  | 000   00  0000  | 000   00  0000  | 00000000 | 00000000 | 00 |
| 4  |  N  | 000   00  0000  | 000   00  0000  | 00000000 | 00000000 | 00 |
+----+-----+-----------------+-----------------+----------+----------+----+
MBR seems to be OK.
16:47:14 - Performing check: "Patched modules":
Module information:
Idx Base     Size     Module           Service          Pre Sig Patched
000 804D7000 00216780 ntoskrnl.exe                      YES YES
****************************************************
*** A Program Fault occurred:                    ***
*** Error code C0000005: ACCESS VIOLATION        ***
****************************************************
***   Address: 0043BAB6       Flags: 00000000    ***
***   EAX=00000000  EBX=00000104  ECX=00000041   ***
***   EDX=7EFEFEFF  EBP=832A6500  ESI=00000000   ***
***   EDI=0013D2F0  ESP=0013D264  EIP=0043BAB6   ***
****************************************************
Memory dump for EDI:
Memory dump for ESP:
Target platform: Microsoft Windows NT 5.1 Build 2600 Service Pack 3
Please wait...
--# FV EIP----- RetAddr- FramePtr StackPtr Symbol
  0 .V 0043bab6 00000000 832a6500 0013d264     Mod:  radixgui[radixgui.exe], base: 00400000h
    Sym:  type: -nosymbols-, file:
 
I didn't zip & e-mail it because of the abrupt end to the scan and it probably not being complete.
Awaiting your reply - thanks, banksy.

Post Edited (banksy) : 14-01-2010 17:22:24 GMT


Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/15/2010 2:38 AM (GMT +3)
You chose correctly in not opting to continue. Gonna need something on our side there getting the accurate info though.


Go here and download reglooks.exe to your Desktop. Double-click on it to run it, and when it has finished scanning, a log named result.txt will open in Notepad. Copy the log and post it in this thread.

---------------

Go here, scroll down and download RootRepeal.zip to your Desktop. Unzip that, and then click RootRepeal.exe to open the scanner. Next click on the Report tab, and then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


You will then be asked which drive to scan. Check C: and click Ok again. The scan will start. It will take a little while, so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and paste it in this thread.

banksy
Junior Member
Date Joined Jun 2008
Total Posts : 53
Posted 1/15/2010 7:01 PM (GMT +3)
reglooks log:

REGLOOKS logfile - version 0.985
Scan started: 15/01/2010 15:50:43.06

--- INFORMATION ---

Manufacturer: System Manufacturer - Model: System Name
Operating System: Microsoft Windows XP Professional -- 5.1.2600 -- Service Pack 3 --
Processor: AMD Duron(tm) Processor
Number of Processors: 1
Work Station
Bootmode: Normal boot
Total RAM: 735 MB (free 310 MB - 42%)

Computername: HOME
Domain: MSHOME
User: favv (Administrator account)

Bootdevice: \Device\HarddiskVolume1
Systemdrive: C:
Windowsdirectory: C:\WINDOWS
Systemdirectory: C:\WINDOWS\system32

Internet Explorer Version: 8.0.6001.18702




--- SIGCHECK ---

C:\WINDOWS\explorer.exe -- [1033728] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\appmgmts.dll -- [167936] -- [14/04/2008 00:11] -- sigcheck OK
C:\WINDOWS\system32\browser.dll -- [77824] -- [14/04/2008 00:11] -- sigcheck OK
C:\WINDOWS\system32\comres.dll -- [792064] -- [14/04/2008 00:11] -- sigcheck OK
C:\WINDOWS\system32\comctl32.dll -- [617472] -- [14/04/2008 00:11] -- sigcheck OK
C:\WINDOWS\system32\cryptsvc.dll -- [62464] -- [14/04/2008 00:11] -- sigcheck OK
C:\WINDOWS\system32\ctfmon.exe -- [15360] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\es.dll -- [253952] -- [07/07/2008 20:26] -- sigcheck OK
C:\WINDOWS\system32\eventlog.dll -- [56320] -- [14/04/2008 00:11] -- sigcheck OK
C:\WINDOWS\system32\ias.dll NOT found
C:\WINDOWS\system32\imm32.dll -- [110080] -- [14/04/2008 00:11] -- sigcheck OK
C:\WINDOWS\system32\kernel32.dll -- [989696] -- [21/03/2009 14:06] -- sigcheck OK
C:\WINDOWS\system32\linkinfo.dll -- [19968] -- [14/04/2008 00:11] -- sigcheck OK
C:\WINDOWS\system32\lpk.dll -- [22016] -- [14/04/2008 00:11] -- sigcheck OK
C:\WINDOWS\system32\lsass.exe -- [13312] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\mfc40u.dll -- [927504] -- [14/04/2008 00:11] -- sigcheck OK
C:\WINDOWS\system32\msgsvc.dll -- [33792] -- [14/04/2008 00:11] -- sigcheck OK
C:\WINDOWS\system32\mshtml.dll -- [5940736] -- [29/10/2009 07:45] -- sigcheck OK
C:\WINDOWS\system32\mspmsnsv.dll -- [27136] -- [18/10/2006 20:47] -- sigcheck OK
C:\WINDOWS\system32\mswsock.dll -- [245248] -- [20/06/2008 17:46] -- sigcheck OK
C:\WINDOWS\system32\netlogon.dll -- [407040] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\netman.dll -- [198144] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\ntkrnlpa.exe -- [2066048] -- [04/08/2009 14:20] -- sigcheck OK
C:\WINDOWS\system32\ntmssvc.dll -- [435200] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\ntoskrnl.exe -- [2189184] -- [04/08/2009 19:44] -- sigcheck OK
C:\WINDOWS\system32\pchsvc.dll NOT found
C:\WINDOWS\system32\powrprof.dll -- [17408] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\qmgr.dll -- [409088] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\rasauto.dll -- [88576] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\regsvc.dll -- [59904] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\rpcss.dll -- [401408] -- [09/02/2009 12:10] -- sigcheck OK
C:\WINDOWS\system32\scecli.dll -- [181248] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\schedsvc.dll -- [192512] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\services.exe -- [110592] -- [06/02/2009 11:11] -- sigcheck OK
C:\WINDOWS\system32\sfc.dll -- [5120] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\sfcfiles.dll -- [1614848] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\spoolsv.exe -- [57856] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\srsvc.dll -- [171008] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\ssdpsrv.dll -- [71680] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\svchost.exe -- [14336] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\tapisrv.dll -- [249856] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\termsrv.dll -- [295424] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\upnphost.dll -- [185856] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\user32.dll -- [578560] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\userinit.exe -- [26112] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\wininet.dll -- [916480] -- [29/10/2009 07:45] -- sigcheck OK
C:\WINDOWS\system32\winlogon.exe -- [507904] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\ws2_32.dll -- [82432] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\wscntfy.exe -- [13824] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\wuauclt.exe -- [53472] -- [06/08/2009 18:24] -- sigcheck OK
C:\WINDOWS\system32\xmlprov.dll -- [129024] -- [14/04/2008 00:12] -- sigcheck OK
C:\WINDOWS\system32\drivers\acpiec.sys -- [11648] -- [08/11/2003 12:00] -- sigcheck OK
C:\WINDOWS\system32\drivers\aec.sys -- [142592] -- [13/04/2008 16:39] -- sigcheck OK
C:\WINDOWS\system32\drivers\asyncmac.sys -- [14336] -- [13/04/2008 18:57] -- sigcheck OK
C:\WINDOWS\system32\drivers\atapi.sys -- [96512] -- [13/04/2008 18:40] -- sigcheck OK
C:\WINDOWS\system32\drivers\beep.sys -- [4224] -- [08/11/2003 12:00] -- sigcheck OK
C:\WINDOWS\system32\drivers\classpnp.sys -- [49536] -- [13/04/2008 19:16] -- sigcheck OK
C:\WINDOWS\system32\drivers\disk.sys -- [36352] -- [13/04/2008 18:40] -- sigcheck OK
C:\WINDOWS\system32\drivers\iaStor.sys NOT found
C:\WINDOWS\system32\drivers\ip6fw.sys -- [36608] -- [13/04/2008 18:53] -- sigcheck OK
C:\WINDOWS\system32\drivers\kbdclass.sys -- [24576] -- [13/04/2008 18:39] -- sigcheck OK
C:\WINDOWS\$NtServicePackUninstall$\ndis.sys -- sigcheck FAILED
[C:\WINDOWS\$NtServicePackUninstall$\ndis.sys] 1DF7F42665C94B825322FAE71721130D -- [182912] -- [04/08/2004 06:14]
C:\WINDOWS\ServicePackFiles\i386\ndis.sys -- [182656] -- [13/04/2008 19:20] -- sigcheck OK
C:\WINDOWS\system32\dllcache\ndis.sys -- [212224] -- [07/12/2009 23:23] -- sigcheck OK
C:\WINDOWS\system32\drivers\ndis.sys -- [212224] -- [07/12/2009 23:23] -- sigcheck OK

C:\WINDOWS\system32\drivers\ntfs.sys -- [574976] -- [13/04/2008 19:15] -- sigcheck OK
C:\WINDOWS\system32\drivers\tcpip.sys -- [361600] -- [20/06/2008 11:51] -- sigcheck OK


--- SSODL regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?]
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" -- File: %Systemroot%\system32\webcheck.dll -- [?]
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" -- File: %systemroot%\system32\stobject.dll -- [?]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -- File: C:\WINDOWS\system32\WPDShServiceObj.dll -- [133632] -- [18/10/2006 20:47]


--- STS regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" -- File: %SystemRoot%\System32\browseui.dll -- [?]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" -- File: %SystemRoot%\System32\browseui.dll -- [?]


--- USERINIT regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
File: C:\WINDOWS\system32\userinit.exe -- [26112] -- [14/04/2008 00:12]


--- SHELL regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
File: C:\WINDOWS\Explorer.exe -- [1033728] -- [14/04/2008 00:12]


--- SYSTEM regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


--- APPINIT_DLLS regkey ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
no AppInit_DLLs regkey found


--- NOTIFY regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
-- File: C:\WINDOWS\system32\crypt32.dll -- [599040] -- [14/04/2008 00:11]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
-- File: C:\WINDOWS\system32\cryptnet.dll -- [64512] -- [14/04/2008 00:11]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
-- File: C:\WINDOWS\system32\cscdll.dll -- [101888] -- [14/04/2008 00:11]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
-- File: %SystemRoot%\System32\dimsntfy.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [14/04/2008 00:12]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [14/04/2008 00:12]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
-- File: C:\WINDOWS\system32\sclgntfy.dll -- [20480] -- [14/04/2008 00:12]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
-- File: C:\WINDOWS\system32\WlNotify.dll -- [92672] -- [14/04/2008 00:12]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [14/04/2008 00:12]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [14/04/2008 00:12]


--- RUN / LOAD regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
no run / load keys found


--- SHELLEXECUTEHOOKS regkey ---

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" -- File: shell32.dll -- [?]


--- HKLM AUTORUN regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]
no AutoRun regkey found


--- HKCU AUTORUN regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
no AutoRun regkey found


--- HKLM\RUN regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl" -- File "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" -- [32768] -- [31/10/2003 19:42]
"NeroFilterCheck" -- File C:\WINDOWS\system32\NeroCheck.exe -- [155648] -- [09/07/2001 10:50]
"C-Media Mixer" -- File: Mixer.exe /startup -- [?]
"BluetoothAuthenticationAgent" -- File: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent -- [?]
"BigDogPath" -- File: C:\WINDOWS\VM_STI.EXE CANYON CN-WCAM23 PC-Camera -- [?]
"AppleSyncNotifier" -- File C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe -- [177440] -- [13/08/2009 14:51]
"Sony Ericsson PC Suite" -- File: "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions -- [?]
"QuickTime Task" -- File: "C:\Program Files\QuickTime\QTTask.exe" -atboottime -- [?]
"iTunesHelper" -- File "C:\Program Files\iTunes\iTunesHelper.exe" -- [141600] -- [28/10/2009 20:21]
"SunJavaUpdateSched" -- File "C:\Program Files\Java\jre6\bin\jusched.exe" -- [149280] -- [11/10/2009 04:17]
"TkBellExe" -- File: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot -- [?]


--- HKLM\RUNONCE regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
no runonce values found


--- HKLM\RUNONCEEX regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
no runonceex values found


--- HKLM\RUNSERVICES regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
key not found


--- HKLM\RUNSERVICESONCE regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
no runservicesonce values found


--- HKCU\RUN regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS" -- File: "C:\Program Files\Messenger\msmsgs.exe" /background -- [?]
"PPLive" -- File: "C:\Program Files\PPLive\PPLive.exe" /LoadModule ppvod.dll -- [?]
"PC Suite Tray" -- File: "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray -- [?]
"ctfmon.exe" -- File C:\WINDOWS\system32\ctfmon.exe -- [15360] -- [14/04/2008 00:12]


--- HKCU\RUNONCE regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
no runonce values found


--- HKCU\RUNONCEEX regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
key not found


--- HKCU\RUNSERVICES regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
no runservices values found


--- HKCU\RUNSERVICESONCE regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
no runservicesonce values found


--- HKU\.DEFAULT\Run regkeys - Default user ---

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr" -- File: "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background -- [?]


--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr" -- File: "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background -- [?]


--- HKU\S-1-5-19\Run regkeys - User Lokale service ---

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
key not found


--- HKU\S-1-5-20\Run regkeys - User Lokale service ---

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
key not found


--- HKLM\Explorer\Run regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
no run values found


--- HKCU\Explorer\Run regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
no run values found


--- Image File Execution regkeys ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
no debuggers found


--- BROWSER HELPER OBJECTS regkeys ---

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
-- File: C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx -- [37808] -- [02/03/2001 11:02]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
-- File: c:\program files\real\realplayer\rpbrowserrecordplugin.dll -- [329312] -- [22/09/2009 15:53]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
-- File: C:\Program Files\AVG\AVG8\avgssie.dll -- [X]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
-- CLSID not found
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
-- File: C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll -- [408440] -- [17/02/2009 16:11]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
-- File: C:\Program Files\Windows Live Toolbar\msntb.dll -- [546320] -- [19/10/2007 10:20]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
-- File: C:\Program Files\Java\jre6\bin\jp2ssv.dll -- [41760] -- [11/10/2009 04:17]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
-- File: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll -- [73728] -- [11/10/2009 04:17]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
-- File: C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll -- [?]


--- TOOLBAR regkeys ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -- File: C:\Program Files\Windows Live Toolbar\msntb.dll -- [546320] -- [19/10/2007 10:20]
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} -- File: C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll -- [?]


--- HKLM\URLSEARCHHOOKS regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks]
no urlsearchhooks found


--- HKCU\URLSEARCHHOOKS regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
{CFBFAE00-17A6-11D0-99CB-00C04FD64497} -- File: C:\WINDOWS\system32\ieframe.dll -- [11069952] -- [29/10/2009 07:45]


--- SRCEENSAVER regkey ---

[HKEY_CURRENT_USER\Control Panel\Desktop]
scrnsave.exe value not found


--- ALTERNATESHELL regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
File: C:\WINDOWS\system32\cmd.exe -- [389120] -- [14/04/2008 00:12]


--- SECURITYPROVIDERS regkey ---

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
File: C:\WINDOWS\system32\msapsspc.dll -- [86016] -- [14/04/2008 00:11]
File: C:\WINDOWS\system32\schannel.dll -- [147456] -- [25/06/2009 08:25]
File: C:\WINDOWS\system32\digest.dll -- [68608] -- [14/04/2008 00:11]
File: C:\WINDOWS\system32\msnsspc.dll -- [290816] -- [14/04/2008 00:12]


--- Active Setup\Installed Components regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
-- File: C:\WINDOWS\system32\ieudinit.exe -- [36864] -- [08/03/2009 03:32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
-- File: C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
-- File: "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
-- File: RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
-- File: %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608555}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1325db73-d9f1-48f8-8895-6d814ec58889}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{233C1507-6A77-46A4-9443-F871F945D258}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
-- File: %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
-- File: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4d64f3ba-f112-4efe-a02e-96680859937c}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5b7bf89d-d196-4c32-a303-a57b8ab7f18d}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
-- File: regsvr32.exe /s /n /i:U shell32.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
-- File: C:\WINDOWS\system32\ie4uinit.exe -BaseSettings -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
-- File: C:\WINDOWS\system32\ie4uinit.exe -BaseSettings -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
-- File: c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{dd772a76-bef3-44d7-8b39-502c8504c1f1}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{f15ee071-deb7-4cbb-951f-431c98338d8e}]
-- filepath not found


--- Services regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ca533av]
-- File: System32\Drivers\Ca533av.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EPSON_PM_RPCV4_01]
-- File: C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- [113664] -- [11/01/2007 04:02]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ggflt]
-- File: system32\DRIVERS\ggflt.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ggsemc]
-- File: system32\DRIVERS\ggsemc.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JavaQuickStarterService]
-- File: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing]
-- File: "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" -- [132096] -- [29/07/2008 18:16]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pccsmcfd]
-- File: system32\DRIVERS\pccsmcfd.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s115bus]
-- File: system32\DRIVERS\s115bus.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s115mdfl]
-- File: system32\DRIVERS\s115mdfl.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s115mgmt]
-- File: system32\DRIVERS\s115mgmt.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s115obex]
-- File: system32\DRIVERS\s115obex.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SABProcEnum]
-- File: \??\C:\Program Files\Internet Explorer\SABProcEnum.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SDTHelper]
-- File: \??\C:\Documents and Settings\favv\Desktop\sdthlpr.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SE27bus]
-- File: system32\DRIVERS\SE27bus.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SE27mdfl]
-- File: system32\DRIVERS\SE27mdfl.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SE27mgmt]
-- File: system32\DRIVERS\SE27mgmt.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\se27nd5]
-- File: system32\DRIVERS\se27nd5.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SE27obex]
-- File: system32\DRIVERS\SE27obex.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\se27unic]
-- File: system32\DRIVERS\se27unic.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StarOpen]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swwd]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upperdev]
-- File: system32\DRIVERS\usbser_lowerflt.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w800bus]
-- File: system32\DRIVERS\w800bus.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w800mdfl]
-- File: system32\DRIVERS\w800mdfl.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w800mgmt]
-- File: system32\DRIVERS\w800mgmt.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w800obex]
-- File: system32\DRIVERS\w800obex.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZSMC301b]
-- File: System32\Drivers\usbVM31b.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{0EEBD70A-905A-4831-B878-B6CF0FD8DD7F}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{29505413-AC7A-4453-A72D-D27C14D1A7D8}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{60CC5DA7-6E0F-41D1-941C-92BF60DD4DA8}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7FFC0A77-4F51-4BF9-BE17-F40422D27880}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7FFD11EA-684D-4293-8509-12FA1BBCAE59}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CF5E6EBC-2931-4BB0-8533-ACC16367171D}]
-- filepath not found


--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
Wdf01000.sys
{533C5B84-EC70-11D2-9505-00C04F79DEAF}


--- SAFEBOOT Network SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
DnsCache
Wdf01000.sys


--- BOOTEXECUTE regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"= autocheck autochk *\0\0


--- PENDINGFILERENAMEOPERATIONS regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
PendingFileRenameOperations key not found


--- WOW-CMDLINE regkeys ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
"cmdline" = %SystemRoot%\system32\ntvdm.exe
"cmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386


--- NETSVCS regkey ---

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] -- NETSVCS
0WmdmPmSN


--- DNS SERVER regkeys ---

no "NameServer" values found


--- File associations ---

.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)


--- STARTUP FOLDERS ---

C:\Documents and Settings\favv\Start Menu\Programs\Startup\desktop.ini -- [84] -- [19/04/2008 17:56]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Corel Family and Friends Reminders.LNK -- [1735] -- [20/04/2008 21:27]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini -- [84] -- [19/04/2008 17:56]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk -- [1567] -- [20/04/2008 15:20]
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini -- [84] -- [19/04/2008 17:56]
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini -- [84] -- [19/04/2008 17:56]


--- TASK SCHEDULER JOBS ---

C:\WINDOWS\tasks\AppleSoftwareUpdate.job -- [280] -- [04/01/2010 17:36]


Scan completed: 15/01/2010 15:55:19.71
FINISHED

Doing RootRepeal now - cheers, banksy.

banksy
Junior Member


Date Joined Jun 2008
Total Posts : 53
 
Posted 1/15/2010 8:03 PM (GMT +3)
RootRepeal log as follows:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/15 16:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4773000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D3C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC821000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\$ntservicepackuninstall$\ndis.sys
Status: Size mismatch (API: 182656, Raw: 182912)

Path: C:\Documents and Settings\LocalService\Cookies\system@live.txt
Status: Could not get file information (Error 0xc0000008)

Path: c:\windows\system32\dllcache\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: c:\windows\system32\drivers\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: c:\documents and settings\favv\local settings\temp\~df11aa.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\favv\local settings\temp\~df5ea.tmp
Status: Allocation size mismatch (API: 49152, Raw: 16384)

Path: C:\Documents and Settings\CONNOR\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\favv\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\HOLLIE\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\LIAM\Application Data\Macromedia\Flash Player\#SharedObjects\7KXZKWP5\video.google.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\LIAM\Application Data\Macromedia\Flash Player\#SharedObjects\7KXZKWP5\void.snocap.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\LIAM\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\LIAM\My Documents\My Music\iTunes\iTunes Music\U2\How to Dismantle an Atomic Bomb\10ORIG~1.M4A:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\MUVVER\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\CONNOR\Local Settings\Application Data\Microsoft\Messenger\connor@shanklygates.co.uk\SharingMetadata\lou_feath@hotmail.co.uk\DFSR\Staging\CS{F864B51F-440D-8283-D66B-A50A148A35B9}\11\11-{CA9CF4B1-B853-4950-857C-CFAF79B22CD2}-v11-{CA9CF4B1-B853-4950-857C-CFAF79B22CD2}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 1092) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 1276) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 2212) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 2256) Address: 0x01000000 Size: 20480

==EOF==

cheers, banksy.

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 1/16/2010 3:27 AM (GMT +3)
All wrapped around the issue of ndis.sys there, and the file info on that is just not reliable.

Locate another computer that has XP Pro, Service Pack 3 (perhaps a friend or family member), and have them provide you with a clean copy of their ndis.sys file. They will find it here on their systems:

c:\windows\system32\drivers\ndis.sys

Once you have that file, place a copy of it in that "drivers" folder. Agree to any prompts to overwrite the existing file. Reboot, and run and post back a new Reglooks log please.

banksy

Posted 1/16/2010 2:04 PM (GMT +3)
How do I get it from their computer to mine?
Jintan, I've had a look on my Windows XP CD & there is a file named "NDIS.SY_" in the "I386" folder on there - is it any help?
Otherwise I have a laptop with Windows XP Pro Service Pack 3 on.
banksy.

 

Post Edited (banksy) : 16-01-2010 11:41:21 GMT


banksy

Posted 1/16/2010 7:03 PM (GMT +3)
I have copied ndis.sys from my laptop to a CD-R, but when I try & copy/paste it to the drivers folder I get: "cannot copy ndis : access is denied. make sure the disk is not full or write-protected and that the file is not currently in use".
banksy.

Post Edited (banksy) : 16-01-2010 16:05:23 GMT


Jintan

Posted 1/17/2010 2:12 AM (GMT +3)
In reviewing the logs in this thread I see now I didn't catch that ComboFix earlier indicated another file, atapi.sys, was being altered. Either along with ndis.sys, or the infected atapi.sys is causing the malware log results. Let's locate a clean copy of that as well, then use that CD you just mentioned to access the Recovery Console and exchange the files there. For now, place that clean copy of ndis.sys directly in the C folder, so it will then be C:\ndis.sys (if one is already there delete it first).


Click here and download jpshortstuff's SystemLook to your desktop, then click that file to open the scan display. In the open textbox, copy and paste the following (inside the Code box below):

:filefind
atapi.sys


Then click Look. Once the scan completes Notepad will open - copy/paste those contents back here please. That will also be saved as a log where you have the scan file, named SystemLook.txt.

banksy

Posted 1/17/2010 3:38 AM (GMT +3)
SystemLook log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 00:24 on 17/01/2010 by favv (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [12:43 31/08/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [12:50 08/01/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [12:00 08/11/2003] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:00 08/11/2003] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

Do you mean the Windows XP CD?
The CD-R with the copy of ndis.sys won't allow me to paste it, as I mentioned above.
cheers, banksy.
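The comparison Jintan does by eye on this kind of log, as an added example that is neither SystemLook's code nor part of the original posts: it parses SystemLook's filefind output and flags any live copy of a driver that disagrees with the Service Pack store copy in size or hash, plus any copies whose reported hash and size contradict each other. The atapi.sys lines are taken from the log above; the ndis.sys lines and their hashes are constructed placeholders.

```python
"""Cross-check the copies of a Windows system driver listed by a SystemLook
':filefind' run, the way the thread compares them by eye. Added example, not
SystemLook's code and not part of the original posts; the atapi.sys lines are
from the log above, the ndis.sys lines and hashes are constructed placeholders."""
import re
from collections import defaultdict

# Constructed sample input in SystemLook's filefind output format.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [12:43 31/08/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [12:50 08/01/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [12:00 08/11/2003] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:00 08/11/2003] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "ndis.sys"
C:\WINDOWS\ServicePackFiles\i386\ndis.sys ------ 182656 bytes [05:59 04/08/2004] [19:20 13/04/2008] 00000000000000000000000000000001
C:\WINDOWS\system32\dllcache\ndis.sys --a--c 212224 bytes [12:00 08/11/2003] [19:20 13/04/2008] 00000000000000000000000000000002
C:\WINDOWS\system32\drivers\ndis.sys ------ 212224 bytes [12:00 08/11/2003] [19:20 13/04/2008] 00000000000000000000000000000002

-=End Of File=-
"""

# One reported copy: <path> <attrs> <size> bytes [<modified>] [<created>] <md5>
LINE_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes '
    r'\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$')
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

# XP's pristine Service Pack store, and the pre-SP backup that legitimately
# differs from it (so it is never compared).
REFERENCE_STORE = "\\servicepackfiles\\i386\\"
UNINSTALL_BACKUP = "\\$ntservicepackuninstall$\\"


def parse_filefind(text):
    """Return {file name: [copy, ...]}, each copy with path, size and md5."""
    copies = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            copies[current].append({"path": m.group("path"),
                                    "size": int(m.group("size")),
                                    "md5": m.group("md5").upper()})
    return dict(copies)


def check_copies(copies):
    """Compare every live copy of each file with the Service Pack store copy.

    Returns {file name: [finding, ...]}; an empty list means the copies in
    drivers\\, dllcache\\ and elsewhere all match the store in size and hash.
    """
    findings = {}
    for name, entries in copies.items():
        notes = []
        ref = [e for e in entries if REFERENCE_STORE in e["path"].lower()]
        if not ref:
            notes.append("no Service Pack store copy to compare against")
        else:
            ref_size, ref_md5 = ref[0]["size"], ref[0]["md5"]
            for e in entries:
                p = e["path"].lower()
                if REFERENCE_STORE in p or UNINSTALL_BACKUP in p:
                    continue
                if (e["size"], e["md5"]) != (ref_size, ref_md5):
                    notes.append(f"{e['path']}: {e['size']} bytes / {e['md5']} "
                                 f"differs from the Service Pack copy "
                                 f"({ref_size} bytes / {ref_md5})")
        # Two copies reporting the same MD5 but different sizes cannot both be
        # genuine, so the tool's view of those files is not to be trusted.
        sizes_by_md5 = defaultdict(set)
        for e in entries:
            sizes_by_md5[e["md5"]].add(e["size"])
        for md5, sizes in sizes_by_md5.items():
            if len(sizes) > 1:
                notes.append(f"md5 {md5} reported with sizes {sorted(sizes)}: "
                             "file information is not reliable")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in check_copies(parse_filefind(SAMPLE_LOG)).items():
        print(name + (": consistent" if not notes else ":"))
        for note in notes:
            print("  " + note)
```

On the sample above the atapi.sys set comes out clean, matching what the log shows, while both live ndis.sys copies are reported as differing from the store.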

Jintan

Posted 1/17/2010 6:00 PM (GMT +3)
Let's see if Windows will do the work for us there.


Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Right click My Computer, left click Explore to open Explorer.

Using the plus (+) symbols to expand the lists, navigate to C:\Windows and create a new folder and call it lastgood. If lastgood or lastgood.tmp folders already exist, please rename the folder to oldlastgood.

When you have done this, open the lastgood folder and create a folder called System32, and in that create a folder named drivers.

So after that you should have:

C:\Windows\lastgood\System32\drivers

In that new "drivers" folder place a copy of that clean ndis.sys file you got from the other computer.

Then navigate to the following file, copy it and also place a copy of it in that new "drivers" folder:

C:\WINDOWS\ServicePackFiles\i386\atapi.sys

So after that you should have:

C:\Windows\lastgood\System32\drivers\ndis.sys
C:\Windows\lastgood\System32\drivers\atapi.sys

---------------

Then restart the computer, and as it boots up tap the F8 key about once per half-second, to access the startup menu (where you can make Safe Mode selections). From that menu select the following:

Last Known Good Configuration

After the bootup completes run a new ComboFix scan, and post that log please.

banksy

Posted 1/17/2010 8:41 PM (GMT +3)
I've created the "lastgood" folder but, as I've said, the copy of "ndis.sys" from the laptop seems to be protected....
When I try & paste it says:
"cannot copy ndis : access is denied. make sure the disk is not full or write-protected and that the file is not currently in use".
banksy.

Jintan

Posted 1/18/2010 1:29 AM (GMT +3)
I hadn't anticipated the file to be locked from copying to the new folder.

Rename that clean ndis.sys file to larry.com, and place that in your C drive folder, so it is then C:\larry.com

Then make a copy of that i386\atapi.sys file, rename it to moe.com and place that also directly in the C drive folder. You should then have (yes, the names are from the old comedy team):

C:\larry.com
C:\moe.com

--------------

Then load the XP CD into the CD-ROM drive and restart the system. On reboot watch for and agree to any prompts to boot from the CD. If the system only reboots to Windows stop and post back here and we will discuss steps to make changes in the BIOS.

After the installation software inspects the system and loads all necessary device drivers you will see the "Welcome To Setup" screen, with the following menu:

This portion of the Setup program prepares Microsoft Windows XP to run on your computer:

   To setup Windows XP now, press ENTER.

   To repair a Windows XP installation using Recovery Console, press R.

   To quit Setup without installing Windows XP, press F3.


Press "R" to start the Recovery Console setup. After you start the Windows Recovery Console, you receive the following message:

Microsoft Windows(R) Recovery Console

The Recovery Console provides system repair and recovery functionality.
Type EXIT to quit the Recovery Console and restart the computer.

1: C:\WINDOWS

Which Windows Installation would you like to log on to
(To cancel, press ENTER)?


After you enter the number for the appropriate Windows installation (usually #1), Windows will then prompt you to enter the Administrator account password if one was created (if one was not created then just press Enter).

At the prompt type the following, pressing Enter after each:

copy C:\larry.com C:\Windows\System32\drivers\ndis.sys

copy C:\moe.com C:\Windows\System32\drivers\atapi.sys

exit


Agree to any messages to overwrite the existing files. When you hit Enter after typing exit your computer will reboot. Do Not press any key until the system has completely rebooted, then after the reboot be sure to remove your XP CD from the CD-ROM drive.

Then run and post back a new ComboFix scan log please.

Post Edited (Jintan) : 17-01-2010 22:33:33 GMT


banksy

Posted 1/18/2010 4:19 AM (GMT +3)
Hi Jintan,
My PC doesn't reboot directly from CD when I restart, but it always gives me 2 options:

1. start microsoft windows recovery console

or

2. start microsoft windows xp professional

Option 2 is the default but I have 2 or 3 seconds to change options before it starts - should I just go to option 1?

Also, I've created larry.com & moe.com & they are in my C drive, but larry.com has become: larry.com.sys (system file 178kb) & moe.com is called moe.com (MS-DOS Application 95kb)
Is this ok?
banksy.

Jintan

Posted 1/18/2010 4:45 AM (GMT +3)
That larry.com.sys issue could be related to your file views there. Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Then see if you can just rename that to larry.com. If not, use the following, with this newer file name:

copy C:\larry.com.sys C:\Windows\System32\drivers\ndis.sys

copy C:\moe.com C:\Windows\System32\drivers\atapi.sys

exit



And instead of us doing extra steps to get the system to look to the CD first, just reboot, and from that option screen select:

Microsoft Windows Recovery Console

That will also take you to the Recovery Console command prompt, where you can then do those file copying steps.

banksy

Posted 1/18/2010 7:50 PM (GMT +3)
Hi Jintan,
Changed larry.com.sys to larry.com,
ran Windows Recovery Console as advised,
ComboFix log as follows:


ComboFix 10-01-17.04 - favv 18/01/2010 16:32:40.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.735.416 [GMT 0:00]
Running from: c:\documents and settings\favv\Desktop\456out.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\favv\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.

2010-01-18 15:47 . 2010-01-18 15:47 -------- d-----w- c:\program files\DVDFab 6
2010-01-18 00:50 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-18 00:50 . 2008-04-13 18:40 96512 ----a-w- C:\moe.com
2010-01-18 00:46 . 2008-04-13 19:20 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-01-18 00:46 . 2008-04-13 19:20 182656 ----a-w- C:\larry.com
2010-01-13 20:20 . 2010-01-13 20:20 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
2010-01-13 16:54 . 2010-01-13 17:22 -------- d-----w- C:\456out227994
2010-01-13 16:52 . 2010-01-13 16:52 -------- d-----w- C:\456out
2010-01-13 14:53 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-08 01:49 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-08 01:49 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-06 13:56 . 2010-01-06 13:58 -------- d-----w- C:\rsit
2009-12-29 21:47 . 2009-12-29 21:47 -------- d-----w- c:\documents and settings\HOLLIE\Local Settings\Application Data\WMTools Downloaded Files
2009-12-29 10:57 . 2009-12-29 10:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-12-23 19:31 . 2009-12-23 19:52 -------- d-----w- c:\program files\CDRWIN 6
2009-12-23 19:30 . 2009-12-23 19:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-22 15:51 . 2009-12-22 15:51 -------- d-----w- c:\documents and settings\LIAM\Application Data\Doblon
2009-12-22 15:23 . 2009-12-23 18:31 -------- d-----w- c:\program files\Common Files\Doblon
2009-12-22 15:23 . 2009-12-23 18:31 -------- d-----w- c:\program files\Doblon
2009-12-22 15:22 . 2009-12-22 15:22 13110096 ----a-w- c:\documents and settings\LIAM\karaokecdgcreatorsetup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 16:18 . 2009-08-29 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PPLive
2010-01-18 15:48 . 2008-07-14 17:01 -------- d-----w- c:\documents and settings\favv\Application Data\Vso
2010-01-18 15:47 . 2008-07-14 17:01 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-01-18 15:47 . 2008-07-14 17:01 47360 ----a-w- c:\documents and settings\favv\Application Data\pcouffin.sys
2010-01-18 15:47 . 2008-07-14 17:01 47360 ----a-w- c:\documents and settings\favv\Application Data\pcouffin.sys
2010-01-18 00:31 . 2008-07-14 08:13 -------- d-----w- c:\program files\dvdfab decrypter temp
2010-01-17 17:08 . 2008-07-14 17:22 -------- d-----w- c:\program files\dvd shrink temp
2010-01-17 15:09 . 2008-05-19 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-01-14 20:41 . 2009-01-12 21:39 -------- d-----w- c:\documents and settings\LIAM\Application Data\StarOffice8
2010-01-10 20:25 . 2008-04-21 15:33 57544 ----a-w- c:\documents and settings\LIAM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-08 14:22 . 2009-05-20 16:21 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-06 15:44 . 2008-06-04 17:01 -------- d-----w- c:\program files\Trend Micro
2009-12-29 21:47 . 2008-04-21 15:09 57544 ----a-w- c:\documents and settings\HOLLIE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 20:31 . 2009-01-12 19:32 -------- d-----w- c:\documents and settings\LIAM\Application Data\uTorrent
2009-12-22 14:40 . 2009-08-27 21:52 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-12-22 14:39 . 2008-05-10 13:55 -------- d-----w- c:\program files\DVDVideoSoft
2009-12-11 19:31 . 2009-04-26 00:28 -------- d-----w- c:\program files\SlySoft
2009-12-10 17:19 . 2009-12-07 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\96787542
2009-12-09 23:54 . 2009-12-08 22:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-07 23:48 . 2009-12-07 23:48 -------- d-----w- c:\documents and settings\favv\Application Data\uTorrent
2009-11-24 16:05 . 2008-05-24 11:10 -------- d-----w- c:\program files\Windows Live
2009-11-24 16:03 . 2009-11-24 16:03 -------- d-----w- c:\program files\Microsoft
2009-11-21 21:39 . 2009-11-21 21:39 -------- d-----w- c:\documents and settings\favv\Application Data\Samsung
2009-11-21 20:30 . 2009-11-21 17:13 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-11-21 17:12 . 2009-11-21 17:12 -------- d-----w- c:\program files\Samsung
2009-11-21 17:12 . 2008-04-19 18:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-21 15:51 . 2003-11-08 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-21 15:39 . 2009-07-30 20:12 -------- d-----w- c:\documents and settings\favv\Application Data\StarOffice8
2009-11-20 16:05 . 2009-04-02 21:16 51360 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-19 23:07 . 2008-05-23 20:14 57544 ----a-w- c:\documents and settings\favv\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 22:59 . 2009-11-18 22:59 31 ---ha-w- c:\windows\UKCpInfo.sys
2009-11-14 09:30 . 2009-11-14 09:30 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2009-11-14 09:30 . 2009-11-14 09:30 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-11-14 09:30 . 2009-11-14 09:30 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2009-11-14 09:30 . 2009-11-14 09:30 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2009-11-14 09:30 . 2009-11-14 09:31 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
2009-11-05 16:44 . 2009-11-05 16:44 152576 ----a-w- c:\documents and settings\favv\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-01 13:06 . 2009-11-01 13:06 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:45 . 2006-06-23 10:33 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2008-07-31 00:02 . 2008-07-31 00:01 48 --sh--w- c:\windows\SAEC1CAB9.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PPLive"="c:\program files\PPLive\PPLive.exe" [2009-08-05 161072]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"C-Media Mixer"="Mixer.exe" [2002-07-12 1581056]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-08-20 40960]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-22 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\LIAM\Start Menu\Programs\Startup\
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2005-6-21 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Corel Family and Friends Reminders.LNK - c:\program files\Corel\Print House Magic\cffrem.exe [2008-4-20 666112]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2008-4-20 241664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

S2 Ca533av;GSmart LCD 2 Video Camera Device;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [02/09/2009 19:47 13224]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [25/03/2009 18:44 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [25/03/2009 18:44 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [25/03/2009 18:44 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [25/03/2009 18:45 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [25/03/2009 18:44 98568]
S3 SDTHelper;Helper driver for SDT-Tool;c:\documents and settings\favv\Desktop\SDTHLPR.sys [14/01/2010 16:38 13545]
.
Contents of the 'Scheduled Tasks' folder

2010-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.liverpoolfc.tv/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm801YYGB
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-18 16:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,63,19,e0,57,ac,f8,4d,b7,60,01,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,63,19,e0,57,ac,f8,4d,b7,60,01,\

[HKEY_USERS\S-1-5-21-1801674531-73586283-682003330-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*ù*¹*%\OpenWithList]
@Class="Shell"
.
Completion time: 2010-01-18 16:47:02
ComboFix-quarantined-files.txt 2010-01-18 16:46
ComboFix2.txt 2010-01-13 17:22
ComboFix3.txt 2010-01-08 12:51

Pre-Run: 9,900,789,760 bytes free
Post-Run: 9,917,095,936 bytes free

- - End Of File - - D282FCCEF81DE06B9A279EC2E97D1E1E

cheers, banksy.

Jintan

Posted 1/18/2010 8:55 PM (GMT +3)
That did the trick - good job. Some Registry keys that need addressing now, and we will scan to check things as well.


Go to Start -> Run -> type regedit (and OK)


In the Registry Editor, navigate to the following key (use the "+" symbols in the left panel to expand the tree entries):

HKEY_USERS\S-1-5-21-1801674531-73586283-682003330-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*ù*¹*%

I am not quite sure what ".*ù*¹*%" will appear as there, but it should show as a group of unreadable characters like the key here. Just right click that ".*ù*¹*%" and select Delete. Agree to the warning, then close the Registry Editor.

-----------------

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Reglock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]


Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

----------------

Download Malwarebytes' Anti-Malware from Here or Here.

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

----------

Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.


Post that log, the C:\ComboFix.txt log and the Malwarebytes log please.
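The Reglock:: step above is built from the LOCKED REGISTRY KEYS section of the ComboFix log posted earlier. The following is an added example (not ComboFix's code and not part of the original post) that pulls that section out of a log, flags keys that are @Denied or carry unprintable names, and drafts the Reglock:: block in the syntax shown in the post. The sample log text is copied from the log above; the DPAPI-header check and the odd-name heuristic are assumptions of this example. One caveat worth knowing: the hex values under the User Preferences key begin with the DPAPI blob header, which is what Internet Explorer normally stores there, so unlocking that key restores access to it rather than removing anything.

```python
"""Extract the LOCKED REGISTRY KEYS section of a ComboFix log and draft the
Reglock:: block of a CFScript from it.  Added example for this thread, not
ComboFix's own code; the only CFScript syntax it emits is the one shown in
the post above (a 'Reglock::' line followed by bracketed key paths)."""
import re

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# Header of a DPAPI blob: version 1 followed by the DPAPI provider GUID.
# Values that start this way are OS-encrypted data, which is what IE keeps
# under 'User Preferences', so seeing them is not by itself a sign of malware.
DPAPI_HEADER = "01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb"

# Constructed sample: the LOCKED REGISTRY KEYS section of the log posted above.
SAMPLE_LOG = r"""--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,63,19,e0,57,ac,f8,4d,b7,60,01,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,63,19,e0,57,ac,f8,4d,b7,60,01,\

[HKEY_USERS\S-1-5-21-1801674531-73586283-682003330-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*ù*¹*%\OpenWithList]
@Class="Shell"
.
Completion time: 2010-01-18 16:47:02
"""


def locked_keys(log_text):
    """Return one dict per key listed under the LOCKED REGISTRY KEYS banner
    ({'key', 'denied', 'values': [[name, data], ...]}); the section ends at
    the lone '.' line that ComboFix prints after it."""
    keys, current, in_section = [], None, False
    for line in log_text.splitlines():
        if "LOCKED REGISTRY KEYS" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == ".":
            break
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group("key"), "denied": None, "values": []}
            keys.append(current)
        elif current is None or not line.strip():
            continue
        elif line.startswith("@Denied:"):
            current["denied"] = line[len("@Denied:"):].strip()
        elif line.startswith('"') and "=" in line:
            name, data = line[1:].split('"=', 1)
            current["values"].append([name, data.rstrip("\\")])
        elif current["values"] and not line.startswith("@"):
            # continuation line of a multi-line hex value
            current["values"][-1][1] += line.strip().rstrip("\\")
    return keys


def is_dpapi_blob(data):
    """True when a value's data is a DPAPI-protected blob (see DPAPI_HEADER)."""
    return data.startswith("hex:" + DPAPI_HEADER)


def odd_name(key):
    """Heuristic (an assumption of this example): a key path holding control
    or non-ASCII characters, like the FileExts key above, deserves a manual
    look, because such names are hard to type and may not display in regedit."""
    return any(ord(c) < 32 or ord(c) > 126 for c in key)


def build_reglock(keys):
    """Draft the Reglock:: block for every key the log reports as @Denied."""
    lines = ["Reglock::"] + ["[%s]" % k["key"] for k in keys if k["denied"]]
    return "\n".join(lines) + "\n"


def summarize(log_text):
    """Per-key triage: denied flag, odd-name flag, and how many of the key's
    values look like DPAPI blobs rather than something a program planted."""
    return [
        {"key": k["key"], "denied": k["denied"] is not None,
         "odd_name": odd_name(k["key"]),
         "dpapi_values": sum(is_dpapi_blob(d) for _, d in k["values"]),
         "values": len(k["values"])}
        for k in locked_keys(log_text)
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
    print(build_reglock(locked_keys(SAMPLE_LOG)))
```

Run it against a saved C:\ComboFix.txt by replacing SAMPLE_LOG with the file contents. The FileExts key is not @Denied, so it is left out of the Reglock:: draft and shows up only as an odd-name hit, which matches the post's choice to delete that key by hand in regedit.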

banksy, Junior Member (Date Joined Jun 2008, Total Posts: 53)
Posted 1/18/2010 9:43 PM (GMT +3)
ComboFix log (incl. CFScript.txt):

ComboFix 10-01-18.01 - favv 18/01/2010 18:23:57.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.735.353 [GMT 0:00]
Running from: c:\documents and settings\favv\Desktop\456out.com
Command switches used :: c:\docume~1\favv\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.

2010-01-18 18:18 . 2010-01-18 18:18 -------- d-----w- c:\documents and settings\favv\Application Data\Malwarebytes
2010-01-18 18:18 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-18 18:18 . 2010-01-18 18:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-18 18:18 . 2010-01-18 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-18 18:18 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-18 15:47 . 2010-01-18 15:47 -------- d-----w- c:\program files\DVDFab 6
2010-01-18 00:50 . 2008-04-13 18:40 96512 ----a-w- C:\moe.com
2010-01-18 00:50 . 2008-04-13 18:40 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-18 00:46 . 2008-04-13 19:20 182656 ----a-w- C:\larry.com
2010-01-18 00:46 . 2008-04-13 19:20 182656 ------w- c:\windows\system32\drivers\ndis.sys
2010-01-13 20:20 . 2010-01-13 20:20 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
2010-01-13 16:54 . 2010-01-13 17:22 -------- d-----w- C:\456out227994
2010-01-13 16:52 . 2010-01-13 16:52 -------- d-----w- C:\456out
2010-01-13 14:53 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-08 01:49 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-08 01:49 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-06 13:56 . 2010-01-06 13:58 -------- d-----w- C:\rsit
2009-12-29 21:47 . 2009-12-29 21:47 -------- d-----w- c:\documents and settings\HOLLIE\Local Settings\Application Data\WMTools Downloaded Files
2009-12-29 10:57 . 2009-12-29 10:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-12-23 19:31 . 2009-12-23 19:52 -------- d-----w- c:\program files\CDRWIN 6
2009-12-23 19:30 . 2009-12-23 19:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-22 15:51 . 2009-12-22 15:51 -------- d-----w- c:\documents and settings\LIAM\Application Data\Doblon
2009-12-22 15:23 . 2009-12-23 18:31 -------- d-----w- c:\program files\Common Files\Doblon
2009-12-22 15:23 . 2009-12-23 18:31 -------- d-----w- c:\program files\Doblon
2009-12-22 15:22 . 2009-12-22 15:22 13110096 ----a-w- c:\documents and settings\LIAM\karaokecdgcreatorsetup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 18:13 . 2008-05-19 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-01-18 17:59 . 2008-07-14 17:22 -------- d-----w- c:\program files\dvd shrink temp
2010-01-18 17:57 . 2008-07-14 08:13 -------- d-----w- c:\program files\dvdfab decrypter temp
2010-01-18 16:18 . 2009-08-29 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PPLive
2010-01-18 15:48 . 2008-07-14 17:01 -------- d-----w- c:\documents and settings\favv\Application Data\Vso
2010-01-18 15:47 . 2008-07-14 17:01 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-01-18 15:47 . 2008-07-14 17:01 47360 ----a-w- c:\documents and settings\favv\Application Data\pcouffin.sys
2010-01-18 15:47 . 2008-07-14 17:01 47360 ----a-w- c:\documents and settings\favv\Application Data\pcouffin.sys
2010-01-14 20:41 . 2009-01-12 21:39 -------- d-----w- c:\documents and settings\LIAM\Application Data\StarOffice8
2010-01-10 20:25 . 2008-04-21 15:33 57544 ----a-w- c:\documents and settings\LIAM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-08 14:22 . 2009-05-20 16:21 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-06 15:44 . 2008-06-04 17:01 -------- d-----w- c:\program files\Trend Micro
2009-12-29 21:47 . 2008-04-21 15:09 57544 ----a-w- c:\documents and settings\HOLLIE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 20:31 . 2009-01-12 19:32 -------- d-----w- c:\documents and settings\LIAM\Application Data\uTorrent
2009-12-22 14:40 . 2009-08-27 21:52 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-12-22 14:39 . 2008-05-10 13:55 -------- d-----w- c:\program files\DVDVideoSoft
2009-12-11 19:31 . 2009-04-26 00:28 -------- d-----w- c:\program files\SlySoft
2009-12-10 17:19 . 2009-12-07 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\96787542
2009-12-09 23:54 . 2009-12-08 22:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-07 23:48 . 2009-12-07 23:48 -------- d-----w- c:\documents and settings\favv\Application Data\uTorrent
2009-11-24 16:05 . 2008-05-24 11:10 -------- d-----w- c:\program files\Windows Live
2009-11-24 16:03 . 2009-11-24 16:03 -------- d-----w- c:\program files\Microsoft
2009-11-21 21:39 . 2009-11-21 21:39 -------- d-----w- c:\documents and settings\favv\Application Data\Samsung
2009-11-21 20:30 . 2009-11-21 17:13 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-11-21 17:12 . 2009-11-21 17:12 -------- d-----w- c:\program files\Samsung
2009-11-21 17:12 . 2008-04-19 18:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-21 15:51 . 2003-11-08 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-21 15:39 . 2009-07-30 20:12 -------- d-----w- c:\documents and settings\favv\Application Data\StarOffice8
2009-11-20 16:05 . 2009-04-02 21:16 51360 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-19 23:07 . 2008-05-23 20:14 57544 ----a-w- c:\documents and settings\favv\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 22:59 . 2009-11-18 22:59 31 ---ha-w- c:\windows\UKCpInfo.sys
2009-11-14 09:30 . 2009-11-14 09:30 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2009-11-14 09:30 . 2009-11-14 09:30 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-11-14 09:30 . 2009-11-14 09:30 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2009-11-14 09:30 . 2009-11-14 09:30 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2009-11-14 09:30 . 2009-11-14 09:31 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
2009-11-05 16:44 . 2009-11-05 16:44 152576 ----a-w- c:\documents and settings\favv\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-01 13:06 . 2009-11-01 13:06 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:45 . 2006-06-23 10:33 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2008-07-31 00:02 . 2008-07-31 00:01 48 --sh--w- c:\windows\SAEC1CAB9.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"PPLive"="c:\program files\PPLive\PPLive.exe" [2009-08-05 161072]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"C-Media Mixer"="Mixer.exe" [2002-07-12 1581056]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-08-20 40960]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-22 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\LIAM\Start Menu\Programs\Startup\
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2005-6-21 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Corel Family and Friends Reminders.LNK - c:\program files\Corel\Print House Magic\cffrem.exe [2008-4-20 666112]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2008-4-20 241664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

S2 Ca533av;GSmart LCD 2 Video Camera Device;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [02/09/2009 19:47 13224]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [25/03/2009 18:44 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [25/03/2009 18:44 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [25/03/2009 18:44 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [25/03/2009 18:45 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [25/03/2009 18:44 98568]
S3 SDTHelper;Helper driver for SDT-Tool;c:\documents and settings\favv\Desktop\SDTHLPR.sys [14/01/2010 16:38 13545]
.
Contents of the 'Scheduled Tasks' folder

2010-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.liverpoolfc.tv/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm801YYGB
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-18 18:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2536)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-18 18:36:45
ComboFix-quarantined-files.txt 2010-01-18 18:36
ComboFix2.txt 2010-01-18 16:47
ComboFix3.txt 2010-01-13 17:22
ComboFix4.txt 2010-01-08 12:51

Pre-Run: 14,587,105,280 bytes free
Post-Run: 14,573,834,240 bytes free

- - End Of File - - 41B9B0008FF38D6997E29B0FE0242E14

Doing "Malwarebytes' Anti-Malware" now...
cheers, banksy.
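The two driver lines in the "Files Created" section of the log above are what a clean replacement looks like: c:\windows\system32\drivers\ndis.sys and atapi.sys were written on 2010-01-18 but carry 2008-04-13 modification times and the same 182656 / 96512 byte sizes as their C:\larry.com and C:\moe.com sources. The following is an added example, not ComboFix's code and not part of the poster's log, that parses that section and checks each kernel driver against a reference size table. The table is an assumption taken from the clean XP SP3 x86 copies visible in this thread; the dllcache line in the sample is invented to stand in for a patched driver. Size and timestamp are only a first filter; the real check is a hash match against a known-good copy.

```python
"""Triage the 'Files Created' section of a ComboFix log for kernel drivers.
Added example for this thread, not ComboFix's own code.  EXPECTED_DRIVER_SIZES
is an assumption taken from the clean XP SP3 x86 copies seen in this thread's
log (ndis.sys 182656 and atapi.sys 96512 bytes); verify it against a
known-good machine before relying on it."""
import re
from datetime import datetime, timedelta

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
EXPECTED_DRIVER_SIZES = {"ndis.sys": 182656, "atapi.sys": 96512}
DRIVER_DIRS = ("\\system32\\drivers\\", "\\system32\\dllcache\\")

# Constructed sample: five lines copied from the log posted above plus one
# invented dllcache entry (size 204800) standing in for a patched driver.
SAMPLE = r"""
2010-01-18 18:18 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-18 15:47 . 2010-01-18 15:47 -------- d-----w- c:\program files\DVDFab 6
2010-01-18 00:50 . 2008-04-13 18:40 96512 ----a-w- C:\moe.com
2010-01-18 00:50 . 2008-04-13 18:40 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-18 00:46 . 2008-04-13 19:20 182656 ------w- c:\windows\system32\drivers\ndis.sys
2010-01-18 00:40 . 2009-12-07 23:17 204800 ------w- c:\windows\system32\dllcache\ndis.sys
"""


def parse_entries(text):
    """Parse 'created . modified size attrs path' lines; folders get size None."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = m.group("size")
        entries.append({
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
            "size": int(size) if size.isdigit() else None,
            "attrs": m.group("attrs"),
            "path": m.group("path"),
            "is_dir": m.group("attrs").startswith("d"),
        })
    return entries


def is_driver(path):
    """A .sys file under system32\\drivers or the WFP cache system32\\dllcache."""
    p = path.lower()
    return p.endswith(".sys") and any(d in p for d in DRIVER_DIRS)


def triage_drivers(entries, expected=EXPECTED_DRIVER_SIZES,
                   copy_gap=timedelta(days=1)):
    """Return {path: {'verdict', 'copied_in'}} for each driver entry.
    verdict: 'ok' (size matches the table), 'size-mismatch', or 'unknown'
    (no reference size).  copied_in is True when the file landed on disk
    long after its modification time, i.e. it was copied in with its original
    timestamp kept, which is what both a clean replacement and a dropped file
    look like, so it is a prompt to hash the file, not a verdict by itself."""
    report = {}
    for e in entries:
        if e["is_dir"] or not is_driver(e["path"]):
            continue
        name = e["path"].rsplit("\\", 1)[-1].lower()
        ref = expected.get(name)
        if ref is None:
            verdict = "unknown"
        elif e["size"] == ref:
            verdict = "ok"
        else:
            verdict = "size-mismatch"
        report[e["path"]] = {
            "verdict": verdict,
            "copied_in": e["created"] - e["modified"] > copy_gap,
        }
    return report


if __name__ == "__main__":
    for path, row in triage_drivers(parse_entries(SAMPLE)).items():
        print(row["verdict"].ljust(14), "copied_in=%s" % row["copied_in"], path)
```

On the sample, both replaced drivers come out "ok" with copied_in set, the invented dllcache copy is reported as a size mismatch, and mbam.sys (Malwarebytes' own driver, installed the same day) is "unknown" because it is not in the table.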

banksy, Junior Member (Date Joined Jun 2008, Total Posts: 53)
Posted 1/18/2010 11:17 PM (GMT +3)
Malwarebytes' Anti-Malware log as follows:

Malwarebytes' Anti-Malware 1.44
Database version: 3593
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

18/01/2010 19:16:29
mbam-log-2010-01-18 (19-16-28).txt

Scan type: Quick Scan
Objects scanned: 142752
Time elapsed: 8 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Videocan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dpevflbg.bqkx (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\96787542 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\spool\prtprocs\w32x86\00001905.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00001aa1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00002066.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00003b6f.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000043b4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00004f44.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000056bd.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00006d66.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00007bfa.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Doing ESET Online Scanner now,
cheers, banksy.

banksy, Junior Member (Date Joined Jun 2008, Total Posts: 53)
Posted 1/19/2010 2:23 AM (GMT +3)
ESET Online Scanner log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=27ea9d65c7eb554ca9f05454969bdcdb
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-18 09:40:27
# local_time=2010-01-18 09:40:27 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1057585 1057585 0 0
# compatibility_mode=8192 67108863 100 0 4159 4159 0 0
# scanned=95887
# found=26
# cleaned=26
# scan_time=4159
C:\Documents and Settings\LIAM\My Documents\Setup.exe Win32/Adware.180Solutions application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\LIAM\My Documents\zSetup.exe a variant of Win32/Adware.180Solutions application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Hotbar\bin\11.0.78.0\CoreSrv.dll.vir Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Hotbar\bin\11.0.78.0\HostIE.dll.vir Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Hotbar\bin\11.0.78.0\HostOL.dll.vir Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Hotbar\bin\11.0.78.0\HotbarSA.exe.vir probably a variant of Win32/Adware.180Solutions application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Hotbar\bin\11.0.78.0\HotbarSADF.exe.vir Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Hotbar\bin\11.0.78.0\HotbarSAHook.dll.vir a variant of Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Hotbar\bin\11.0.78.0\HotbarUninstaller.exe.vir multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Hotbar\bin\11.0.78.0\Srv.exe.vir Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Hotbar\bin\11.0.78.0\Toolbar.dll.vir Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir Win32/Protector.B virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{18F1C887-1B5D-4ADD-B28A-9923490B7F34}\RP24\A0012268.dll Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{18F1C887-1B5D-4ADD-B28A-9923490B7F34}\RP24\A0012271.dll Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{18F1C887-1B5D-4ADD-B28A-9923490B7F34}\RP24\A0012272.dll Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{18F1C887-1B5D-4ADD-B28A-9923490B7F34}\RP24\A0012273.exe probably a variant of Win32/Adware.180Solutions application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{18F1C887-1B5D-4ADD-B28A-9923490B7F34}\RP24\A0012275.exe Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{18F1C887-1B5D-4ADD-B28A-9923490B7F34}\RP24\A0012276.dll a variant of Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{18F1C887-1B5D-4ADD-B28A-9923490B7F34}\RP24\A0012277.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{18F1C887-1B5D-4ADD-B28A-9923490B7F34}\RP24\A0012278.exe Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{18F1C887-1B5D-4ADD-B28A-9923490B7F34}\RP24\A0012279.dll Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{18F1C887-1B5D-4ADD-B28A-9923490B7F34}\RP32\A0015332.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{18F1C887-1B5D-4ADD-B28A-9923490B7F34}\RP32\A0015333.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\dllcache\ndis.sys Win32/Protector.B virus (cleaned - quarantined) 00000000000000000000000000000000 C

Jintan, I wasn't sure whether to delete the quarantined files, so I didn't, but they are in a folder within the ESET Online Scanner folder. Should I delete them?
cheers again, banksy.

Jintan, Senior Member (Date Joined Dec 2006, Total Posts: 1428)
Posted 1/19/2010 5:02 AM (GMT +3)
Other than a few installer files bundled with an adware component, the majority of what ESET just found are infections ComboFix had already removed to its Qoobox quarantine, and then infections that had been held harmless in System Restore. We will address those, and you can install Eset using Add/Remove Programs, and if offered by that check off the option to delete the quarantine as well.

No malware being picked up at this time. Before we move on to some last steps here, post back how things are running please.
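The reply above sorts the ESET hits by where they were found: paths under C:\Qoobox\Quarantine are files ComboFix had already moved out of the way, and paths under System Volume Information\_restore are restore-point copies that stay inert unless a restore is run (the System Restore reset later in the thread clears them). Two groups in the log deserve their own category, though: C:\WINDOWS\system32\dllcache\ndis.sys is a live copy in the cache Windows File Protection restores protected files from, and msimg32.dll / riched20.dll in the Windows Live\Messenger folder carry the names of system DLLs, so an application in that folder loads them ahead of the system32 copies. The following is an added example, not ESET's code and not part of the original post, that parses the scanner's log lines and groups them this way; the sample holds eight of the 26 lines posted above, and the location rules and the DLL-name list are assumptions of this example.

```python
"""Group ESET Online Scanner detections by where they were found.  Added
example for this thread, not ESET's code.  The location classes encode the
point made in the reply above (quarantine and restore-point hits were already
neutralised); the WFP-cache and DLL-name rules are this example's own
assumptions."""
import re

LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>(?:probably a variant of |a variant of )?"
    r"(?:Win32/\S+ \S+|multiple threats)) "
    r"\((?P<action>[^)]*)\) (?P<hash>[0-9a-fA-F]{32}) C$"
)
# Names of DLLs that live in system32; a same-named DLL in an application's
# own folder is loaded first by the default search order (search-order
# hijacking), so such hits are live and worth their own category.
SYSTEM_DLL_NAMES = {"msimg32.dll", "riched20.dll"}

# Constructed sample: two header counters and eight of the 26 detection
# lines from the log posted above.
SAMPLE = r"""
# found=26
# cleaned=26
C:\Documents and Settings\LIAM\My Documents\Setup.exe Win32/Adware.180Solutions application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Hotbar\bin\11.0.78.0\HotbarSA.exe.vir probably a variant of Win32/Adware.180Solutions application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir Win32/Protector.B virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{18F1C887-1B5D-4ADD-B28A-9923490B7F34}\RP24\A0012277.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{18F1C887-1B5D-4ADD-B28A-9923490B7F34}\RP32\A0015332.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\dllcache\ndis.sys Win32/Protector.B virus (cleaned - quarantined) 00000000000000000000000000000000 C
"""


def parse_detections(text):
    """One dict (path, threat, action, hash) per detection line."""
    return [m.groupdict() for m in
            (LINE_RE.match(line.strip()) for line in text.splitlines()) if m]


def classify(path):
    """Location class of a hit: 'combofix-quarantine', 'restore-point',
    'wfp-cache' (system32\\dllcache, the copy Windows File Protection restores
    protected files from), 'dll-in-app-dir' (system DLL name inside an
    application folder) or 'live'."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix-quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    if "\\system32\\dllcache\\" in p:
        return "wfp-cache"
    if name in SYSTEM_DLL_NAMES and "\\program files\\" in p:
        return "dll-in-app-dir"
    return "live"


def triage(text):
    """Group detection paths by location class: {class: [paths]}."""
    groups = {}
    for d in parse_detections(text):
        groups.setdefault(classify(d["path"]), []).append(d["path"])
    return groups


def header_counts(text):
    """found/cleaned counters from the '# key=value' header lines."""
    counts = {}
    for line in text.splitlines():
        m = re.match(r"^# (found|cleaned)=(\d+)$", line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


if __name__ == "__main__":
    print(header_counts(SAMPLE))
    for cls, paths in triage(SAMPLE).items():
        print(cls, len(paths))
        for p in paths:
            print("   ", p)
```

Run it on the full log.txt from C:\Program Files\EsetOnlineScanner\ by reading the file into SAMPLE. Anything landing in 'live', 'wfp-cache' or 'dll-in-app-dir' is what to read closely; the other two classes are the material the reply above describes as already handled.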

banksy, Junior Member (Date Joined Jun 2008, Total Posts: 53)
Posted 1/19/2010 7:41 PM (GMT +3)
Things seem to be running OK; sometimes the internet is quite slow compared with the laptop (which runs wireless from the router connected to this PC). I don't know if that means anything.
I've noticed that in my C:\WINDOWS folder there are OVER 260 folders called "$NtUninstall....."; each one has its own number, and they are all various sizes. The full name of one (picked at random) is: $NtUninstallKB885835$; it is 1.46 MB in size.
I don't know what they are or where they've come from!
Do you know what they are?
Thanks again, banksy.

Jintan, Senior Member (Date Joined Dec 2006, Total Posts: 1428)
Posted 1/20/2010 3:01 AM (GMT +3)
You are seeing the normally hidden system files - those are Windows update backup files saved to allow you to uninstall any of the updates if you need to. If you reverse the procedures here you can have them hidden again.

To make sure temp file storage bogging down isn't slowing things let's clean that.

Download CCleaner from one of the links here. Click the downloaded file to start the install. At the options display I suggest unchecking the bottom four options, unless for some reason you want it to install a Yahoo toolbar.

Then click Run Cleaner, okay the warning and allow CCleaner to remove temp files. I truly recommend against using any of the options displayed on CCleaner's left panel, as some of these have the potential to cause serious problems. Let me know if that helped things there please.

banksy, Junior Member (Date Joined Jun 2008, Total Posts: 53)
Posted 1/20/2010 3:44 AM (GMT +3)
Cheers, Jintan.
Done CCleaner.
Do I need to keep all the downloaded programs from my desktop, e.g. (HijackThis, Avenger, ComboFix, Malwarebytes, RootRepeal, reglooks, RSIT, Radix, SystemLook), and also the folders created en route (Qoobox, 456out), not to mention Larry & Moe, lol?
banksy.

Jintan, Senior Member (Date Joined Dec 2006, Total Posts: 1428)
Posted 1/21/2010 2:25 AM (GMT +3)
You may need to delete some files manually, like those two of the three stooges-named files, but yes, it is a good idea now to uninstall or delete everything our work added there.


Eset, if you don't plan to use it again, uninstalls through Add/Remove Programs.


You can also at this time delete the files/folders of the tools we used. To assist with some of that download OTC.exe by OldTimer to your desktop. This will help by automatically removing some of the tools we used.

Just click OTC.exe, then click CleanUp, and select Yes. When it finishes removing some of the tools and files we used there just agree to the reboot, and OTC should self-delete once the system has rebooted (if not just delete the OTC.exe file).

-------------------------

Then a good idea is to reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.


In addition, I like to recommend reviewing the information Here to make sure you stay malware free.