Solved: Ukash west yorkshire virus - can't remove with malwarebytes


Catherine-N
Member with 97 posts.
THREAD STARTER
 
Join Date: Sep 2012
Experience: Beginner
12-Sep-2012, 02:31 PM #1
Hi there,

On Sunday (3 days ago) my machine came up with the Ukash West Yorkshire Police virus and I couldn't do anything other than shut down. I found on another site the suggestion to download the free version of Malwarebytes Anti-Malware and to run it in safe mode, which I did. This found around 15 or so problems and I removed them. I then logged off. Today, I logged on and for a few minutes was working in normal mode OK, and then the Ukash virus locked me out again. I re-ran the Malwarebytes programme in safe mode and removed the viruses again. I then tried logging on as normal and I was able to work perfectly OK, and it seemed to have worked. However, my internet connection is fairly rubbish and at that point was showing limited connection. Anyway, I thought I'd run the Malwarebytes programme in normal mode just to check everything had gone. After a while, I decided to fire up my Internet Explorer and then set it to repair my internet connection - which it did. A dialogue box then popped up saying a programme on my computer had corrupted my default setting provider for Internet Explorer and that it would fix it. I then got a Google page up and typed a search query in. As soon as the page started to search, I lost the whole bottom row of icons on my screen, and then the Ukash virus popped up again and locked me out.

I have followed the instructions on your site as best I can - I am a novice and apologise if I've completely misunderstood the things I should be doing and appear stupid. I did have a lot of problems trying to get the GMER thing to work - it didn't pop up and ask if I wanted to do a full scan but didn't give me any option for anything else, so I ended up doing, I expect, a full scan, as it took about 2 hours... Anyway, I tried again and fiddled around with the options on the top, and the autostart seemed to give a small amount of scan info, so I've saved that and hope that's the right bit to have done.

I notice you recommend people update their virus packages regularly - I had just updated mine on Sunday, so was really surprised to get a virus in the first place (I have the Microsoft Security Essentials package). I appreciate that my ability may mean that your advice is simply to dig deep and plod off to an IT person who you can pay to sort the problem out, but I thought I'd try this site first as it would be good to learn. I've pasted the files below as per your instructions and appreciate any help you can give me, many thanks.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:56:09, on 12/09/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [WSManHTTPConfig] C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
--
End of file - 5096 bytes

DDS text file:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Administrator at 14:58:20 on 2012-09-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.401 [GMT 1:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Microsoft Internet Explorer provided by Orange UK
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [WSManHTTPConfig] c:\documents and settings\administrator.catherin-zge1zi\local settings\application data\microsoft\windows\912\WSManHTTPConfig.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: orange search - file://c:\program files\orange4\cache\SelectedContextSearch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E5845F11-365B-433F-BB6D-550870630CDB} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]
S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-7-29 65848]
S1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32 _42020.sys [2012-8-11 228376]
S1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-7-29 71480]
S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-7-29 166840]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-9-9 655944]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-7-29 976728]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-7 250056]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys --> c:\windows\system32\drivers\emusba10.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-9 22344]
S3 RapportIaso;RapportIaso;c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-6-6 21520]
S4 Everet_;Everet_;c:\windows\system32\drivers\ati1btxx.sys [2007-9-22 56623]
.
=============== Created Last 30 ================
.
2012-09-12 13:11:10 -------- dc----w- c:\documents and settings\administrator.catherin-zge1zi\application data\hellomoto
2012-09-12 13:09:15 -------- dc----w- c:\program files\Microsoft Windows OneCare Live
2012-09-09 15:41:01 -------- dc----w- c:\documents and settings\administrator.catherin-zge1zi\application data\Malwarebytes
2012-09-09 15:40:54 -------- dc----w- c:\documents and settings\all users.windows\application data\Malwarebytes
2012-09-09 15:40:53 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
2012-09-09 15:40:53 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-09 14:40:17 7022536 -c--a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{105b1e4d-16fe-41ee-b877-4b0fa6322f9a}\mpengine.dll
2012-09-07 17:43:32 7022536 -c--a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M ====================
.
2012-08-29 19:58:01 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-29 19:58:00 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-29 19:52:38 65848 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-07-06 13:58:51 78336 -c--a-w- c:\windows\system32\browser.dll
2012-07-04 14:05:18 139784 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15 1866112 -c--a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49:33 916992 -c--a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49:32 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49:32 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05:43 385024 -c--a-w- c:\windows\system32\html.iec
.
============= FINISH: 14:59:08.81 ===============

attach text file:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 22/09/2007 19:37:09
System Uptime: 12/09/2012 14:43:39 (0 hours ago)
.
Motherboard: Dell Computer Corp. | | 02X378
Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | Microprocessor | 1992/400mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 19 GiB total, 5.214 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1077: 01/09/2012 12:52:45 - Software Distribution Service 3.0
RP1078: 02/09/2012 16:46:38 - Software Distribution Service 3.0
RP1079: 05/09/2012 15:02:30 - Software Distribution Service 3.0
RP1080: 07/09/2012 18:43:27 - Software Distribution Service 3.0
RP1081: 09/09/2012 15:39:56 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
ACDSee for PENTAX 3.0
Adobe Acrobat 4.0
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
aiofw
aioprnt
aioscnnr
AmpliTube LE
C4USelfUpdater
center
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
GEAR 32bit Driver Installer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics Driver
Intel(R) PRO Ethernet Adapter and Software
Java(TM) 6 Update 6
KODAK AiO Home Centre
ksDIP
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
NETGEAR WG111v2 wireless USB 2.0 adapter
OGA Notifier 2.0.0048.0
Orange Search Toolbar
PreReq
Rapport
Safari
SafeCast Shared Components
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SoundMAX
Uniblue PowerSuite
Uniblue RegistryBooster
Uniblue SpeedUpMyPC
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
ViewSonic Monitor Drivers
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
12/09/2012 14:54:54, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.135.826.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8704.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
12/09/2012 14:27:29, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.135.826.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8704.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
12/09/2012 13:27:40, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.135.826.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8704.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
12/09/2012 13:27:39, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/09/2012 13:17:01, error: Dhcp [1002] - The IP address lease 192.168.1.9 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 10.106.183.65 (The DHCP Server sent a DHCPNACK message).
12/09/2012 13:11:16, error: Dhcp [1002] - The IP address lease 192.168.1.10 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
09/09/2012 16:36:17, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter RapportKELL StarOpen
09/09/2012 16:35:34, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
07/09/2012 18:32:18, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
05/09/2012 14:51:46, error: Service Control Manager [7003] - The Kodak AiO Network Discovery Service service depends on the following nonexistent service: Bonjour Service
05/09/2012 14:51:44, error: Dhcp [1002] - The IP address lease 192.168.1.9 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================


ark text file:

GMER 1.0.15.15641 - http://www.gmer.net
Autostart scan 2012-09-12 19:15:23
Windows 5.1.2600 Service Pack 3

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@GinaDLLRtlGina2.dll = RtlGina2.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll
igfxcui@DLLName = igfxsrvc.dll
WgaLogon@DLLName = WgaLogon.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
C-DillaCdaC11BA@ = C:\WINDOWS\system32\drivers\CDAC11BA.EXE
Kodak AiO Network Discovery Service@ = C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
MBAMService@ = "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"
MsMpSvc@ = "c:\Program Files\Microsoft Security Client\MsMpEng.exe"
RapportMgmtService@ = "C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe"
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@HotKeysCmdsC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
@Conime%windir%\system32\conime.exe = %windir%\system32\conime.exe
@EKIJ5000StatusMonitorC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
@MSC"c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey = "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
@WSManHTTPConfigC:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe = C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe
@Malwarebytes' Anti-Malware"C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray = "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@ WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) =
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL = C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/(null) =
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{11016101-E366-4D22-BC06-4ADA335C892B} /*IE History and Feeds Shell Data Source for Windows Search*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{8856f961-340a-11d0-a96b-00c04fd705a2} /*Microsoft Web Browser*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{09A47860-11B0-4DA5-AFA5-26D86198A780} /*EPP*/c:\PROGRA~1\MI239C~1\shellext.dll = c:\PROGRA~1\MI239C~1\shellext.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\EPP@{09A47860-11B0-4DA5-AFA5-26D86198A780} = c:\PROGRA~1\MI239C~1\shellext.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\EPP@{09A47860-11B0-4DA5-AFA5-26D86198A780} = c:\PROGRA~1\MI239C~1\shellext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll = C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.google.co.uk/
HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll
---- EOF - GMER 1.0.15 ----


Many thanks.
Catherine-N
18-Sep-2012, 03:39 PM #2
Bump
Cookiegal
Administrator & Malware Removal Specialist with 97,489 posts.
Join Date: Aug 2003
19-Sep-2012, 08:46 AM #3
Please visit Combofix Guide & Instructions for instructions for installing the Recovery Console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices (don't worry, the keyboard and mouse will still function) to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
__________________
Microsoft MVP - Consumer Security
Catherine-N
19-Sep-2012, 02:37 PM #4
Combo fix step
Thanks Cookiegirl.

I followed the steps & two things:

1. When it reached the stage where it was going to auto show the log - it took my pc out of safe mode and then the Ukash screen came up again and locked me out.

I shut down & restarted in safe mode again. I looked in C/puppy and am guessing the most recently created file is the one I should paste


2. When I logged on to Tech Guy in safe mode I discovered I have lost my keyboard - an e comes out as French accented, t doesn't do anything, i and a both have accents on them...

I'm going to type the log in manually from my iPhone, so I hope I've got the spaces and returns & whatnot right. Here goes anyway!!

ComboFix 12-09-18.07 - Administrator 19/09/2012 18:33:25.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.517 [GMT 1:00]
Running from: C:\Documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBC}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL0436.tmp
C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL0717.tmp
C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL1193.tmp
C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL2012.tmp
C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL3307.tmp
C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\Recent\Thumbs.db
C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\WINDOWS
C:\Documents and Settings\All Users.WINDOWS\Application Data\xmlD.tmp
C:\Documents and Settings\All Users.WINDOWS\Application Data\xmlE.tmp
C:\Documents and Settings\All Users.WINDOWS\Application Data\xmlF.tmp
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.1.0.inf
C:\WINDOWS\system32\RtlGina2.dll
C:\WINDOWS\system32\SET33.tmp
C:\WINDOWS\system32\SET37.tmp
C:\WINDOWS\system32\SET3F.tmp


Ok think that was it. Thanks for your help!
Catherine-N
19-Sep-2012, 02:40 PM #5
Ps - sorry - Cookiegal...
Cookiegal
19-Sep-2012, 03:42 PM #6
There would be much more to the log than that. It would be located at C:\combofix.txt.
Catherine-N
19-Sep-2012, 07:42 PM #7
Thanks Cookiegal - but that was the name of the file...just located in C:\puppy\combofix.txt - which I figured was because I'd saved the programme as puppy?

I've just logged on again anyway and done a search of combofix.txt and the only file that came up is that one in the puppy folder on the C drive. What's weird is that my keyboard is working again now!

Could it be because the combofix didn't get to automatically open the file and the Ukash virus screen came on again that maybe it didn't complete the process? Or maybe part of the file got wiped?

Should I run the combofix again? Is there any way I can ensure it restarts in safe mode as otherwise the virus just stops it completing?

Appreciate your help & advice.
Thanks
Catherine.
Cookiegal
19-Sep-2012, 07:53 PM #8
The log should not be in the puppy folder. It should be in the root (C:) drive.

Download and run the following tool to help allow other programs to run. (Courtesy of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one. Do not reboot after running this program.

Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif

Then run ComboFix again please. Be sure to disable your security programs before running ComboFix.
Catherine-N
20-Sep-2012, 11:44 AM #9
Ok - seems to have worked with the first link - here's the file that popped up:

ComboFix 12-09-20.01 - Administrator 20/09/2012 16:16:15.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.446 [GMT 1:00]
Running from: c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL0436.tmp
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL0717.tmp
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL1193.tmp
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL2012.tmp
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL3307.tmp
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Recent\Thumbs.db
c:\documents and settings\All Users.WINDOWS\Application Data\xmlD.tmp
c:\documents and settings\All Users.WINDOWS\Application Data\xmlE.tmp
c:\documents and settings\All Users.WINDOWS\Application Data\xmlF.tmp
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
c:\windows\system32\RtlGina2.dll
c:\windows\system32\SET33.tmp
c:\windows\system32\SET37.tmp
c:\windows\system32\SET3F.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-08-20 to 2012-09-20 )))))))))))))))))))))))))))))))
.
.
2012-09-19 16:57 . 2012-08-22 23:15 7022536 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{84A1B710-62B5-47B1-B504-7784DA9D5136}\mpengine.dll
2012-09-12 13:11 . 2012-09-12 13:32 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto
2012-09-12 13:09 . 2012-09-12 13:09 -------- dc----w- c:\program files\Microsoft Windows OneCare Live
2012-09-09 15:41 . 2012-09-09 15:41 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Malwarebytes
2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-09 15:40 . 2012-07-03 12:46 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
2012-09-09 14:40 . 2012-08-22 23:15 7022536 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-29 19:58 . 2012-05-07 10:15 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-29 19:58 . 2011-12-18 18:29 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-29 19:52 . 2012-07-29 19:52 65848 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-07-06 13:58 . 2001-08-23 12:00 78336 -c--a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2007-09-22 18:25 139784 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2001-08-23 12:00 1866112 -c--a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2001-08-23 12:00 916992 -c--a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2001-08-23 12:00 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2001-08-23 12:00 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2007-09-22 19:10 385024 -c--a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"WSManHTTPConfig"="c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe" [2012-09-09 89600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"5353:UDP"= 5353:UDP:Bonjour Port 5353
.
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [27/03/2006 17:53 167808]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [29/07/2012 20:52 65848]
S1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [11/08/2012 15:26 228376]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [29/07/2012 20:52 71480]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [29/07/2012 20:52 166840]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [13/09/2010 18:18 308656]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [09/09/2012 16:40 655944]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [29/07/2012 20:52 976728]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [07/05/2012 11:15 250056]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\DRIVERS\emusba10.sys --> c:\windows\system32\DRIVERS\emusba10.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [09/09/2012 16:40 22344]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [06/06/2012 17:52 21520]
S4 Everet_;Everet_;c:\windows\system32\drivers\ati1btxx.sys [22/09/2007 20:11 56623]
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 19:58]
.
2012-09-19 c:\windows\Tasks\User_Feed_Synchronization-{13B53172-B98C-4AF0-AC9B-BD5D56344E2C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: orange search - file://c:\program files\ORANGE4\Cache\SelectedContextSearch.htm
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-20 16:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,44,22,f2,ee,ea,06,46,92,8a,c5, \
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,c8,4e,54,da,d8,7b,42,80,f8,6f, \
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,13,2f,59,e9,78,d7,52,47,b9,53,cb, \
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(184)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL
.
Completion time: 2012-09-20 16:29:12
ComboFix-quarantined-files.txt 2012-09-20 15:29
.
Pre-Run: 5,552,099,328 bytes free
Post-Run: 5,539,196,928 bytes free
.
- - End Of File - - 612E1057337AFC23909419E1B839D164
Cookiegal
20-Sep-2012, 06:59 PM #10
Open Notepad and copy and paste the text in the code box below into it:

Code:
Folder::
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.
Catherine-N
21-Sep-2012, 02:52 PM #11
Hi Cookiegal - ok - followed your instructions - here's the log it created:

ComboFix 12-09-20.03 - Administrator 21/09/2012 19:38:23.3.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.443 [GMT 1:00]
Running from: c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
Command switches used :: c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto\BukF.dat
c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto\TujP.dat
.
.
((((((((((((((((((((((((( Files Created from 2012-08-21 to 2012-09-21 )))))))))))))))))))))))))))))))
.
.
2012-09-20 15:13 . 2012-09-20 15:29 -------- dc----w- C:\puppy
2012-09-19 16:57 . 2012-08-22 23:15 7022536 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{84A1B710-62B5-47B1-B504-7784DA9D5136}\mpengine.dll
2012-09-12 13:09 . 2012-09-12 13:09 -------- dc----w- c:\program files\Microsoft Windows OneCare Live
2012-09-09 15:41 . 2012-09-09 15:41 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Malwarebytes
2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-09 15:40 . 2012-07-03 12:46 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
2012-09-09 14:40 . 2012-08-22 23:15 7022536 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-29 19:58 . 2012-05-07 10:15 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-29 19:58 . 2011-12-18 18:29 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-29 19:52 . 2012-07-29 19:52 65848 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-07-06 13:58 . 2001-08-23 12:00 78336 -c--a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2007-09-22 18:25 139784 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2001-08-23 12:00 1866112 -c--a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2001-08-23 12:00 916992 -c--a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2001-08-23 12:00 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2001-08-23 12:00 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2007-09-22 19:10 385024 -c--a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"WSManHTTPConfig"="c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe" [2012-09-09 89600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\Kodak\\Installer\\Setup.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"5353:UDP"= 5353:UDP:Bonjour Port 5353
.
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [27/03/2006 17:53 167808]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [29/07/2012 20:52 65848]
S1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [11/08/2012 15:26 228376]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [29/07/2012 20:52 71480]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [29/07/2012 20:52 166840]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [13/09/2010 18:18 308656]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [09/09/2012 16:40 655944]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [29/07/2012 20:52 976728]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [07/05/2012 11:15 250056]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\DRIVERS\emusba10.sys --> c:\windows\system32\DRIVERS\emusba10.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [09/09/2012 16:40 22344]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [06/06/2012 17:52 21520]
S4 Everet_;Everet_;c:\windows\system32\drivers\ati1btxx.sys [22/09/2007 20:11 56623]
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 19:58]
.
2012-09-19 c:\windows\Tasks\User_Feed_Synchronization-{13B53172-B98C-4AF0-AC9B-BD5D56344E2C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: orange search - file://c:\program files\ORANGE4\Cache\SelectedContextSearch.htm
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-21 19:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,44,22,f2,ee,ea,06,46,92,8a,c5, \
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,c8,4e,54,da,d8,7b,42,80,f8,6f, \
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,13,2f,59,e9,78,d7,52,47,b9,53,cb, \
.
Completion time: 2012-09-21 19:50:24
ComboFix-quarantined-files.txt 2012-09-21 18:50
ComboFix2.txt 2012-09-20 15:29
.
Pre-Run: 5,502,648,320 bytes free
Post-Run: 5,530,439,680 bytes free
.
- - End Of File - - AA18AF5BFAFD49609C307D96222F2836
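The "Reg Loading Points" and service lines in the ComboFix log above are what the helper reads before deciding what to remove. As an added example that is not part of this thread, of ComboFix or of OTS, the Python below parses lines copied from that log and lists the entries a reviewer would look at first: a binary launched from a user profile path rather than the Windows or Program Files trees, a file dated within a few days of a reference date, or a service whose file ComboFix marked "[?]" (read here as not found on disk). The trusted path prefixes, the three-day window and the 2012-09-09 reference date (the date the log gives for the Malwarebytes install) are assumptions of the example, and a hit is a prompt for review rather than a verdict: the same date test also flags the freshly installed Malwarebytes service.

```python
"""Triage of Run-key and service lines from a ComboFix log (added example,
not ComboFix/OTS code). Paths, date window and reference date are assumptions."""
import re
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import List, Optional

# Sample input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"WSManHTTPConfig"="c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe" [2012-09-09 89600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [29/07/2012 20:52 71480]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [09/09/2012 16:40 655944]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\DRIVERS\emusba10.sys --> c:\windows\system32\DRIVERS\emusba10.sys [?]
S4 Everet_;Everet_;c:\windows\system32\drivers\ati1btxx.sys [22/09/2007 20:11 56623]
'''

KEY_HEADER = re.compile(r'^\[(?P<key>HK[^\]]*)\]$')
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*'
                       r'\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
SERVICE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
                     r'(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]$')

# Assumption of this example: binaries under these roots are in their expected
# place; anything launched from elsewhere is worth a second look.
TRUSTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')


@dataclass
class Entry:
    kind: str                 # 'run' or 'service'
    origin: str               # registry key for Run values, start type for services
    name: str
    path: str
    created: Optional[date]   # file date ComboFix printed, None if it printed [?]
    on_disk: bool             # False when ComboFix printed [?] for the file
    reasons: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Collect Run-key values and R/S service lines from ComboFix output."""
    entries, current_key = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_HEADER.match(line):
            current_key = m.group('key')
        elif m := RUN_ENTRY.match(line):
            entries.append(Entry('run', current_key, m.group('name'), m.group('path'),
                                 date.fromisoformat(m.group('date')), True))
        elif m := SERVICE.match(line):
            path = m.group('path').split(' --> ')[0]   # registry path, before the arrow
            tokens = m.group('meta').split()           # 'dd/mm/yyyy hh:mm size' or '?'
            if tokens and tokens[0] != '?':
                created = datetime.strptime(tokens[0], '%d/%m/%Y').date()
                entries.append(Entry('service', m.group('start'), m.group('name'), path, created, True))
            else:
                entries.append(Entry('service', m.group('start'), m.group('name'), path, None, False))
    return entries


def assess(entry: Entry, reference_day: date, window_days: int) -> List[str]:
    """Return the reasons an entry deserves review (empty list if none)."""
    reasons = []
    p = entry.path.lower()
    if not p.startswith(TRUSTED_PREFIXES):
        where = ('a user profile directory' if '\\documents and settings\\' in p
                 else 'outside the Windows and Program Files trees')
        reasons.append('launches from ' + where)
    if entry.created is not None and abs((entry.created - reference_day).days) <= window_days:
        reasons.append('file dated %s, within %d day(s) of %s'
                       % (entry.created, window_days, reference_day))
    if not entry.on_disk:
        reasons.append('file not found on disk')
    return reasons


def triage(text: str, reference_day: str, window_days: int = 3) -> List[Entry]:
    """Flagged entries, most reasons first; reference_day is ISO (YYYY-MM-DD)."""
    ref = date.fromisoformat(reference_day)
    flagged = []
    for entry in parse_log(text):
        entry.reasons = assess(entry, ref, window_days)
        if entry.reasons:
            flagged.append(entry)
    return sorted(flagged, key=lambda e: (-len(e.reasons), e.name))


if __name__ == '__main__':
    # Reference date is an assumption: the Malwarebytes install date shown in the log.
    for e in triage(SAMPLE_LOG, '2012-09-09'):
        print('%-8s %-28s %s' % (e.kind, e.name, e.path))
        print('         - ' + '; '.join(e.reasons))
```

Run as a script it prints the review list; `triage()` returns the entries so the same check can be pointed at another log. On this sample the Run value that lives under the Administrator profile comes out on top with two reasons, the Malwarebytes service is flagged on date alone, and the E-MU driver is listed only because ComboFix printed "[?]" where it would normally show a date and size.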
Cookiegal
Administrator & Malware Removal Specialist with 97,489 posts.
Join Date: Aug 2003
21-Sep-2012, 06:01 PM #12
Download OTS.exe to your Desktop.
  1. Close any open browsers.
  2. If your Real protection or Antivirus interferes with OTS, allow it to run.
  3. Double-click on OTS.exe to start the program.
  4. At the top put a check mark in the box beside "Scan All Users".
  5. Under the Additional Scans section put a check in the box next to Disabled MS Config Items, NetSvcs and EventViewer logs (Last 10 errors)
  6. Now click the Run Scan button on the toolbar.
  7. Let it run unhindered until it finishes.
  8. When the scan is complete Notepad will open with the report file loaded in it.
  9. Save that notepad file.
Use the Reply button, scroll down to the attachments section and attach the notepad file here.
Catherine-N (thread starter)
Member with 97 posts.
Join Date: Sep 2012
Experience: Beginner
22-Sep-2012, 05:59 AM #13
Good morning!
Good morning Cookiegal! OK, followed the next steps and have attached the notepad file as instructed (well - at least I think I've attached it properly...)

Have a great day!
Attachment Blocked: attachments in the HJT forum are specific to the computer they were posted for and are only viewable by logged-in members.
Cookiegal
Administrator & Malware Removal Specialist with 97,489 posts.
Join Date: Aug 2003
22-Sep-2012, 02:47 PM #14
Start OTS. Copy/Paste the information in the code box below into the pane where it says "Paste fix here" and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here please.

Code:
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\] > -> HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Empty Temp Folders]
[EmptyFlash]
[EmptyJava]
[Start Explorer]
[Reboot]
Catherine-N (thread starter)
Member with 97 posts.
Join Date: Sep 2012
Experience: Beginner
23-Sep-2012, 06:44 AM #15
Hi Cookiegal - well, I feel a bit depressed now... I followed the instructions and pasted the fix, but when it finished, a message box telling me it was finished didn't pop up and so the Notepad didn't open. What happened was a message popped up telling me the system required a reboot and did I want to etc. - it didn't give me any option to say no, there was only one button I could click to continue, so I had to let it reboot.

Once back up and in safemode, on the desktop I could see a new thing called Thumbs.db - I thought, maybe that's the text file and it's called db for some special reason. So I clicked on that and a message popped up saying something along the lines of I was attempting to open a certain sort of file and it was used for certain things and I could damage things if I went ahead and did I want to go ahead -so I clicked cancel as obviously it wasn't the text file & didn't want to damage anything.

I then thought I'll do a search of all the files created today using .tx as my search reference. This came up with loads of txt files - 15 of them in the Documents and Settings folders \ Cookies. Then there was one file in the C:\windows folder called ntbtlog.txt (is that the one?) and one called WGAErrlog.txt in the C:\Windows\temp folder and finally one txt file called drivetable.txt in C:\system volume information\_restore{a load of letters & numbers}

Are any of those the file I need? Thanks, Catherine.
THIS THREAD HAS EXPIRED.