Solved: Recently acquired malware from usb

Tellytubby · 02-Sep-2010, 06:39 AM #1

Hi all,

I recently stuck a usb in my laptop (running vista) and mindlessly clicked open when the autoplay popped up. Straight after doing so I realised the autoplay window was different to usual and I think I executed some kind of malware. AVG popped up saying it had detected some bad stuff but wasn't able to remove anything. My internet stopped working and there was a suspect rundll.exe in task manager. I tried to end the process but was told access was denied. I tried to right click the process and the only option that comes up is 'Perform Administrative Tasks'.

I also had my mobile phone attached by usb at the time. I'm pretty sure the SD card in the phone was infected. The phone shut down and wouldn't restart until I unplugged the sd card. When I reinserted the card it said it was installing something which failed and the phone said there was untrusted software on the sd card that I could install manually if I wanted.

I'll post my HiJackThis log. Thanks in advance for the assistance - you guys have saved my butt before and I appreciate it very very much.

Regards,
Andrew

--

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:37:29 PM, on 2/09/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\CyberLink\Shared Files\brs.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\mobsync.exe
C:\Users\Andrew\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.e xe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://aldi.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.72.251:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies Inc\Notebook Software\NotebookPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [UpdatePDRShortCut] "C:\Program Files\HomeCinema\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\HomeCinema\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\HomeCinema\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [UpdatePPShortCut] "C:\Program Files\HomeCinema\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files\HomeCinema\PowerProducer" update "Software\CyberLink\PowerProducer\5.0"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [czreopq] rundll32.exe "C:\Users\Andrew\AppData\Roaming\vscbr.dll",pylbyjq
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [CategoryGfxSysClass] regsvr32 /s /u "C:\Users\Andrew\AppData\Local\CategoryGfxSys\CategoryGfxSysClass.dll"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SteamWatchTray] C:\Program Files\SteamWatch\SteamWatchTray.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C156357C-87BF-4C91-AEB6-048F273EE194}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: mediaman - {F00B23B6-E372-4227-BCD9-CDC32EA1521E} - C:\Program Files\MediaMan\CoMProt.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: SteamWatch - CL - C:\Program Files\SteamWatch\SteamWatch.exe

--
End of file - 11379 bytes

Tellytubby · 06-Sep-2010, 01:07 AM #2

Polite rule abiding bump.

**dvk01** · 06-Sep-2010, 06:48 AM #3

Delete any existing version of ComboFix you have sitting on your desktop

Please read and follow all these instructions very carefully

Download ComboFix from Here or Hereto your Desktop.

**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again after combofix has finished

--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running

Double click on combofix.exe & follow the prompts.

If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Please tell us if it has cured the problems or if there are any outstanding issues

Tellytubby · 12:00 PM

Here's the combo fix log:

ComboFix 10-09-04.06 - Andrew 07/09/2010 0:47.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.3070.1775 [GMT 10:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))
.

2010-09-06 14:55 . 2010-09-06 14:55 -------- d-----w- c:\users\Uni\AppData\Local\temp
2010-09-06 14:55 . 2010-09-06 14:55 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-06 14:55 . 2010-09-06 14:55 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-09-06 14:55 . 2010-09-06 14:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-06 08:20 . 2010-09-06 08:20 -------- d-----w- c:\program files\iPod
2010-09-06 08:20 . 2010-09-06 08:22 -------- d-----w- c:\program files\iTunes
2010-09-06 08:12 . 2010-09-06 08:13 -------- d-----w- c:\program files\QuickTime
2010-09-06 07:05 . 2010-09-06 07:05 -------- d-----w- c:\users\Andrew\Games
2010-09-02 12:25 . 2010-09-02 12:25 -------- d-----w- c:\users\Andrew\Flavour
2010-09-01 16:11 . 2009-07-14 17:48 64512 ----a-w- c:\windows\system32\WUDFSvc.dll
2010-09-01 16:11 . 2009-07-14 17:48 39936 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2010-09-01 16:11 . 2009-07-14 17:45 132224 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2010-09-01 16:11 . 2009-07-14 17:48 567808 ----a-w- c:\windows\system32\WUDFx.dll
2010-09-01 16:11 . 2009-07-14 17:48 162304 ----a-w- c:\windows\system32\WUDFPlatform.dll
2010-09-01 16:11 . 2009-07-14 17:45 92672 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2010-09-01 16:11 . 2009-07-14 17:45 195584 ----a-w- c:\windows\system32\WUDFHost.exe
2010-08-31 06:51 . 2010-08-31 06:52 -------- d-----w- c:\program files\Common Files\Native Instruments
2010-08-19 07:43 . 2010-08-19 07:43 -------- d-----w- C:\PFiles
2010-08-14 03:43 . 2010-08-14 03:43 -------- d-----w- c:\program files\Transcribe!
2010-08-12 11:44 . 2010-06-18 14:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 11:44 . 2010-06-18 14:43 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 04:29 . 2010-06-08 17:00 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-12 04:29 . 2010-06-08 17:00 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 04:29 . 2010-06-21 13:18 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-08-12 04:29 . 2010-06-18 16:43 36352 ----a-w- c:\windows\system32\rtutils.dll
2010-08-12 04:29 . 2010-05-27 19:16 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-12 04:29 . 2010-06-16 15:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-12 04:28 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-08-11 14:55 . 2010-08-11 14:55 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-06 14:38 . 2008-09-22 16:50 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-06 14:37 . 2010-02-15 13:16 12 ----a-w- c:\windows\bthservsdp.dat
2010-09-06 08:33 . 2009-02-05 12:44 -------- d-----w- c:\program files\Steam
2010-09-06 08:20 . 2009-01-31 00:34 -------- d-----w- c:\program files\Common Files\Apple
2010-09-02 09:40 . 2009-02-05 12:44 -------- d-----w- c:\program files\Common Files\Steam
2010-09-01 16:43 . 2010-09-01 16:43 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_09_00.Wdf
2010-09-01 16:38 . 2009-01-30 15:20 -------- d-----w- c:\users\Andrew\AppData\Roaming\Skype
2010-09-01 14:04 . 2009-01-30 15:22 -------- d-----w- c:\users\Andrew\AppData\Roaming\skypePM
2010-08-31 06:51 . 2009-10-30 14:10 -------- d-----w- c:\program files\Native Instruments
2010-08-18 15:01 . 2010-07-25 04:07 -------- d-----w- c:\users\Andrew\AppData\Roaming\Nokia
2010-08-18 13:34 . 2010-07-18 05:05 -------- d-----w- c:\users\Andrew\AppData\Roaming\MediaMan
2010-08-12 23:58 . 2008-09-22 16:31 -------- d-----w- c:\program files\Microsoft Works
2010-08-12 23:52 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-04 12:55 . 2009-02-03 06:18 1 ----a-w- c:\users\Andrew\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\st amp.sys
2010-07-25 05:40 . 2010-07-25 05:39 -------- d-----w- c:\users\Andrew\AppData\Roaming\PC Suite
2010-07-25 05:30 . 2010-07-25 05:30 -------- d-----w- c:\program files\Common Files\PCSuite
2010-07-25 05:30 . 2010-07-25 05:30 -------- d-----w- c:\program files\Common Files\Nokia
2010-07-25 05:30 . 2010-07-24 05:11 -------- d-----w- c:\program files\Nokia
2010-07-25 05:28 . 2010-07-25 05:28 -------- d-----w- c:\program files\PC Connectivity Solution
2010-07-25 04:09 . 2010-07-24 05:19 -------- d-----w- c:\program files\DIFX
2010-07-24 05:33 . 2010-07-24 05:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
2010-07-24 05:33 . 2010-07-24 05:33 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-07-18 05:05 . 2010-07-18 05:05 -------- d-----w- c:\program files\MediaMan
2010-06-26 06:05 . 2010-08-12 04:30 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-12 04:30 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-12 04:30 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-12 04:30 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-15 08:33 . 2010-06-15 08:33 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-15 08:33 . 2010-06-15 08:33 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-06-15 08:33 . 2010-06-15 08:33 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-06-11 15:31 . 2010-08-12 04:30 274432 ----a-w- c:\windows\system32\schannel.dll
2010-06-09 22:11 . 2009-01-14 04:19 140984 ----a-w- c:\users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-13 08:22 . 2009-10-13 08:22 604 ---ha-w- c:\program files\STLL Notifier
2008-08-18 10:13 . 2008-08-18 10:13 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-01-30 133104]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-29 1828136]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"CategoryGfxSysClass"="c:\users\Andrew\AppData\Local\CategoryGfxSys\Categor yGfxSysClass.dll" [2009-10-17 98304]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]
"SteamWatchTray"="c:\program files\SteamWatch\SteamWatchTray.exe" [2008-04-10 15360]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2010-05-14 1479680]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-22 13552160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-22 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2007-12-05 4710400]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-09 1025320]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-10-09 102400]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"UpdatePDRShortCut"="c:\program files\HomeCinema\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"PDVD8LanguageShortcut"="c:\program files\HomeCinema\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-08-08 91432]
"UpdatePPShortCut"="c:\program files\HomeCinema\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-02-22 222504]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-30 648072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-09 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-08-31 421160]

c:\users\Uni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDef end]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSv c]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SMART Board Tools.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SMART Board Tools.lnk
backup=c:\windows\pss\SMART Board Tools.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Andrew^AppData^Roaming^Microsoft^Windows^Star t Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2008-03-17 16:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2008-12-11 16:31 722256 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-01-30 14:43 133104 ----atw- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 00:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 10:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-08-31 22:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-09-25 12:31 185640 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
2008-07-04 22:48 172032 ----a-w- c:\program files\HomeCinema\PlayMovie\PMVService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-09 19:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
2008-03-21 03:23 83240 ------w- c:\program files\HomeCinema\PowerDVD8\PDVD8Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMART Board Service]
2007-11-01 19:48 1283336 ----a-w- c:\program files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-08-31 10:24 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 uxddrv;Dynamically loaded UxdDrv;f:\diagnose\WSTENG32\2PART\uxddrv.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v040 0.exe [2010-03-18 753504]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-29 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-11 108552]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\HomeCinema\PlayMovie\000.fcl [2008-08-26 41456]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\HomeCinema\PowerDVD8\000.fcl [2008-06-27 61424]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-29 297752]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-25 189736]
S2 SteamWatch;SteamWatch;c:\program files\SteamWatch\SteamWatch.exe [2008-04-10 18944]
S3 DCamUSBGene;GenesysLogic USB2.0 PC Camera;c:\windows\system32\DRIVERS\usbgene.sys [2007-06-26 131584]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [2009-01-19 517120]
S3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [2007-11-13 14480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4207305771-619240016-1049760594-1000Core.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-30 14:43]

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4207305771-619240016-1049760594-1000UA.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-30 14:43]

2010-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4207305771-619240016-1049760594-1001Core.job
- c:\users\Uni\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-21 10:24]

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4207305771-619240016-1049760594-1001UA.job
- c:\users\Uni\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-21 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aldi.com/
mStart Page = hxxp://aldi.com.au/
uInternet Settings,ProxyServer = 192.168.72.251:8080
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {C156357C-87BF-4C91-AEB6-048F273EE194} = 208.67.222.222,208.67.220.220
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-czreopq - c:\users\Andrew\AppData\Roaming\vscbr.dll
SafeBoot-WudfPf
SafeBoot-WudfRd

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 00:55
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\HomeCinema\PlayMovie\000.fcl"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\HomeCinema\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2524)
c:\users\Andrew\AppData\Local\CategoryGfxSys\CategoryGfxSysClass.dll
.
Completion time: 2010-09-07 00:58:34
ComboFix-quarantined-files.txt 2010-09-06 14:58

Pre-Run: 115,120,242,688 bytes free
Post-Run: 115,448,487,936 bytes free

- - End Of File - - F4A2E69F4E374CB594E6BDAEF8285278

**dvk01** · 06-Sep-2010, 03:13 PM #5

combofix fixed soem entries but there is a strange file running I want to examine

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)
Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished
Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum

This will create a zip file inside C:\QooBox\quarantine named something like [38]-Submit_2008-01-17@17.50.zip

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\quarantine created by combofix named something like [38]-Submit_2008-01-17@17.50.zip

or to
http://www.bleepingcomputer.com/subm...php?channel=38

Tellytubby · 06-Sep-2010, 11:38 PM #6

Upload at end seemed successful. Here's the new log:

ComboFix 10-09-06.03 - Andrew 07/09/2010 12:14:45.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.3070.1657 [GMT 10:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\users\Andrew\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\users\Andrew\AppData\Local\CategoryGfxSys\CategoryGfxSysClass.dll
.

((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-09-07 02:29 . 2010-09-07 02:29 -------- d-----w- c:\users\Uni\AppData\Local\temp
2010-09-07 02:29 . 2010-09-07 02:29 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-07 02:29 . 2010-09-07 02:29 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-09-07 02:29 . 2010-09-07 02:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-06 08:20 . 2010-09-06 08:20 -------- d-----w- c:\program files\iPod
2010-09-06 08:20 . 2010-09-06 08:22 -------- d-----w- c:\program files\iTunes
2010-09-06 08:12 . 2010-09-06 08:13 -------- d-----w- c:\program files\QuickTime
2010-09-06 07:05 . 2010-09-06 07:05 -------- d-----w- c:\users\Andrew\Games
2010-09-02 12:25 . 2010-09-02 12:25 -------- d-----w- c:\users\Andrew\Flavour
2010-09-01 16:11 . 2009-07-14 17:48 64512 ----a-w- c:\windows\system32\WUDFSvc.dll
2010-09-01 16:11 . 2009-07-14 17:48 39936 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2010-09-01 16:11 . 2009-07-14 17:45 132224 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2010-09-01 16:11 . 2009-07-14 17:48 567808 ----a-w- c:\windows\system32\WUDFx.dll
2010-09-01 16:11 . 2009-07-14 17:48 162304 ----a-w- c:\windows\system32\WUDFPlatform.dll
2010-09-01 16:11 . 2009-07-14 17:45 92672 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2010-09-01 16:11 . 2009-07-14 17:45 195584 ----a-w- c:\windows\system32\WUDFHost.exe
2010-08-31 06:51 . 2010-08-31 06:52 -------- d-----w- c:\program files\Common Files\Native Instruments
2010-08-19 07:43 . 2010-08-19 07:43 -------- d-----w- C:\PFiles
2010-08-14 03:43 . 2010-08-14 03:43 -------- d-----w- c:\program files\Transcribe!
2010-08-12 11:44 . 2010-06-18 14:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 11:44 . 2010-06-18 14:43 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 04:29 . 2010-06-08 17:00 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-12 04:29 . 2010-06-08 17:00 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 04:29 . 2010-06-21 13:18 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-08-12 04:29 . 2010-06-18 16:43 36352 ----a-w- c:\windows\system32\rtutils.dll
2010-08-12 04:29 . 2010-05-27 19:16 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-12 04:29 . 2010-06-16 15:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-12 04:28 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-08-11 14:55 . 2010-08-11 14:55 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-06 14:38 . 2008-09-22 16:50 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-06 14:37 . 2010-02-15 13:16 12 ----a-w- c:\windows\bthservsdp.dat
2010-09-06 08:33 . 2009-02-05 12:44 -------- d-----w- c:\program files\Steam
2010-09-06 08:20 . 2009-01-31 00:34 -------- d-----w- c:\program files\Common Files\Apple
2010-09-02 09:40 . 2009-02-05 12:44 -------- d-----w- c:\program files\Common Files\Steam
2010-09-01 16:43 . 2010-09-01 16:43 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_09_00.Wdf
2010-09-01 16:38 . 2009-01-30 15:20 -------- d-----w- c:\users\Andrew\AppData\Roaming\Skype
2010-09-01 14:04 . 2009-01-30 15:22 -------- d-----w- c:\users\Andrew\AppData\Roaming\skypePM
2010-08-31 06:51 . 2009-10-30 14:10 -------- d-----w- c:\program files\Native Instruments
2010-08-18 15:01 . 2010-07-25 04:07 -------- d-----w- c:\users\Andrew\AppData\Roaming\Nokia
2010-08-18 13:34 . 2010-07-18 05:05 -------- d-----w- c:\users\Andrew\AppData\Roaming\MediaMan
2010-08-12 23:58 . 2008-09-22 16:31 -------- d-----w- c:\program files\Microsoft Works
2010-08-12 23:52 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-04 12:55 . 2009-02-03 06:18 1 ----a-w- c:\users\Andrew\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\st amp.sys
2010-07-25 05:40 . 2010-07-25 05:39 -------- d-----w- c:\users\Andrew\AppData\Roaming\PC Suite
2010-07-25 05:30 . 2010-07-25 05:30 -------- d-----w- c:\program files\Common Files\PCSuite
2010-07-25 05:30 . 2010-07-25 05:30 -------- d-----w- c:\program files\Common Files\Nokia
2010-07-25 05:30 . 2010-07-24 05:11 -------- d-----w- c:\program files\Nokia
2010-07-25 05:28 . 2010-07-25 05:28 -------- d-----w- c:\program files\PC Connectivity Solution
2010-07-25 04:09 . 2010-07-24 05:19 -------- d-----w- c:\program files\DIFX
2010-07-24 05:33 . 2010-07-24 05:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
2010-07-24 05:33 . 2010-07-24 05:33 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-07-18 05:05 . 2010-07-18 05:05 -------- d-----w- c:\program files\MediaMan
2010-06-26 06:05 . 2010-08-12 04:30 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-12 04:30 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-12 04:30 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-12 04:30 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-15 08:33 . 2010-06-15 08:33 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-15 08:33 . 2010-06-15 08:33 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-06-15 08:33 . 2010-06-15 08:33 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-06-11 15:31 . 2010-08-12 04:30 274432 ----a-w- c:\windows\system32\schannel.dll
2010-06-09 22:11 . 2009-01-14 04:19 140984 ----a-w- c:\users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-13 08:22 . 2009-10-13 08:22 604 ---ha-w- c:\program files\STLL Notifier
2008-08-18 10:13 . 2008-08-18 10:13 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-09-06_14.55.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-02 19:28 . 2010-09-07 02:09 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
- 2008-10-02 19:28 . 2010-09-06 14:38 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
+ 2010-06-07 15:18 . 2010-09-07 02:09 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
- 2010-06-07 15:18 . 2010-09-06 14:38 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
- 2008-10-02 19:28 . 2010-09-06 14:38 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2008-10-02 19:28 . 2010-09-07 02:09 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2009-11-27 00:54 . 2010-09-07 01:59 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows \Cookies\index.dat
- 2009-11-27 00:54 . 2010-09-02 07:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows \Cookies\index.dat
+ 2009-11-27 00:54 . 2010-09-07 01:59 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\T emporary Internet Files\Content.IE5\index.dat
- 2009-11-27 00:54 . 2010-09-02 07:49 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\T emporary Internet Files\Content.IE5\index.dat
- 2009-11-27 00:54 . 2010-09-02 07:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\H istory\History.IE5\index.dat
+ 2009-11-27 00:54 . 2010-09-07 01:59 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\H istory\History.IE5\index.dat
+ 2008-09-22 14:34 . 2010-09-07 01:59 359258 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-01-30 133104]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-29 1828136]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"CategoryGfxSysClass"="c:\users\Andrew\AppData\Local\CategoryGfxSys\Categor yGfxSysClass.dll" [2009-10-17 98304]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]
"SteamWatchTray"="c:\program files\SteamWatch\SteamWatchTray.exe" [2008-04-10 15360]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2010-05-14 1479680]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-22 13552160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-22 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2007-12-05 4710400]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-09 1025320]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-10-09 102400]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"UpdatePDRShortCut"="c:\program files\HomeCinema\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"PDVD8LanguageShortcut"="c:\program files\HomeCinema\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-08-08 91432]
"UpdatePPShortCut"="c:\program files\HomeCinema\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-02-22 222504]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-30 648072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-09 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-08-31 421160]

c:\users\Uni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDef end]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSv c]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SMART Board Tools.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SMART Board Tools.lnk
backup=c:\windows\pss\SMART Board Tools.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Andrew^AppData^Roaming^Microsoft^Windows^Star t Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2008-03-17 16:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2008-12-11 16:31 722256 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-01-30 14:43 133104 ----atw- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 00:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 10:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-08-31 22:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-09-25 12:31 185640 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
2008-07-04 22:48 172032 ----a-w- c:\program files\HomeCinema\PlayMovie\PMVService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-09 19:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
2008-03-21 03:23 83240 ------w- c:\program files\HomeCinema\PowerDVD8\PDVD8Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMART Board Service]
2007-11-01 19:48 1283336 ----a-w- c:\program files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-08-31 10:24 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 uxddrv;Dynamically loaded UxdDrv;f:\diagnose\WSTENG32\2PART\uxddrv.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v040 0.exe [2010-03-18 753504]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-29 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-11 108552]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\HomeCinema\PlayMovie\000.fcl [2008-08-26 41456]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\HomeCinema\PowerDVD8\000.fcl [2008-06-27 61424]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-29 297752]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-25 189736]
S2 SteamWatch;SteamWatch;c:\program files\SteamWatch\SteamWatch.exe [2008-04-10 18944]
S3 DCamUSBGene;GenesysLogic USB2.0 PC Camera;c:\windows\system32\DRIVERS\usbgene.sys [2007-06-26 131584]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [2009-01-19 517120]
S3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [2007-11-13 14480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4207305771-619240016-1049760594-1000Core.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-30 14:43]

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4207305771-619240016-1049760594-1000UA.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-30 14:43]

2010-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4207305771-619240016-1049760594-1001Core.job
- c:\users\Uni\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-21 10:24]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4207305771-619240016-1049760594-1001UA.job
- c:\users\Uni\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-21 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aldi.com/
mStart Page = hxxp://aldi.com.au/
uInternet Settings,ProxyServer = 192.168.72.251:8080
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {C156357C-87BF-4C91-AEB6-048F273EE194} = 208.67.222.222,208.67.220.220
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 12:29
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\cfdab521-16fa-4540-9911-d5f195326c7e.tmp 1261 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\HomeCinema\PlayMovie\000.fcl"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\HomeCinema\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(6036)
c:\users\Andrew\AppData\Local\CategoryGfxSys\CategoryGfxSysClass.dll
.
Completion time: 2010-09-07 12:35:03
ComboFix-quarantined-files.txt 2010-09-07 02:34
ComboFix2.txt 2010-09-06 14:58

Pre-Run: 115,484,282,880 bytes free
Post-Run: 114,810,015,744 bytes free

- - End Of File - - 667159EBBBF1842D2405ECF862FFF83C
Upload was successful

**dvk01** · 07-Sep-2010, 04:17 AM #7

The file I examined is malware so we will remove it & its registry entries

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)

Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished

Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply .

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum

Tellytubby · 07-Sep-2010, 06:43 AM #8

Here it is:

ComboFix 10-09-06.03 - Andrew 07/09/2010 18:50:17.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.3070.1601 [GMT 10:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\users\Andrew\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Andrew\AppData\Local\CategoryGfxSys\CategoryGfxSysClass.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Andrew\AppData\Local\CategoryGfxSys\CategoryGfxSysClass.dll

.
((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-09-07 08:58 . 2010-09-07 08:58 -------- d-----w- c:\users\Uni\AppData\Local\temp
2010-09-07 08:58 . 2010-09-07 08:58 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-07 08:58 . 2010-09-07 08:58 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-09-07 08:58 . 2010-09-07 08:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-06 08:20 . 2010-09-06 08:20 -------- d-----w- c:\program files\iPod
2010-09-06 08:20 . 2010-09-06 08:22 -------- d-----w- c:\program files\iTunes
2010-09-06 08:12 . 2010-09-06 08:13 -------- d-----w- c:\program files\QuickTime
2010-09-06 07:05 . 2010-09-06 07:05 -------- d-----w- c:\users\Andrew\Games
2010-09-02 12:25 . 2010-09-02 12:25 -------- d-----w- c:\users\Andrew\Flavour
2010-09-01 16:11 . 2009-07-14 17:48 64512 ----a-w- c:\windows\system32\WUDFSvc.dll
2010-09-01 16:11 . 2009-07-14 17:48 39936 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2010-09-01 16:11 . 2009-07-14 17:45 132224 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2010-09-01 16:11 . 2009-07-14 17:48 567808 ----a-w- c:\windows\system32\WUDFx.dll
2010-09-01 16:11 . 2009-07-14 17:48 162304 ----a-w- c:\windows\system32\WUDFPlatform.dll
2010-09-01 16:11 . 2009-07-14 17:45 92672 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2010-09-01 16:11 . 2009-07-14 17:45 195584 ----a-w- c:\windows\system32\WUDFHost.exe
2010-08-31 06:51 . 2010-08-31 06:52 -------- d-----w- c:\program files\Common Files\Native Instruments
2010-08-19 07:43 . 2010-08-19 07:43 -------- d-----w- C:\PFiles
2010-08-14 03:43 . 2010-08-14 03:43 -------- d-----w- c:\program files\Transcribe!
2010-08-12 11:44 . 2010-06-18 14:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 11:44 . 2010-06-18 14:43 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 04:29 . 2010-06-08 17:00 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-12 04:29 . 2010-06-08 17:00 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 04:29 . 2010-06-21 13:18 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-08-12 04:29 . 2010-06-18 16:43 36352 ----a-w- c:\windows\system32\rtutils.dll
2010-08-12 04:29 . 2010-05-27 19:16 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-12 04:29 . 2010-06-16 15:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-12 04:28 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-08-11 14:55 . 2010-08-11 14:55 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-07 08:58 . 2010-02-15 13:16 12 ----a-w- c:\windows\bthservsdp.dat
2010-09-06 14:38 . 2008-09-22 16:50 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-06 08:33 . 2009-02-05 12:44 -------- d-----w- c:\program files\Steam
2010-09-06 08:20 . 2009-01-31 00:34 -------- d-----w- c:\program files\Common Files\Apple
2010-09-02 09:40 . 2009-02-05 12:44 -------- d-----w- c:\program files\Common Files\Steam
2010-09-01 16:43 . 2010-09-01 16:43 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_09_00.Wdf
2010-09-01 16:38 . 2009-01-30 15:20 -------- d-----w- c:\users\Andrew\AppData\Roaming\Skype
2010-09-01 14:04 . 2009-01-30 15:22 -------- d-----w- c:\users\Andrew\AppData\Roaming\skypePM
2010-08-31 06:51 . 2009-10-30 14:10 -------- d-----w- c:\program files\Native Instruments
2010-08-18 15:01 . 2010-07-25 04:07 -------- d-----w- c:\users\Andrew\AppData\Roaming\Nokia
2010-08-18 13:34 . 2010-07-18 05:05 -------- d-----w- c:\users\Andrew\AppData\Roaming\MediaMan
2010-08-12 23:58 . 2008-09-22 16:31 -------- d-----w- c:\program files\Microsoft Works
2010-08-12 23:52 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-04 12:55 . 2009-02-03 06:18 1 ----a-w- c:\users\Andrew\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\st amp.sys
2010-07-25 05:40 . 2010-07-25 05:39 -------- d-----w- c:\users\Andrew\AppData\Roaming\PC Suite
2010-07-25 05:30 . 2010-07-25 05:30 -------- d-----w- c:\program files\Common Files\PCSuite
2010-07-25 05:30 . 2010-07-25 05:30 -------- d-----w- c:\program files\Common Files\Nokia
2010-07-25 05:30 . 2010-07-24 05:11 -------- d-----w- c:\program files\Nokia
2010-07-25 05:28 . 2010-07-25 05:28 -------- d-----w- c:\program files\PC Connectivity Solution
2010-07-25 04:09 . 2010-07-24 05:19 -------- d-----w- c:\program files\DIFX
2010-07-24 05:33 . 2010-07-24 05:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
2010-07-24 05:33 . 2010-07-24 05:33 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-07-18 05:05 . 2010-07-18 05:05 -------- d-----w- c:\program files\MediaMan
2010-06-26 06:05 . 2010-08-12 04:30 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-12 04:30 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-12 04:30 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-12 04:30 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-15 08:33 . 2010-06-15 08:33 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-15 08:33 . 2010-06-15 08:33 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-06-15 08:33 . 2010-06-15 08:33 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-06-11 15:31 . 2010-08-12 04:30 274432 ----a-w- c:\windows\system32\schannel.dll
2010-06-09 22:11 . 2009-01-14 04:19 140984 ----a-w- c:\users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-13 08:22 . 2009-10-13 08:22 604 ---ha-w- c:\program files\STLL Notifier
2008-08-18 10:13 . 2008-08-18 10:13 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-01-30 133104]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-29 1828136]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]
"SteamWatchTray"="c:\program files\SteamWatch\SteamWatchTray.exe" [2008-04-10 15360]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2010-05-14 1479680]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-22 13552160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-22 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2007-12-05 4710400]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-09 1025320]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-10-09 102400]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"UpdatePDRShortCut"="c:\program files\HomeCinema\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"PDVD8LanguageShortcut"="c:\program files\HomeCinema\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-08-08 91432]
"UpdatePPShortCut"="c:\program files\HomeCinema\PowerProducer\MUITransfer\MUIStartMenu.exe" [2008-02-22 222504]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-30 648072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-09 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-08-31 421160]

c:\users\Uni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDef end]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSv c]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SMART Board Tools.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SMART Board Tools.lnk
backup=c:\windows\pss\SMART Board Tools.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Andrew^AppData^Roaming^Microsoft^Windows^Star t Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2008-03-17 16:06 1848648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2008-12-11 16:31 722256 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-01-30 14:43 133104 ----atw- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 00:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 10:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-08-31 22:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-09-25 12:31 185640 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
2008-07-04 22:48 172032 ----a-w- c:\program files\HomeCinema\PlayMovie\PMVService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-09 19:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
2008-03-21 03:23 83240 ------w- c:\program files\HomeCinema\PowerDVD8\PDVD8Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMART Board Service]
2007-11-01 19:48 1283336 ----a-w- c:\program files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-08-31 10:24 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 uxddrv;Dynamically loaded UxdDrv;f:\diagnose\WSTENG32\2PART\uxddrv.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v040 0.exe [2010-03-18 753504]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-29 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-11 108552]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\HomeCinema\PlayMovie\000.fcl [2008-08-26 41456]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\HomeCinema\PowerDVD8\000.fcl [2008-06-27 61424]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-29 297752]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-25 189736]
S2 SteamWatch;SteamWatch;c:\program files\SteamWatch\SteamWatch.exe [2008-04-10 18944]
S3 DCamUSBGene;GenesysLogic USB2.0 PC Camera;c:\windows\system32\DRIVERS\usbgene.sys [2007-06-26 131584]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [2009-01-19 517120]
S3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [2007-11-13 14480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4207305771-619240016-1049760594-1000Core.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-30 14:43]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4207305771-619240016-1049760594-1000UA.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-30 14:43]

2010-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4207305771-619240016-1049760594-1001Core.job
- c:\users\Uni\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-21 10:24]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4207305771-619240016-1049760594-1001UA.job
- c:\users\Uni\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-21 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aldi.com/
mStart Page = hxxp://aldi.com.au/
uInternet Settings,ProxyServer = 192.168.72.251:8080
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {C156357C-87BF-4C91-AEB6-048F273EE194} = 208.67.222.222,208.67.220.220
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 19:36
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\HomeCinema\PlayMovie\000.fcl"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\HomeCinema\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2632)
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PSIService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\windows defender\MpCmdRun.exe
.
**************************************************************************
.
Completion time: 2010-09-07 19:41:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-07 09:41
ComboFix2.txt 2010-09-07 02:35
ComboFix3.txt 2010-09-06 14:58

Pre-Run: 114,845,097,984 bytes free
Post-Run: 114,405,974,016 bytes free

- - End Of File - - 8C43324047791E89D9184FAB7DDD0E61

**dvk01** · 07-Sep-2010, 08:14 AM #9

how is it now

are you having any problems still or have we cleared them up

Tellytubby · 07-Sep-2010, 09:08 AM **#10**

I'm not noticing any specific symptoms. I assume the malware is still dormant on the usb. Is it possible to clean it safely?

**dvk01** · 07-Sep-2010, 01:42 PM **#11**

first uodate to vista SP2 http://support.microsoft.com/kb/935791
then tell us when you have done taht

SP2 should disable autorun so it will be safe to plug in teh external USB drive & if it doesn't autot=run trhen we can clean it up with combofix & an antivirus scan

Tellytubby · 07-Sep-2010, 07:42 PM **#12**

Alrighty,

SP2 is locked and loaded. Next step boss?

**dvk01** · 08-Sep-2010, 04:26 AM **#13**

plug in the external drive & run combofix

post the new combofix log

Tellytubby · 08-Sep-2010, 05:09 AM **#14**

I believe an sd card was infected as well. Should I do the same thing for it? Can I do them at the same time or is it a better idea to do them one after the other (the USB then the SD card or vice versa)

**dvk01** · 08-Sep-2010, 06:06 AM **#15**

plug in anything that might be infected, so we can attempt to clean them at teh same time

with an SD card, it iis normally safer to format it to make sure but lets see if any malware does show on it or the external HD

Similar Threads
Title	Thread Starter	Forum	Replies	Last Post
Keylogger malware from hell?	mdev	Virus & Other Malware Removal	1	09-Jul-2010 01:12 AM
Solved: Windows Installation from USB drive?	Lone_Dawg	All Other Software	4	04-Mar-2009 12:24 PM
Solved: Computer trying to Boot from USB stick	MikeeF	Windows Vista	2	17-Feb-2009 12:12 PM
XP total lock out from USB virus	steampunk	Virus & Other Malware Removal	0	26-Nov-2008 02:17 PM
Solved: Unable to remove Malware from PC - help! :-)	bazzart	Virus & Other Malware Removal	9	10-Aug-2008 07:04 PM

Tag Cloud
access acer asus batch bios bsod computer crash desktop driver drivers error ethernet excel freeze gaming gpu hard drive hardware hdmi internet laptop malware memory modem monitor motherboard network printer problem ram registry router slow software sound trojan ubuntu 11.10 uninstall usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Search
Search for:

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!