
Ukash west yorkshire virus - can't remove with malwarebytes

Discussion in 'Virus & Other Malware Removal' started by Catherine-N, Sep 12, 2012.

Thread Status:
Not open for further replies.
    Catherine-N (Thread Starter)
    Joined: Sep 12, 2012
    Messages: 97
    Hi there,

    On Sunday (3 days ago) my machine came up with the Ukash West Yorkshire Police virus and I couldn't do anything other than shut down. I found on another site the suggestion to download the free version of Malwarebytes Anti-Malware and to run it in safe mode, which I did. This found around 15 or so problems and I removed them. I then logged off. Today, I logged on and for a few minutes was working in normal mode OK and then the Ukash virus locked me out again. I re-ran the Malwarebytes programme in safe mode and removed the viruses again. I then tried logging on as normal and I was able to work perfectly OK and it seemed to have worked. However, my internet connection is fairly rubbish and at that point was showing limited connection. Anyway, I thought I'd run the Malwarebytes programme in normal mode just to check everything had gone. After a while, I decided to fire up my Internet Explorer and then set it to repair my internet connection, which it did. A dialogue box then popped up saying a programme on my computer had corrupted my default setting provider for Internet Explorer and that it would fix it. I then got a Google page up and typed a search query in. As soon as the page started to search, I lost the whole bottom row of icons on my screen and then the Ukash virus popped up again and locked me out.

    I have followed the instructions on your site as best I can. I am a novice and apologise if I've completely misunderstood the things I should be doing and appear stupid. I did have a lot of problems trying to get the GMER thing to work: it didn't pop up and ask if I wanted to do a full scan, but didn't give me any option for anything else, so I ended up doing, I expect, a full scan as it took about 2 hours. Anyway, I tried again and fiddled around with the options on the top, and the autostart seemed to give a small amount of scan info, so I've saved that and hope that's the right bit to have done.

    I notice you recommend people update their virus packages regularly. I had just updated mine on Sunday so was really surprised to get a virus in the first place (I have the Microsoft Security Essentials package). I appreciate that my ability may mean that your advice is simply to dig deep and plod off to an IT person who you can pay to sort the problem out, but I thought I'd try this site first as it would be good to learn. I've pasted the files below as per your instructions and appreciate any help you can give me. Many thanks.

    hijack log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 14:56:09, on 12/09/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode with network support
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Desktop\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
    O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [WSManHTTPConfig] C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    --
    End of file - 5096 bytes

    DDS text file:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
    Internet Explorer: 8.0.6001.18702
    Run by Administrator at 14:58:20 on 2012-09-12
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.401 [GMT 1:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    uWindow Title = Microsoft Internet Explorer provided by Orange UK
    uInternet Settings,ProxyOverride = <local>
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Conime] %windir%\system32\conime.exe
    mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [WSManHTTPConfig] c:\documents and settings\administrator.catherin-zge1zi\local settings\application data\microsoft\windows\912\WSManHTTPConfig.exe
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: orange search - file://c:\program files\orange4\cache\SelectedContextSearch.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{E5845F11-365B-433F-BB6D-550870630CDB} : DhcpNameServer = 192.168.1.1
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]
    S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
    S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-7-29 65848]
    S1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_42020.sys [2012-8-11 228376]
    S1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-7-29 71480]
    S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-7-29 166840]
    S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-9-9 655944]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-7-29 976728]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-7 250056]
    S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys --> c:\windows\system32\drivers\emusba10.sys [?]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-9 22344]
    S3 RapportIaso;RapportIaso;c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-6-6 21520]
    S4 Everet_;Everet_;c:\windows\system32\drivers\ati1btxx.sys [2007-9-22 56623]
    .
    =============== Created Last 30 ================
    .
    2012-09-12 13:11:10 -------- dc----w- c:\documents and settings\administrator.catherin-zge1zi\application data\hellomoto
    2012-09-12 13:09:15 -------- dc----w- c:\program files\Microsoft Windows OneCare Live
    2012-09-09 15:41:01 -------- dc----w- c:\documents and settings\administrator.catherin-zge1zi\application data\Malwarebytes
    2012-09-09 15:40:54 -------- dc----w- c:\documents and settings\all users.windows\application data\Malwarebytes
    2012-09-09 15:40:53 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-09 15:40:53 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
    2012-09-09 14:40:17 7022536 -c--a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{105b1e4d-16fe-41ee-b877-4b0fa6322f9a}\mpengine.dll
    2012-09-07 17:43:32 7022536 -c--a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2012-08-29 19:58:01 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-29 19:58:00 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-29 19:52:38 65848 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys
    2012-07-06 13:58:51 78336 -c--a-w- c:\windows\system32\browser.dll
    2012-07-04 14:05:18 139784 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-03 13:40:15 1866112 -c--a-w- c:\windows\system32\win32k.sys
    2012-07-02 17:49:33 916992 -c--a-w- c:\windows\system32\wininet.dll
    2012-07-02 17:49:32 43520 -c--a-w- c:\windows\system32\licmgr10.dll
    2012-07-02 17:49:32 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
    2012-07-02 12:05:43 385024 -c--a-w- c:\windows\system32\html.iec
    .
    ============= FINISH: 14:59:08.81 ===============

    attach text file:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 22/09/2007 19:37:09
    System Uptime: 12/09/2012 14:43:39 (0 hours ago)
    .
    Motherboard: Dell Computer Corp. | | 02X378
    Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | Microprocessor | 1992/400mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 19 GiB total, 5.214 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1077: 01/09/2012 12:52:45 - Software Distribution Service 3.0
    RP1078: 02/09/2012 16:46:38 - Software Distribution Service 3.0
    RP1079: 05/09/2012 15:02:30 - Software Distribution Service 3.0
    RP1080: 07/09/2012 18:43:27 - Software Distribution Service 3.0
    RP1081: 09/09/2012 15:39:56 - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    ACDSee for PENTAX 3.0
    Adobe Acrobat 4.0
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 8.1.2
    Adobe Shockwave Player 11.5
    aiofw
    aioprnt
    aioscnnr
    AmpliTube LE
    C4USelfUpdater
    center
    Compatibility Pack for the 2007 Office system
    Critical Update for Windows Media Player 11 (KB959772)
    GEAR 32bit Driver Installer
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Extreme Graphics Driver
    Intel(R) PRO Ethernet Adapter and Software
    Java(TM) 6 Update 6
    KODAK AiO Home Centre
    ksDIP
    Malwarebytes Anti-Malware version 1.62.0.1300
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser
    NETGEAR WG111v2 wireless USB 2.0 adapter
    OGA Notifier 2.0.0048.0
    Orange Search Toolbar
    PreReq
    Rapport
    Safari
    SafeCast Shared Components
    Samsung PC Studio 3
    Samsung PC Studio 3 USB Driver Installer
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB2699988)
    Security Update for Windows Internet Explorer 8 (KB2722913)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2655992)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2691442)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB2698365)
    Security Update for Windows XP (KB2705219)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB2712808)
    Security Update for Windows XP (KB2718523)
    Security Update for Windows XP (KB2719985)
    Security Update for Windows XP (KB2723135)
    Security Update for Windows XP (KB2731847)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SoundMAX
    Uniblue PowerSuite
    Uniblue RegistryBooster
    Uniblue SpeedUpMyPC
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB968220)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676-v2)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB2718704)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    ViewSonic Monitor Drivers
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/09/2012 14:54:54, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.135.826.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8704.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
    12/09/2012 14:27:29, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.135.826.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8704.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    12/09/2012 13:27:40, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.135.826.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8704.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
    12/09/2012 13:27:39, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    12/09/2012 13:17:01, error: Dhcp [1002] - The IP address lease 192.168.1.9 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 10.106.183.65 (The DHCP Server sent a DHCPNACK message).
    12/09/2012 13:11:16, error: Dhcp [1002] - The IP address lease 192.168.1.10 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    09/09/2012 16:36:17, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter RapportKELL StarOpen
    09/09/2012 16:35:34, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    07/09/2012 18:32:18, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    05/09/2012 14:51:46, error: Service Control Manager [7003] - The Kodak AiO Network Discovery Service service depends on the following nonexistent service: Bonjour Service
    05/09/2012 14:51:44, error: Dhcp [1002] - The IP address lease 192.168.1.9 for the Network Card with network address 001B2F733B47 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================


    ark text file:

    GMER 1.0.15.15641 - http://www.gmer.net
    Autostart scan 2012-09-12 19:15:23
    Windows 5.1.2600 Service Pack 3

    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
    @UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
    @GinaDLLRtlGina2.dll = RtlGina2.dll
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
    dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll
    igfxcui@DLLName = igfxsrvc.dll
    WgaLogon@DLLName = WgaLogon.dll
    HKLM\SYSTEM\CurrentControlSet\Services\ >>>
    C-DillaCdaC11BA@ = C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    Kodak AiO Network Discovery Service@ = C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
    MBAMService@ = "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"
    MsMpSvc@ = "c:\Program Files\Microsoft Security Client\MsMpEng.exe"
    RapportMgmtService@ = "C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe"
    ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
    @HotKeysCmdsC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
    @Conime%windir%\system32\conime.exe = %windir%\system32\conime.exe
    @EKIJ5000StatusMonitorC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
    @MSC"c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey = "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    @WSManHTTPConfigC:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe = C:\Documents and Settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe
    @Malwarebytes' Anti-Malware"C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray = "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
    @ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    @MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
    @{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) =
    @{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
    @{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
    @{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
    @{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
    @{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL = C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
    @{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
    @{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
    @{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll
    @{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
    @{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
    @{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
    @{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/(null) =
    @{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
    @{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
    @{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
    @{11016101-E366-4D22-BC06-4ADA335C892B} /*IE History and Feeds Shell Data Source for Windows Search*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{8856f961-340a-11d0-a96b-00c04fd705a2} /*Microsoft Web Browser*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
    @{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
    @{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
    @{09A47860-11B0-4DA5-AFA5-26D86198A780} /*EPP*/c:\PROGRA~1\MI239C~1\shellext.dll = c:\PROGRA~1\MI239C~1\shellext.dll
    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\EPP@{09A47860-11B0-4DA5-AFA5-26D86198A780} = c:\PROGRA~1\MI239C~1\shellext.dll
    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\EPP@{09A47860-11B0-4DA5-AFA5-26D86198A780} = c:\PROGRA~1\MI239C~1\shellext.dll
    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
    @{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    @{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll = C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    HKLM\Software\Microsoft\Internet Explorer\Main >>>
    @Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
    @Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
    @Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
    HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.google.co.uk/
    HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
    dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
    its@CLSID = C:\WINDOWS\System32\itss.dll
    lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
    mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
    ms-its@CLSID = C:\WINDOWS\System32\itss.dll
    mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
    mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
    tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
    HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll
    ---- EOF - GMER 1.0.15 ----


    Many thanks.
     
  2. Catherine-N

    Catherine-N Thread Starter

    Joined:
    Sep 12, 2012
    Messages:
    97
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,669
    Please visit Combofix Guide & Instructions for instructions for installing the Recovery Console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

    Post the log from ComboFix when you've accomplished that.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices (don't worry, the keyboard and mouse will still function) to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
     
  4. Catherine-N

    Catherine-N Thread Starter

    Joined:
    Sep 12, 2012
    Messages:
    97
    Thanks Cookiegirl.

    I followed the steps & two things*

1. When it reached the stage where it was going to auto-show the log, it took my PC out of safe mode and then the Ukash screen came up again and locked me out.

    I shut down & restarted in safe mode again. I looked in C/puppy and am guessing the most recently created file is the one I should paste


2. When I logged on to Tech Guy in safe mode I discovered I have lost my keyboard - an e comes out as French accented, t doesn't do anything, i and a both have accents on them...

I'm going to type the log in manually from my iPhone, so I hope I've got the spaces and returns & whatnot right. Here goes anyway!!

    ComboFix 12-09-18.07 - Administrator 19/09/2012. 18:33:25.1.1 - x86 NETWORK
    Microsoft Windows XP Professional. 5.1.2600.3.1252.1.1033.18.766.517 [GMT 1:00]=Running from: C:\Documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBC}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}


    (((((((((((((((((((((((((((((((((((((((. *Other Deletions. *)))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL0436.tmp
    C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL0717.tmp
    C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL1193.tmp
    C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL2012.tmp
    C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\My Documents\~WRL3307.tmp
    C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\Recent\Thumbs.db
    C:\Documents and Settings\Administrator.CATHERIN.ZGE1ZI\WINDOWS
    C:\Documents and Settings\All Users.WINDOWS\Application Data\xmlD.tmp
    C:\Documents and Settings\All Users.WINDOWS\Application Data\xmlE.tmp
    C:\Documents and Settings\All Users.WINDOWS\Application Data\xmlF.tmp
    C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.1.0.inf
    C:\WINDOWS\system32\RtlGina2.dll
    C:\WINDOWS\system32\SET33.tmp
    C:\WINDOWS\system32\SET37.tmp
    C:\WINDOWS\system32\SET3F.tmp


    Ok think that was it. Thanks for your help!
     
  5. Catherine-N

    Catherine-N Thread Starter

    Joined:
    Sep 12, 2012
    Messages:
    97
    Ps - sorry - Cookiegal...:)
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,669
    There would be much more to the log than that. It would be located at C:\combofix.txt.
     
  7. Catherine-N

    Catherine-N Thread Starter

    Joined:
    Sep 12, 2012
    Messages:
    97
    Thanks Cookiegal - but that was the name of the file...just located in C:\puppy\combofix.txt - which I figured was because I'd saved the programme as puppy?

    I've just logged on again anyway and done a search of combofix.txt and the only file that came up is that one in the puppy folder on the C drive. What's weird is that my keyboard is working again now!

Could it be because the ComboFix didn't get to automatically open the file and the Ukash virus screen came on again that maybe it didn't complete the process? Or maybe part of the file got wiped?

Should I run the ComboFix again? Is there any way I can ensure it restarts in safe mode, as otherwise the virus just stops it completing?

Appreciate your help & advice.
    Thanks
    Catherine.
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,669
    The log should not be in the puppy folder. It should be in the root (C:) drive.

    Download and run the following tool to help allow other programs to run. (Courtesy of BleepingComputer.com)
    There are 4 different versions. If one of them won't run then download and try to run the other one. Do not reboot after running this program.

    Vista and Win7 users need to right click and choose Run as Admin
    You only need to get one of them to run, not all of them.
    1. rkill.exe
    2. rkill.com
    3. rkill.scr
    4. rkill.pif

Then run ComboFix again please. Be sure to disable your security programs before running ComboFix.
     
  9. Catherine-N

    Catherine-N Thread Starter

    Joined:
    Sep 12, 2012
    Messages:
    97
    Ok - seems to have worked with the first link - here's the file that popped up:

    ComboFix 12-09-20.01 - Administrator 20/09/2012 16:16:15.2.1 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.446 [GMT 1:00]
    Running from: c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL0436.tmp
    c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL0717.tmp
    c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL1193.tmp
    c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL2012.tmp
    c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\My Documents\~WRL3307.tmp
    c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Recent\Thumbs.db
    c:\documents and settings\All Users.WINDOWS\Application Data\xmlD.tmp
    c:\documents and settings\All Users.WINDOWS\Application Data\xmlE.tmp
    c:\documents and settings\All Users.WINDOWS\Application Data\xmlF.tmp
    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
    c:\windows\system32\RtlGina2.dll
    c:\windows\system32\SET33.tmp
    c:\windows\system32\SET37.tmp
    c:\windows\system32\SET3F.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-20 to 2012-09-20 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-19 16:57 . 2012-08-22 23:15 7022536 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{84A1B710-62B5-47B1-B504-7784DA9D5136}\mpengine.dll
    2012-09-12 13:11 . 2012-09-12 13:32 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto
    2012-09-12 13:09 . 2012-09-12 13:09 -------- dc----w- c:\program files\Microsoft Windows OneCare Live
    2012-09-09 15:41 . 2012-09-09 15:41 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Malwarebytes
    2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
    2012-09-09 15:40 . 2012-07-03 12:46 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-09 14:40 . 2012-08-22 23:15 7022536 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-29 19:58 . 2012-05-07 10:15 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-29 19:58 . 2011-12-18 18:29 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-29 19:52 . 2012-07-29 19:52 65848 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys
    2012-07-06 13:58 . 2001-08-23 12:00 78336 -c--a-w- c:\windows\system32\browser.dll
    2012-07-04 14:05 . 2007-09-22 18:25 139784 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-03 13:40 . 2001-08-23 12:00 1866112 -c--a-w- c:\windows\system32\win32k.sys
    2012-07-02 17:49 . 2001-08-23 12:00 916992 -c--a-w- c:\windows\system32\wininet.dll
    2012-07-02 17:49 . 2001-08-23 12:00 43520 -c--a-w- c:\windows\system32\licmgr10.dll
    2012-07-02 17:49 . 2001-08-23 12:00 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
    2012-07-02 12:05 . 2007-09-22 19:10 385024 -c--a-w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
    "Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
    "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "WSManHTTPConfig"="c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe" [2012-09-09 89600]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
    "c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
    "c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
    "c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
    "c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\Kodak\\Installer\\Setup.exe"=
    "c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9322:TCP"= 9322:TCP:EKDiscovery
    "5353:UDP"= 5353:UDP:Bonjour Port 5353
    .
    R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [27/03/2006 17:53 167808]
    S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [29/07/2012 20:52 65848]
    S1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [11/08/2012 15:26 228376]
    S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [29/07/2012 20:52 71480]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [29/07/2012 20:52 166840]
    S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [13/09/2010 18:18 308656]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [09/09/2012 16:40 655944]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [29/07/2012 20:52 976728]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [07/05/2012 11:15 250056]
    S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\DRIVERS\emusba10.sys --> c:\windows\system32\DRIVERS\emusba10.sys [?]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [09/09/2012 16:40 22344]
    S3 RapportIaso;RapportIaso;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [06/06/2012 17:52 21520]
    S4 Everet_;Everet_;c:\windows\system32\drivers\ati1btxx.sys [22/09/2007 20:11 56623]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-09 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 19:58]
    .
    2012-09-19 c:\windows\Tasks\User_Feed_Synchronization-{13B53172-B98C-4AF0-AC9B-BD5D56344E2C}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: orange search - file://c:\program files\ORANGE4\Cache\SelectedContextSearch.htm
    TCP: DhcpNameServer = 192.168.1.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-09-20 16:26
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,44,22,f2,ee,ea,06,46,92,8a,c5,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,c8,4e,54,da,d8,7b,42,80,f8,6f,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,13,2f,59,e9,78,d7,52,47,b9,53,cb,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(184)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL
    .
    Completion time: 2012-09-20 16:29:12
    ComboFix-quarantined-files.txt 2012-09-20 15:29
    .
    Pre-Run: 5,552,099,328 bytes free
    Post-Run: 5,539,196,928 bytes free
    .
    - - End Of File - - 612E1057337AFC23909419E1B839D164
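As an added example (not part of this thread, and not ComboFix's or Malwarebytes' own code): a small Python triage script for the "Reg Loading Points" and service/driver lines in a ComboFix log like the one above. It parses the `"Name"="path" [date size]` Run values and the `S2 Name;Description;path [date time size]` service lines, then flags two things an analyst reading such a log looks at first: autostart binaries that sit outside the Windows and Program Files directories (user profiles, All Users\Application Data and the like), and services whose file ComboFix could not read on disk (logged with `[?]` in place of the timestamp and size). The flags are a location heuristic for what to examine more closely, not a verdict on any entry; the sample lines are constructed to match the log format, and every `Example*` name and path is made up.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the format of ComboFix's "Reg Loading Points" and
# service/driver lines. The Example* names and paths are made up for this example.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"ExampleUpdater"="c:\documents and settings\ExampleUser\Local Settings\Application Data\Microsoft\Windows\1234\ExampleUpdater.exe" [2012-09-09 89600]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
S2 ExampleSvc;Example Service;c:\program files\Example\examplesvc.exe [09/09/2012 16:40 655944]
S3 exampledrv;Example Driver;c:\windows\system32\DRIVERS\exampledrv.sys --> c:\windows\system32\DRIVERS\exampledrv.sys [?]
S1 ExampleKM;ExampleKM;c:\documents and settings\All Users.WINDOWS\Application Data\Example\store\examplekm.sys [11/08/2012 15:26 228376]
"""

# [HKEY_...\Run] section header
KEY_HEADER = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
# "Name"="path" [YYYY-MM-DD size]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$')
# S2 Name;Description;path [dd/mm/yyyy hh:mm size]   or   ... path --> path [?]
SERVICE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)"
    r"(?:\s+-->\s+.+?)?\s*\[(?P<meta>[^\]]*)\]$"
)

# Roots where autostart binaries normally live on an XP box. Anything else
# (user profiles, All Users\Application Data, temp folders) gets a closer look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Autostart:
    kind: str       # "run" for a Run value, "service" for a service/driver line
    location: str   # registry key for run values, start type (S0..S4, R3) for services
    name: str
    path: str
    meta: str       # timestamp/size as logged; "?" when ComboFix could not read the file
    flags: List[str] = field(default_factory=list)


def parse_autostarts(text: str) -> List[Autostart]:
    """Parse Run values and service lines from ComboFix-style log text."""
    entries: List[Autostart] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_HEADER.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = RUN_VALUE.match(line)
        if m:
            entries.append(Autostart("run", current_key, m.group("name"), m.group("path"),
                                     f'{m.group("date")} {m.group("size")}'))
            continue
        m = SERVICE.match(line)
        if m:
            entries.append(Autostart("service", m.group("start"), m.group("name"),
                                     m.group("path"), m.group("meta")))
    return entries


def triage(entries: List[Autostart]) -> List[Autostart]:
    """Attach review flags and return only the entries that received one."""
    for e in entries:
        if not e.path.lower().startswith(TRUSTED_ROOTS):
            e.flags.append("binary outside Windows/Program Files")
        if e.kind == "service" and e.meta == "?":
            e.flags.append("service file could not be read on disk")
    return [e for e in entries if e.flags]


def flagged_names(text: str) -> List[str]:
    """Names of the flagged entries, in log order."""
    return [e.name for e in triage(parse_autostarts(text))]


if __name__ == "__main__":
    for e in triage(parse_autostarts(SAMPLE_LOG)):
        print(f"{e.kind:7} {e.location:<60} {e.name}: {', '.join(e.flags)}")
        print(f"        {e.path}")
```

Run against the sample, it flags `ExampleUpdater` and `ExampleKM` for their location and `exampledrv` for the unreadable file; legitimate software does sometimes install under All Users\Application Data, so a location flag means "verify the publisher and the file", not "remove".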
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,669
    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    Folder::
    c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto
     
    Save the file to your desktop and name it CFScript.txt

    Referring to the picture below, drag CFScript.txt into ComboFix.exe

    [IMG]


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.
     
  11. Catherine-N

    Catherine-N Thread Starter

    Joined:
    Sep 12, 2012
    Messages:
    97
    Hi Cookiegal - ok - followed your instructions - here's the log it created:

    ComboFix 12-09-20.03 - Administrator 21/09/2012 19:38:23.3.1 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.443 [GMT 1:00]
    Running from: c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\puppy.exe
    Command switches used :: c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto
    c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto\BukF.dat
    c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\hellomoto\TujP.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-21 to 2012-09-21 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-20 15:13 . 2012-09-20 15:29 -------- dc----w- C:\puppy
    2012-09-19 16:57 . 2012-08-22 23:15 7022536 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{84A1B710-62B5-47B1-B504-7784DA9D5136}\mpengine.dll
    2012-09-12 13:09 . 2012-09-12 13:09 -------- dc----w- c:\program files\Microsoft Windows OneCare Live
    2012-09-09 15:41 . 2012-09-09 15:41 -------- dc----w- c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Application Data\Malwarebytes
    2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2012-09-09 15:40 . 2012-09-09 15:40 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
    2012-09-09 15:40 . 2012-07-03 12:46 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-09 14:40 . 2012-08-22 23:15 7022536 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-29 19:58 . 2012-05-07 10:15 426184 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-29 19:58 . 2011-12-18 18:29 70344 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-29 19:52 . 2012-07-29 19:52 65848 -c--a-w- c:\windows\system32\drivers\RapportKELL.sys
    2012-07-06 13:58 . 2001-08-23 12:00 78336 -c--a-w- c:\windows\system32\browser.dll
    2012-07-04 14:05 . 2007-09-22 18:25 139784 -c--a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-07-03 13:40 . 2001-08-23 12:00 1866112 -c--a-w- c:\windows\system32\win32k.sys
    2012-07-02 17:49 . 2001-08-23 12:00 916992 -c--a-w- c:\windows\system32\wininet.dll
    2012-07-02 17:49 . 2001-08-23 12:00 43520 -c--a-w- c:\windows\system32\licmgr10.dll
    2012-07-02 17:49 . 2001-08-23 12:00 1469440 -c--a-w- c:\windows\system32\inetcpl.cpl
    2012-07-02 12:05 . 2007-09-22 19:10 385024 -c--a-w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
    "Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
    "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "WSManHTTPConfig"="c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe" [2012-09-09 89600]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
    "c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
    "c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
    "c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
    "c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\Kodak\\Installer\\Setup.exe"=
    "c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9322:TCP"= 9322:TCP:EKDiscovery
    "5353:UDP"= 5353:UDP:Bonjour Port 5353
    .
    R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [27/03/2006 17:53 167808]
    S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [29/07/2012 20:52 65848]
    S1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [11/08/2012 15:26 228376]
    S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [29/07/2012 20:52 71480]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [29/07/2012 20:52 166840]
    S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [13/09/2010 18:18 308656]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [09/09/2012 16:40 655944]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [29/07/2012 20:52 976728]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [07/05/2012 11:15 250056]
    S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\DRIVERS\emusba10.sys --> c:\windows\system32\DRIVERS\emusba10.sys [?]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [09/09/2012 16:40 22344]
    S3 RapportIaso;RapportIaso;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [06/06/2012 17:52 21520]
    S4 Everet_;Everet_;c:\windows\system32\drivers\ati1btxx.sys [22/09/2007 20:11 56623]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-09 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 19:58]
    .
    2012-09-19 c:\windows\Tasks\User_Feed_Synchronization-{13B53172-B98C-4AF0-AC9B-BD5D56344E2C}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: orange search - file://c:\program files\ORANGE4\Cache\SelectedContextSearch.htm
    TCP: DhcpNameServer = 192.168.1.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-09-21 19:48
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,44,22,f2,ee,ea,06,46,92,8a,c5,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,c8,4e,54,da,d8,7b,42,80,f8,6f,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,13,2f,59,e9,78,d7,52,47,b9,53,cb,\
    .
    Completion time: 2012-09-21 19:50:24
    ComboFix-quarantined-files.txt 2012-09-21 18:50
    ComboFix2.txt 2012-09-20 15:29
    .
    Pre-Run: 5,502,648,320 bytes free
    Post-Run: 5,530,439,680 bytes free
    .
    - - End Of File - - AA18AF5BFAFD49609C307D96222F2836
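    One way a helper triages a log like the one above: an added Python example (not from this thread, and not part of ComboFix) that parses the Run-key values in the "Reg Loading Points" section and flags the ones a reviewer would look at first. The sample excerpt is constructed from values in the post; the trusted/profile path roots, the digits-only-folder check and the infected_since date are my assumptions, and a flag means "check this", not "this is malware".

```python
import re

# Constructed excerpt in the layout of ComboFix's "Reg Loading Points" section;
# the values are copied from the log posted above (selection is mine).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"WSManHTTPConfig"="c:\documents and settings\Administrator.CATHERIN-ZGE1ZI\Local Settings\Application Data\Microsoft\Windows\912\WSManHTTPConfig.exe" [2012-09-09 89600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
"""

RUN_KEY_RE = re.compile(r'^\[(HK[^\]]+\\Run)\]$', re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2})\s+\d+\]$')
# Assumed "normal" install roots versus per-user profile roots (XP and later).
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')
PROFILE_ROOTS = ('c:\\documents and settings\\', 'c:\\users\\')

def parse_run_entries(log_text):
    """Return (key, name, path, date) for every value listed under a ...\\Run key."""
    entries, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith('['):          # registry key header; only ...\Run keys count
            m = RUN_KEY_RE.match(line)
            key = m.group(1) if m else None
            continue
        m = VALUE_RE.match(line)
        if key and m:
            entries.append((key,) + m.groups())
    return entries

def flag_suspicious(entries, infected_since):
    """Triage heuristic, not a verdict: returns (name, path, reasons) per flagged value."""
    flagged = []
    for _key, name, path, date in entries:
        p, reasons = path.lower(), []
        if p.startswith(PROFILE_ROOTS):
            reasons.append('binary lives in a user profile directory')
        elif not p.startswith(TRUSTED_ROOTS):
            reasons.append('binary lives outside Windows/Program Files')
        if re.search(r'\\\d+\\[^\\]+$', p):
            reasons.append('parent folder name is digits only')
        if date >= infected_since:        # ISO dates compare correctly as strings
            reasons.append('file dated on/after ' + infected_since)
        if reasons:
            flagged.append((name, path, reasons))
    return flagged
```

Running flag_suspicious(parse_run_entries(SAMPLE_LOG), '2012-09-09') singles out the WSManHTTPConfig value on all three counts, while the Windows, Program Files and Malwarebytes entries pass.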
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,669
    Download OTS.exe to your Desktop.
    1. Close any open browsers.
    2. If your Real protection or Antivirus interferes with OTS, allow it to run.
    3. Double-click on OTS.exe to start the program.
    4. At the top put a check mark in the box beside "Scan All Users".
    5. Under the Additional Scans section put a check in the box next to Disabled MS Config Items, NetSvcs and EventViewer logs (Last 10 errors)
    6. Now click the Run Scan button on the toolbar.
    7. Let it run unhindered until it finishes.
    8. When the scan is complete Notepad will open with the report file loaded in it.
    9. Save that notepad file.
    Use the Reply button, scroll down to the attachments section and attach the notepad file here.
     
  13. Catherine-N

    Catherine-N Thread Starter

    Joined:
    Sep 12, 2012
    Messages:
    97
    Good morning Cookiegal! Ok, followed the next steps and have attached the notepad file as instructed (well - at least I think I've attached it properly...)

    Have a great day!
     

    Attached Files:

    • OTS.Txt
      File size:
      68.2 KB
      Views:
      2
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,669
    Start OTS. Copy/Paste the information in the code box below into the pane where it says "Paste fix here" and then click the "Run Fix" button.

    The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here please.

    Code:
    [Kill All Processes]
    [Unregister Dlls]
    [Registry - Safe List]
    < Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\] > -> HKEY_USERS\S-1-5-21-1659004503-1897051121-682003330-500\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
    [Files/Folders - Created Within 30 Days]
    NY ->  5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY ->  1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp
    NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    [Files/Folders - Modified Within 30 Days]
    NY ->  5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY ->  1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp
    NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    [Empty Temp Folders]
    [EmptyFlash]
    [EmptyJava]
    [Start Explorer]
    [Reboot] 
     
  15. Catherine-N

    Catherine-N Thread Starter

    Joined:
    Sep 12, 2012
    Messages:
    97
    Hi Cookiegal - well I feel a bit depressed now... I followed the instructions and pasted the fix, but when it finished, a message box telling me it was finished didn't pop up and so the Notepad didn't open. What happened was a message popped up telling me the system required a reboot and did I want to etc - it didn't give me any option to say no, there was only one button I could click to continue, so had to let it reboot.

    Once back up and in safe mode, on the desktop I could see a new thing called Thumbs.db - I thought, maybe that's the text file and it's called db for some special reason. So I clicked on that and a message popped up saying something along the lines of I was attempting to open a certain sort of file and it was used for certain things and I could damage things if I went ahead and did I want to go ahead - so I clicked cancel as obviously it wasn't the text file & didn't want to damage anything.

    I then thought I'll do a search of all the files created today using .tx as my search reference. This came up with loads of txt files - 15 of them in the document & settings folders \ cookies. Then there was one file in the C:\windows folder called ntbtlog.txt (is that the one ?) and one called WGAErrlog.txt in the C:\Windows\temp folder and finally one txt file called drivetable.txt in C:\system volume information\_restore{a load of letters & numbers}

    Are any of those the file I need? Thanks, Catherine.
     
Short URL to this thread: https://techguy.org/1068691