Help - Page 5

Thread: Help

  1. #61
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    You did something wrong.
    You either copied my script from the email notification, or you didn't copy the entire script. Maybe you missed the colon in front of "Processes". Please retry.

  2. #62
    Join Date
    Jun 2009
    Posts
    97
    Broni

    Yes, I did copy your text, because I couldn't copy and paste.
    I am quite sure that I did copy your text exactly as you had written it, because I did double check that it was correct word for word.
    I will try again, but I am quite sure it was correct the first time around.

  3. #63
    Join Date
    Jun 2009
    Posts
    97
    All processes killed
    Error: Unable to interpret <rocessess> in the current context!
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\software\classes\explorerbar.fundyrector\ not found.
    Registry key HKEY_LOCAL_MACHINE\software\classes\interface\{480098C6-F6AD-4C61-9B5C-2BAE228A34D1}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{480098C6-F6AD-4C61-9B5C-2BAE228A34D1}\ not found.
    Registry delete failed. HKEY_LOCAL_MACHINE\software\classes\typelib\{883DFC00-8A21-411D-956C-73A4E4B7D16F}\ scheduled to be deleted on reboot.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{883DFC00-8A21-411D-956C-73A4E4B7D16F}\ not found.
    ========== FILES ==========
    File/Folder c:\windows\crpf.bin not found.
    File/Folder c:\windows\crpf_sdum.bin not found.
    File/Folder c:\windows\system32\SYSDRV.DAT not found.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: Owner
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: User
    ->Temp folder emptied: 1389982 bytes
    ->Temporary Internet Files folder emptied: 173318 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 32768 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 2.00 mb


    OTM by OldTimer - Version 3.1.15.0 log created on 07272010_024008

  4. #64
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    It looks like it worked this time....

    Re-run Combofix and post fresh log.

  5. #65
    Join Date
    Jun 2009
    Posts
    97
    ComboFix 10-07-29.02 - User 30/07/2010 13:47:51.3.1 - x86
    Running from: c:\documents and settings\User\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\qmgr.dll . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

    Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
    Restored copy from - c:\system volume information\_restore{4E4144CD-9D04-4E0D-BD67-CC74AA9FB4C6}\RP319\A0238643.dll
    .
    ((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))
    .

    2102-01-04 02:08 . 2102-01-04 02:08 253688 -c--a-w- c:\windows\system32\cssdll32.dll
    2102-01-04 02:07 . 2009-11-20 08:12 -------- dc----w- c:\program files\COMODO
    2102-01-03 13:32 . 2102-01-03 13:32 -------- dc----w- c:\program files\Trend Micro
    2102-01-02 01:39 . 2102-01-02 01:39 -------- dc----w- c:\documents and settings\User\Application Data\Malwarebytes
    2102-01-02 01:33 . 2009-06-17 11:27 38160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2102-01-02 01:33 . 2102-01-02 01:39 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
    2102-01-02 01:33 . 2102-01-02 01:33 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2102-01-02 01:33 . 2009-06-17 11:27 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2102-01-01 14:51 . 2102-01-03 15:06 117760 -c--a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2102-01-01 14:50 . 2102-01-01 14:50 -------- dc----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2102-01-01 14:50 . 2102-01-01 14:50 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
    2102-01-01 14:44 . 2010-03-25 14:51 117760 -c--a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2102-01-01 14:44 . 2102-01-01 14:44 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2102-01-01 14:40 . 2102-01-03 18:55 -------- dc----w- c:\program files\SUPERAntiSpyware
    2102-01-01 14:40 . 2102-01-01 14:40 -------- dc----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
    2102-01-01 14:39 . 2102-01-01 14:39 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
    2010-07-25 13:13 . 2010-07-25 13:13 89261 -c--a-w- C:\ComboFix.zip
    2010-07-19 14:04 . 2002-08-29 12:00 89600 -c--a-w- c:\windows\system32\slbiop.dll
    2010-07-19 14:03 . 2002-08-29 12:00 774144 -c--a-w- c:\windows\system32\mmc.exe
    2010-07-19 14:02 . 2002-08-29 12:00 9216 -c--a-w- c:\windows\system32\icaapi.dll
    2010-07-19 14:01 . 2002-08-29 12:00 50620 -c--a-w- c:\windows\system32\command.com
    2010-07-07 05:55 . 2010-07-07 05:55 168792 -c--a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-07-01 11:07 . 2010-07-01 11:07 434176 -c--a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2102-01-03 19:47 . 2009-06-15 02:17 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
    2010-07-20 12:39 . 2008-11-18 12:53 -------- dc----w- c:\program files\Vuze
    2010-07-20 12:39 . 2008-11-18 12:53 -------- dc----w- c:\documents and settings\User\Application Data\Azureus
    2010-07-19 05:38 . 2009-06-20 20:57 1474832 -c--a-w- c:\windows\system32\drivers\sfi.dat
    2010-07-18 19:33 . 2010-07-18 19:33 7970816 -c--a-w- c:\documents and settings\User\ntuser.tmp
    2010-07-13 08:15 . 2008-11-21 13:27 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-07-12 17:37 . 2008-11-24 05:43 44780 -c--a-w- c:\documents and settings\User\Application Data\wklnhst.dat
    2010-07-10 07:12 . 2009-11-30 11:50 -------- dc----w- c:\documents and settings\User\Application Data\vlc
    2010-06-25 16:25 . 2010-06-25 16:21 -------- dc----w- c:\program files\Gran Diccionario Oxford
    2010-06-24 20:38 . 2009-05-29 06:43 17659 -c--a-w- c:\windows\system32\drivers\InetLock.sys
    2010-06-24 17:14 . 2010-06-24 17:11 -------- dc----w- c:\program files\Atomic Alarm Clock
    2010-06-19 10:26 . 2010-06-19 10:25 -------- dc----w- c:\program files\WorldUnlock Codes Calculator
    2010-05-15 10:20 . 2008-11-18 10:33 75088 -c--a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2002-04-16 11:27 . 2002-04-16 11:27 5 -csha-w- c:\windows\system32\CdI5T.drv
    .

    ------- Sigcheck -------

    Cryptography Services Error !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2009-03-13 572928]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-08-02 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-05-19 37888]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-01-28 1800464]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\SopCast\\SopCast.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=

    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-02-13 134344]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-06-17 38160]
    R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-03-19 136704]
    R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-03-19 8320]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-05-26 7408]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2004-11-03 267136]
    S0 CFRMD;CFRMD;c:\windows\system32\drivers\cfrmd.sys [2009-10-27 132424]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-01-28 25160]
    S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-01 59240]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-07-01 166632]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-05-26 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-05-26 72944]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-07-01 840936]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    vvdsvc REG_MULTI_SZ vvdsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.msn.co.uk/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {8E825BF4-22A0-45C0-97BC-63D13655E7DD} = 194.168.4.100,194.168.8.100
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\AskBarDis\bar\bin\askBar.dll
    Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll
    WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-30 14:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\ExplorerBar.FunRedirector\CLSID]
    @DACL=(02 0000)
    @="{CDBFB47B-58A8-4111-BF95-06178DCE326D}"

    [HKEY_LOCAL_MACHINE\software\Classes\ExplorerBar.FunRedirector\CurVer]
    @DACL=(02 0000)
    @="ExplorerBar.FunRedirector.1"

    [HKEY_LOCAL_MACHINE\software\Classes\ExplorerBar.FunRedirector.1\CLSID]
    @DACL=(02 0000)
    @="{CDBFB47B-58A8-4111-BF95-06178DCE326D}"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(828)
    c:\windows\System32\ODBC32.dll
    c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    c:\windows\System32\msctfime.ime

    - - - - - - - > 'lsass.exe'(892)
    c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

    - - - - - - - > 'explorer.exe'(4880)
    c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    c:\program files\Trusteer\Rapport\bin\rooksbas.dll
    c:\windows\System32\msctfime.ime
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Windows Desktop Search\WindowsSearch.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-30 14:42:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-30 13:42

    Pre-Run: 2,179,133,440 bytes free
    Post-Run: 2,198,298,624 bytes free

    - - End Of File - - 37B5B646915592780745383102127E7C

  6. #66
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Please check if your computer date is correct.

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\ExplorerBar.FunRedirector]

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
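
The triage script below is an added example, not code from this thread or from ComboFix's author; its function names are mine and SAMPLE_LOG is constructed from lines of the log posted above. It does by script what is done here by eye: flags "Files Created" entries stamped after the day the scan ran (the reason to ask whether the computer date is right), reads the Security Center override values, collects the keys under LOCKED REGISTRY KEYS, and writes them out in the RegLockDel:: form of the CFScript.txt used in this post.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
ComboFix 10-07-29.02 - User 30/07/2010 13:47:51.3.1 - x86
.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))
.
2102-01-04 02:08 . 2102-01-04 02:08 253688 -c--a-w- c:\windows\system32\cssdll32.dll
2102-01-04 02:07 . 2009-11-20 08:12 -------- dc----w- c:\program files\COMODO
2010-07-25 13:13 . 2010-07-25 13:13 89261 -c--a-w- C:\ComboFix.zip
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\ExplorerBar.FunRedirector\CLSID]
@DACL=(02 0000)
@="{CDBFB47B-58A8-4111-BF95-06178DCE326D}"

[HKEY_LOCAL_MACHINE\software\Classes\ExplorerBar.FunRedirector.1\CLSID]
@DACL=(02 0000)
@="{CDBFB47B-58A8-4111-BF95-06178DCE326D}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# Header line carries the scan date as dd/mm/yyyy (the poster's locale, as in the thread).
HEADER_RE = re.compile(r"^ComboFix \S+ - .+? (\d{2})/(\d{2})/(\d{4}) ")
# "Files Created" entry: created-stamp . modified-stamp size attrs path
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} +\S+ +\S+ +(.+)$"
)
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def scan_date(log: str) -> datetime:
    """Day the scan ran, read from the ComboFix header line."""
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            day, month, year = (int(g) for g in m.groups())
            return datetime(year, month, day)
    raise ValueError("no ComboFix header line found")


def future_dated_entries(log: str) -> list:
    """'Files Created' entries stamped after the scan day: either the clock was wrong
    when they were written or the stamp was set on purpose; ask before trusting them."""
    cutoff = scan_date(log).date()
    hits = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m and datetime.strptime(m.group(1), "%Y-%m-%d").date() > cutoff:
            hits.append((m.group(1) + " " + m.group(2), m.group(3)))
    return hits


def security_center_overrides(log: str) -> dict:
    """dword values under the Security Center key; a 1 silences the missing
    antivirus/firewall warning instead of fixing the cause."""
    values, inside = {}, False
    for line in log.splitlines():
        k = KEY_RE.match(line)
        if k:
            inside = k.group(1).lower() == r"hkey_local_machine\software\microsoft\security center"
            continue
        v = DWORD_RE.match(line) if inside else None
        if v:
            values[v.group(1)] = int(v.group(2), 16)
    return values


def locked_registry_keys(log: str) -> list:
    """Keys listed under LOCKED REGISTRY KEYS, up to the next section banner."""
    keys, inside = [], False
    for line in log.splitlines():
        if "LOCKED REGISTRY KEYS" in line:
            inside = True
            continue
        if inside and line.startswith("-----"):
            break
        k = KEY_RE.match(line) if inside else None
        if k:
            keys.append(k.group(1))
    return keys


def reglockdel_script(keys) -> str:
    """CFScript.txt body in the RegLockDel:: form used in this thread, one key per line."""
    return "RegLockDel::\n" + "".join(f"[{k}]\n" for k in keys)


if __name__ == "__main__":
    print(future_dated_entries(SAMPLE_LOG), security_center_overrides(SAMPLE_LOG))
    print(reglockdel_script(locked_registry_keys(SAMPLE_LOG)))
```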

  7. #67
    Join Date
    Jun 2009
    Posts
    97
    Broni
    I have followed everything exactly to the letter, but as I have posted in a previous post, I cannot drag anything anywhere on the desktop of the infected computer.
    I zip the logs that you tell me to copy onto my USB, then extract them to the infected computer, but I am still unable to drag anything into ComboFix.

  8. #68
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Run script from command line:

    Click Start > Run and copy/paste the following line in the runbox and press enter:

    combofix "%userprofile%\desktop\cfscript.txt"

    Note. CFScript.txt MUST be located on the desktop for this to work.

  9. #69
    Join Date
    Jun 2009
    Posts
    97
    Broni
    Thanks for all your help.
    You must realise from my earlier posts that I have no task bar or Start on my computer.
    I cannot drag anything anywhere.
    Perhaps you know of some other way for me to do this.
    I have done some research and tried Ctrl+Esc, which should bring up the Start menu, but this does not work either.
    Thanks

  10. #70
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Does CTRL+ALT+DEL bring up Task Manager?
    If so, click on "New Task" and you can run my command from there.

  11. #71
    Join Date
    Jun 2009
    Posts
    97
    ComboFix 10-07-29.02 - User 01/08/2010 9:53.4.1 - x86
    Running from: c:\documents and settings\User\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\User\desktop\cfscript.txt
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\qmgr.dll . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

    Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
    Restored copy from - c:\system volume information\_restore{4E4144CD-9D04-4E0D-BD67-CC74AA9FB4C6}\RP319\A0238643.dll
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
    .

    2102-01-04 02:08 . 2102-01-04 02:08 253688 -c--a-w- c:\windows\system32\cssdll32.dll
    2102-01-04 02:07 . 2009-11-20 08:12 -------- dc----w- c:\program files\COMODO
    2102-01-03 13:32 . 2102-01-03 13:32 -------- dc----w- c:\program files\Trend Micro
    2102-01-02 01:39 . 2102-01-02 01:39 -------- dc----w- c:\documents and settings\User\Application Data\Malwarebytes
    2102-01-02 01:33 . 2009-06-17 11:27 38160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2102-01-02 01:33 . 2102-01-02 01:39 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
    2102-01-02 01:33 . 2102-01-02 01:33 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2102-01-02 01:33 . 2009-06-17 11:27 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2102-01-01 14:51 . 2102-01-03 15:06 117760 -c--a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2102-01-01 14:50 . 2102-01-01 14:50 -------- dc----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2102-01-01 14:50 . 2102-01-01 14:50 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
    2102-01-01 14:44 . 2010-03-25 14:51 117760 -c--a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2102-01-01 14:44 . 2102-01-01 14:44 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2102-01-01 14:40 . 2102-01-03 18:55 -------- dc----w- c:\program files\SUPERAntiSpyware
    2102-01-01 14:40 . 2102-01-01 14:40 -------- dc----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
    2102-01-01 14:39 . 2102-01-01 14:39 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
    2010-07-31 18:04 . 2010-07-31 18:04 72704 -c--a-w- c:\documents and settings\User\Application Data\Azureus\updates\inst_1\aereg.dll
    2010-07-31 18:04 . 2010-07-31 18:04 348160 -c--a-w- c:\documents and settings\User\Application Data\Azureus\updates\inst_1\msvcr71.dll
    2010-07-31 18:04 . 2010-07-31 18:04 227328 -c--a-w- c:\documents and settings\User\Application Data\Azureus\updates\inst_1\Azureus.exe
    2010-07-31 18:04 . 2010-07-31 18:04 199616 -c--a-w- c:\documents and settings\User\Application Data\Azureus\updates\inst_1\AzureusUpdater.exe
    2010-07-31 06:49 . 2010-07-31 06:49 503808 -c--a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6ee14bda-n\msvcp71.dll
    2010-07-31 06:49 . 2010-07-31 06:49 499712 -c--a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6ee14bda-n\jmc.dll
    2010-07-31 06:49 . 2010-07-31 06:49 348160 -c--a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6ee14bda-n\msvcr71.dll
    2010-07-25 13:13 . 2010-07-25 13:13 89261 -c--a-w- C:\ComboFix.zip
    2010-07-19 14:04 . 2002-08-29 12:00 89600 -c--a-w- c:\windows\system32\slbiop.dll
    2010-07-19 14:03 . 2002-08-29 12:00 774144 -c--a-w- c:\windows\system32\mmc.exe
    2010-07-19 14:02 . 2002-08-29 12:00 9216 -c--a-w- c:\windows\system32\icaapi.dll
    2010-07-19 14:01 . 2002-08-29 12:00 50620 -c--a-w- c:\windows\system32\command.com
    2010-07-07 05:55 . 2010-07-07 05:55 168792 -c--a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2102-01-03 19:47 . 2009-06-15 02:17 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
    2010-07-31 18:10 . 2008-11-18 12:53 -------- dc----w- c:\documents and settings\User\Application Data\Azureus
    2010-07-31 18:04 . 2009-11-30 11:50 -------- dc----w- c:\documents and settings\User\Application Data\vlc
    2010-07-20 12:39 . 2008-11-18 12:53 -------- dc----w- c:\program files\Vuze
    2010-07-19 05:38 . 2009-06-20 20:57 1474832 -c--a-w- c:\windows\system32\drivers\sfi.dat
    2010-07-18 19:33 . 2010-07-18 19:33 7970816 -c--a-w- c:\documents and settings\User\ntuser.tmp
    2010-07-13 08:15 . 2008-11-21 13:27 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-07-12 17:37 . 2008-11-24 05:43 44780 -c--a-w- c:\documents and settings\User\Application Data\wklnhst.dat
    2010-07-01 11:07 . 2010-07-01 11:07 434176 -c--a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
    2010-06-25 16:25 . 2010-06-25 16:21 -------- dc----w- c:\program files\Gran Diccionario Oxford
    2010-06-24 20:38 . 2009-05-29 06:43 17659 -c--a-w- c:\windows\system32\drivers\InetLock.sys
    2010-06-24 17:14 . 2010-06-24 17:11 -------- dc----w- c:\program files\Atomic Alarm Clock
    2010-06-19 10:26 . 2010-06-19 10:25 -------- dc----w- c:\program files\WorldUnlock Codes Calculator
    2010-05-15 10:20 . 2008-11-18 10:33 75088 -c--a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2002-04-16 11:27 . 2002-04-16 11:27 5 -csha-w- c:\windows\system32\CdI5T.drv
    .

    ------- Sigcheck -------

    Cryptography Services Error !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-07-30_13.37.18 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-08-01 09:49 . 2010-08-01 09:49 16384 c:\windows\Temp\Perflib_Perfdata_13c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2009-03-13 572928]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-08-02 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-05-19 37888]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-01-28 1800464]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\SopCast\\SopCast.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=

    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-02-13 134344]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-06-17 38160]
    R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-03-19 136704]
    R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-03-19 8320]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-05-26 7408]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2004-11-03 267136]
    S0 CFRMD;CFRMD;c:\windows\system32\drivers\cfrmd.sys [2009-10-27 132424]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-01-28 25160]
    S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-01 59240]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-07-01 166632]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-05-26 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-05-26 72944]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-07-01 840936]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    vvdsvc REG_MULTI_SZ vvdsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.msn.co.uk/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {8E825BF4-22A0-45C0-97BC-63D13655E7DD} = 194.168.4.100,194.168.8.100
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-01 10:53
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\ExplorerBar.FunRedirector.1\CLSID]
    @DACL=(02 0000)
    @="{CDBFB47B-58A8-4111-BF95-06178DCE326D}"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(828)
    c:\windows\System32\ODBC32.dll
    c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    c:\windows\System32\msctfime.ime

    - - - - - - - > 'lsass.exe'(892)
    c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

    - - - - - - - > 'explorer.exe'(4592)
    c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    c:\program files\Trusteer\Rapport\bin\rooksbas.dll
    c:\windows\System32\msctfime.ime
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Windows Desktop Search\WindowsSearch.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-01 10:55:03 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-01 09:55
    ComboFix2.txt 2010-07-30 13:49

    Pre-Run: 2,176,405,504 bytes free
    Post-Run: 2,184,323,072 bytes free

    - - End Of File - - C9E19C23A61738ED618FA76A26235564

  12. #72
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Use the same method to run ComboFix one more time...

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\ExplorerBar.FunRedirector.1\CLSID]

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt

  13. #73
    Join Date
    Jun 2009
    Posts
    97
    ComboFix 10-08-01.02 - User 02/08/2010 12:04:04.5.1 - x86
    Running from: c:\documents and settings\User\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\User\desktop\cfscript.txt
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\qmgr.dll . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

    Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
    Restored copy from - c:\system volume information\_restore{4E4144CD-9D04-4E0D-BD67-CC74AA9FB4C6}\RP319\A0238643.dll
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-02 to 2010-08-02 )))))))))))))))))))))))))))))))
    .

    2102-01-04 02:08 . 2102-01-04 02:08 253688 -c--a-w- c:\windows\system32\cssdll32.dll
    2102-01-04 02:07 . 2009-11-20 08:12 -------- dc----w- c:\program files\COMODO
    2102-01-03 13:32 . 2102-01-03 13:32 -------- dc----w- c:\program files\Trend Micro
    2102-01-02 01:39 . 2102-01-02 01:39 -------- dc----w- c:\documents and settings\User\Application Data\Malwarebytes
    2102-01-02 01:33 . 2009-06-17 11:27 38160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2102-01-02 01:33 . 2102-01-02 01:39 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
    2102-01-02 01:33 . 2102-01-02 01:33 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2102-01-02 01:33 . 2009-06-17 11:27 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2102-01-01 14:51 . 2102-01-03 15:06 117760 -c--a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2102-01-01 14:50 . 2102-01-01 14:50 -------- dc----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2102-01-01 14:50 . 2102-01-01 14:50 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
    2102-01-01 14:44 . 2010-03-25 14:51 117760 -c--a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2102-01-01 14:44 . 2102-01-01 14:44 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2102-01-01 14:40 . 2102-01-03 18:55 -------- dc----w- c:\program files\SUPERAntiSpyware
    2102-01-01 14:40 . 2102-01-01 14:40 -------- dc----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
    2102-01-01 14:39 . 2102-01-01 14:39 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard
    2010-07-31 18:04 . 2010-07-31 18:04 72704 -c--a-w- c:\documents and settings\User\Application Data\Azureus\updates\inst_1\aereg.dll
    2010-07-31 18:04 . 2010-07-31 18:04 348160 -c--a-w- c:\documents and settings\User\Application Data\Azureus\updates\inst_1\msvcr71.dll
    2010-07-31 18:04 . 2010-07-31 18:04 227328 -c--a-w- c:\documents and settings\User\Application Data\Azureus\updates\inst_1\Azureus.exe
    2010-07-31 18:04 . 2010-07-31 18:04 199616 -c--a-w- c:\documents and settings\User\Application Data\Azureus\updates\inst_1\AzureusUpdater.exe
    2010-07-31 06:49 . 2010-07-31 06:49 503808 -c--a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6ee14bda-n\msvcp71.dll
    2010-07-31 06:49 . 2010-07-31 06:49 499712 -c--a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6ee14bda-n\jmc.dll
    2010-07-31 06:49 . 2010-07-31 06:49 348160 -c--a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6ee14bda-n\msvcr71.dll
    2010-07-25 13:13 . 2010-07-25 13:13 89261 -c--a-w- C:\ComboFix.zip
    2010-07-19 14:04 . 2002-08-29 12:00 89600 -c--a-w- c:\windows\system32\slbiop.dll
    2010-07-19 14:03 . 2002-08-29 12:00 774144 -c--a-w- c:\windows\system32\mmc.exe
    2010-07-19 14:02 . 2002-08-29 12:00 9216 -c--a-w- c:\windows\system32\icaapi.dll
    2010-07-19 14:01 . 2002-08-29 12:00 50620 -c--a-w- c:\windows\system32\command.com
    2010-07-07 05:55 . 2010-07-07 05:55 168792 -c--a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2102-01-03 19:47 . 2009-06-15 02:17 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
    2010-07-31 18:10 . 2008-11-18 12:53 -------- dc----w- c:\documents and settings\User\Application Data\Azureus
    2010-07-31 18:04 . 2009-11-30 11:50 -------- dc----w- c:\documents and settings\User\Application Data\vlc
    2010-07-20 12:39 . 2008-11-18 12:53 -------- dc----w- c:\program files\Vuze
    2010-07-19 05:38 . 2009-06-20 20:57 1474832 -c--a-w- c:\windows\system32\drivers\sfi.dat
    2010-07-18 19:33 . 2010-07-18 19:33 7970816 -c--a-w- c:\documents and settings\User\ntuser.tmp
    2010-07-13 08:15 . 2008-11-21 13:27 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-07-12 17:37 . 2008-11-24 05:43 44780 -c--a-w- c:\documents and settings\User\Application Data\wklnhst.dat
    2010-07-01 11:07 . 2010-07-01 11:07 434176 -c--a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
    2010-06-25 16:25 . 2010-06-25 16:21 -------- dc----w- c:\program files\Gran Diccionario Oxford
    2010-06-24 20:38 . 2009-05-29 06:43 17659 -c--a-w- c:\windows\system32\drivers\InetLock.sys
    2010-06-24 17:14 . 2010-06-24 17:11 -------- dc----w- c:\program files\Atomic Alarm Clock
    2010-06-19 10:26 . 2010-06-19 10:25 -------- dc----w- c:\program files\WorldUnlock Codes Calculator
    2010-05-15 10:20 . 2008-11-18 10:33 75088 -c--a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2002-04-16 11:27 . 2002-04-16 11:27 5 -csha-w- c:\windows\system32\CdI5T.drv
    .

    ------- Sigcheck -------

    Cryptography Services Error !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-07-30_13.37.18 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-08-02 11:54 . 2010-08-02 11:54 16384 c:\windows\Temp\Perflib_Perfdata_144.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2009-03-13 572928]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-08-02 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-05-19 37888]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-01-28 1800464]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\SopCast\\SopCast.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=

    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-02-13 134344]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-06-17 38160]
    R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-03-19 136704]
    R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-03-19 8320]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-05-26 7408]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2004-11-03 267136]
    S0 CFRMD;CFRMD;c:\windows\system32\drivers\cfrmd.sys [2009-10-27 132424]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-01-28 25160]
    S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-01 59240]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-07-01 166632]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-05-26 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-05-26 72944]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-07-01 840936]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    vvdsvc REG_MULTI_SZ vvdsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.msn.co.uk/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: {8E825BF4-22A0-45C0-97BC-63D13655E7DD} = 194.168.4.100,194.168.8.100
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-02 12:57
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(828)
    c:\windows\System32\ODBC32.dll
    c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    c:\windows\System32\msctfime.ime

    - - - - - - - > 'lsass.exe'(892)
    c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

    - - - - - - - > 'explorer.exe'(4656)
    c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    c:\program files\Trusteer\Rapport\bin\rooksbas.dll
    c:\windows\System32\msctfime.ime
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Windows Desktop Search\WindowsSearch.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-02 12:59:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-02 11:59
    ComboFix2.txt 2010-08-01 10:02
    ComboFix3.txt 2010-07-30 13:49

    Pre-Run: 2,167,570,432 bytes free
    Post-Run: 2,176,094,208 bytes free

    - - End Of File - - 9F7A9200C0400A1765D671DA2E821870

  14. #74
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    It looks better

    What are the current issues?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =============================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

  15. #75
    Join Date
    Jun 2009
    Posts
    97
    Broni
    Still have all the same issues on computer
    No task bar
    No start
    Internet will not start
    Cannot drag anything on desktop

    OTL Log

    OTL logfile created on: 02/08/2010 17:35:14 - Run 1
    OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\User\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 92.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 38.23 Gb Total Space | 2.11 Gb Free Space | 5.53% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    Drive E: | 1.88 Gb Total Space | 1.88 Gb Free Space | 99.62% Space Free | Partition Type: FAT
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: FAMILY
    Current User Name: User
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/08/02 17:29:14 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
    PRC - [2010/07/01 12:07:20 | 001,361,128 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    PRC - [2010/07/01 12:07:18 | 000,840,936 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    PRC - [2010/06/10 07:36:33 | 002,245,576 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cfpupdat.exe
    PRC - [2010/05/19 15:37:06 | 000,037,888 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Winamp\winampa.exe
    PRC - [2010/01/28 12:34:40 | 001,800,464 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    PRC - [2009/06/25 15:12:42 | 001,414,144 | ---- | M] (Nokia) -- C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
    PRC - [2009/03/13 13:13:12 | 000,572,928 | ---- | M] () -- C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
    PRC - [2008/05/26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    PRC - [2002/08/29 13:00:00 | 001,004,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/08/02 17:29:14 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
    MOD - [2010/06/07 18:07:08 | 000,541,928 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll
    MOD - [2002/08/29 13:00:00 | 000,143,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MSIMTF.dll
    MOD - [2002/08/29 13:00:00 | 000,106,547 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -d -f %ProgramFiles%\WinPcap\rpcapd.ini -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
    SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
    SRV - [2010/07/01 12:07:18 | 000,840,936 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
    SRV - [2010/01/28 12:34:37 | 000,723,632 | ---- | M] (COMODO) [Auto | Stopped] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
    SRV - [2009/06/02 10:10:08 | 000,637,952 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2007/12/17 22:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Stopped] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE -- (EPSON_EB_RPCV4_01) EPSON V5 Service4(01)
    SRV - [2007/01/11 22:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Stopped] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)
    SRV - [2005/11/14 02:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\LVCM.sys -- (QCMerced)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\lvusbsta.sys -- (LVUSBSta)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - [2010/07/01 12:07:30 | 000,166,632 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
    DRV - [2010/07/01 12:07:30 | 000,059,240 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys -- (RapportKELL)
    DRV - [2010/02/13 10:56:04 | 000,134,344 | ---- | M] (COMODO) [File_System | System | Stopped] -- C:\WINDOWS\system32\drivers\cmdguard.sys -- (cmdGuard)
    DRV - [2010/01/28 12:34:57 | 000,087,104 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect)
    DRV - [2010/01/28 12:34:56 | 000,025,160 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
    DRV - [2009/10/27 16:46:30 | 000,132,424 | ---- | M] (COMODO Security Solutions Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\cfrmd.sys -- (CFRMD)
    DRV - [2009/06/17 12:27:56 | 000,038,160 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
    DRV - [2009/05/26 11:05:56 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
    DRV - [2009/05/26 11:05:54 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
    DRV - [2009/05/26 11:05:52 | 000,072,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2009/03/19 14:48:18 | 000,136,704 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdnsu.sys -- (nmwcdnsu)
    DRV - [2009/03/19 14:48:12 | 000,008,320 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmwcdnsuc.sys -- (nmwcdnsuc)
    DRV - [2009/02/09 08:37:56 | 000,007,808 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
    DRV - [2009/02/09 08:37:48 | 000,007,808 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
