Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
o The Recovery Console was successfully installed.
Please continue as follows:
o Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
o Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Hi Nuppi,
No joy with the ComboFix...nothing happens when I run it...have tried all the usual tricks, shut down all the antivirus software, firewalls etc, changed the ComboFix name to cf.exe and ran via "%userprofile%\desktop\cf.exe" /killall
Strange behaviour indeed...any other tips?
Mvh
Nick
That did the trick...don't know why I didn't think of that myself (Friday!). Here's the log as per your request.
Happy reading and thanks again for your time with this
Regards
Nick
ComboFix 08-06-05.3 - Nick and Erika 2008-06-07 12:22:45.1 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1667 [GMT 2:00]
Running from: C:\Users\Nick and Erika\Desktop\cf.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 09:41 d-----w C:\Program Files\PestPatrol
2008-06-06 05:51 d-----w C:\Users\Nick and Erika\AppData\Roaming\temp
2008-06-05 21:41 d-----w C:\Users\Nick and Erika\AppData\Roaming\BitTorrent
2008-06-05 06:31 d---a-w C:\ProgramData\TEMP
2008-06-05 06:31 d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-05 06:20 d-----w C:\ProgramData\Lavasoft
2008-06-05 06:20 d-----w C:\Program Files\SpywareBlaster
2008-06-05 06:04 d-----w C:\ProgramData\Intuit
2008-06-04 20:34 d-----w C:\ProgramData\DVD Shrink
2008-06-04 18:11 d-----w C:\ProgramData\Corel
2008-06-04 13:47 d-----w C:\ProgramData\comodo
2008-06-04 13:36 249,592 ----a-w C:\Windows\System32\cssdll32.dll
2008-06-04 13:36 d-----w C:\Program Files\COMODO
2008-06-04 13:34 85,008 ----a-w C:\Windows\system32\drivers\cmdguard.sys
2008-06-04 13:34 25,104 ----a-w C:\Windows\system32\drivers\cmdhlp.sys
2008-06-04 13:34 143,104 ----a-w C:\Windows\System32\guard32.dll
2008-06-04 13:34 d-----w C:\Users\Nick and Erika\AppData\Roaming\Comodo
2008-06-04 10:53 d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-04 10:48 96,520 ----a-w C:\Windows\system32\drivers\avgldx86.sys
2008-06-04 10:48 10,520 ----a-w C:\Windows\System32\avgrsstx.dll
2008-06-04 10:48 d--h--w C:\ProgramData\Avg8
2008-06-04 08:16 d-----w C:\ProgramData\Skype
2008-06-04 07:58 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-06-04 07:44 d-----w C:\Program Files\ffdshow
2008-06-04 07:44 d-----w C:\Program Files\CCleaner
2008-05-25 12:04 d-----w C:\Program Files\Creative
2008-05-25 12:03 d--h--w C:\Program Files\InstallShield Installation Information
2008-05-22 09:16 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-05-21 17:56 174 --sha-w C:\Program Files\desktop.ini
2008-05-21 17:36 d-----w C:\Program Files\Windows Sidebar
2008-05-21 17:36 d-----w C:\Program Files\Windows Calendar
2008-05-21 17:35 d-----w C:\Program Files\Windows Photo Gallery
2008-05-21 17:35 d-----w C:\Program Files\Windows Mail
2008-05-21 17:35 d-----w C:\Program Files\Windows Defender
2008-05-21 17:13 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-21 17:13 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-05-19 09:40 d-----w C:\Program Files\AviSynth 2.5
2008-05-17 08:33 d-----w C:\Program Files\AVG
2008-05-10 16:21 d-----w C:\Program Files\Trend Micro
2008-05-09 07:52 d-----w C:\Program Files\dvdSanta
2008-04-27 11:01 d-----w C:\Program Files\Microsoft SQL Server
2008-04-27 10:58 d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-18 08:06 d-----w C:\Program Files\MetaTrader 4
2007-12-16 16:53 47,360 ----a-w C:\Users\Nick and Erika\AppData\Roaming\pcouffin.sys
2007-05-31 02:05 1,132,112 ---ha-r C:\ProgramData\pswi_preloaded.exe
2007-12-22 16:15 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2007-12-22 16:15 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
.
Sigcheck
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 12:49 98304]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 10:35 73728]
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 09:53 148480]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2006-11-13 15:32 118784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-04 12:48 1177368]
"COMODO SafeSurf"="C:\Program Files\COMODO\SafeSurf\cssurf.exe" [2008-06-04 15:36 278264]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-06-04 15:34 1655552]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@=" []
"GrpConv"="grpconv -o" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2007-02-14 01:19 98304 C:\Windows\System32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= i420vfw.dll
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
"midi1"= usbkt1x1.dll
"midi2"= usbkt1x1.dll
"vidc.yv12"= yv12vfw.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
"AdobeUpdater"=C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
"ISUSPM"="C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"<NO NAME>"=
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Apoint"=C:\Program Files\Apoint\Apoint.exe
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{09C41AAA-EB42-41BC-A50A-106C02B5633C}"= Disabled:UDP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{9F356359-4863-498C-82DB-66ECAE934F0D}"= Disabled:TCP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"TCP Query User{57C05AE7-A669-4869-BDA2-287437C2BE61}C:\\program files\\bittorrent\\bittorrent.exe"= UDP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{0D897B3C-47E4-44ED-96B1-0F73AAC369B9}C:\\program files\\bittorrent\\bittorrent.exe"= TCP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"{6988B870-7963-4DB0-ADAB-6D1BB2DC0859}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{D025C2D3-EC4C-4B8B-837F-87AAD78F09A7}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{8C833C37-7922-48F6-94B0-AA4693FAD2A7}"= Disabled:UDP:C:\Program Files\DNA\btdna.exe:DNA
"{6403965E-087F-4A1C-836D-D2EABB28B495}"= Disabled:TCP:C:\Program Files\DNA\btdna.exe:DNA
"{25D29FB8-6AF9-4D04-B6AA-A80C2946630D}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{AC734530-2C8B-40D1-8BBF-E880381CFE11}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{BC8BD059-45D7-4219-84AF-77A25B5F2C18}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{3FD1D74E-A50C-4B5C-BD9E-54476CFBA952}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{AB8E62EC-5CBD-4B11-9F11-59537B9CD580}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
R3 RegKill;RegKill;C:\Windows\system32\Drivers\RegKill.sys [2002-11-27 23:46]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-06-04 12:48]
S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\Windows\system32\DRIVERS\cmdguard.sys [2008-06-04 15:34]
S1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\Windows\system32\DRIVERS\cmdhlp.sys [2008-06-04 15:34]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-04 12:48]
S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sVAIO_VEDB []
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
S3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-01-23 15:12]
S3 ti21sony;ti21sony;C:\Windows\system32\drivers\ti21sony.sys [2007-02-08 15:27]
S3 UKS11LDR;Midiman USB Keystation Loader;C:\Windows\system32\drivers\uks11ldr.sys [2002-09-25 08:02]
S3 USBKS1X1;Midiman USB Keystation USB Driver;C:\Windows\system32\drivers\usbks1x1.sys [2002-09-25 08:02]
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;C:\Windows\system32\drivers\usbmidim.sys [2002-09-25 08:02]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-11 01:51]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);"C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-UCLS-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\UCLS\HTTP" []
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-01-16 23:05]
S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-28 11:51]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\Autorun\Autorun.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 09:42:04 C:\Windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-31 03:44:28 C:\Windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-06-07 09:38:19 C:\Windows\Tasks\Vaio Service Utility.job"
- C:\Program Files\Sony\Vaio Service Utility\VAIO-SU.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 12:25:16
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-07 12:25:51
ComboFix-quarantined-files.txt 2008-06-07 10:25:46
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
174 --- E O F --- 2008-05-23 07:21:51
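The "Reg Loading Points" block in the log above is where a reviewer looks first: it shows UAC switched off (EnableLUA=0), the Windows Firewall standard profile disabled, and Security Center monitoring overridden. The following triage helper is an added example, not part of the thread and not ComboFix's own code; it parses that block's `[key]` / `"name"=value` layout and flags those settings. The sample input is an excerpt constructed from the log above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Excerpt constructed from the "Reg Loading Points" block of the ComboFix log
# in this thread, trimmed to the lines the triage looks at.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-04 12:48 1177368]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-06-04 15:34 1655552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')

# (lower-cased key fragment, value name, value that weakens the system, description)
WEAKENING_SETTINGS = [
    (r"\policies\system", "EnableLUA", 0, "UAC disabled (EnableLUA=0)"),
    (r"\firewallpolicy\standardprofile", "EnableFirewall", 0,
     "Windows Firewall disabled for the standard profile"),
    (r"\security center\svc", "AntiVirusOverride", 1,
     "Security Center antivirus status overridden"),
    (r"\security center\monitoring", "DisableMonitoring", 1,
     "Security Center monitoring disabled for a product"),
]


def parse_reg_points(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group '"name"=value' lines under the lower-cased [key] that precedes them."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("value").strip()))
    return sections


def numeric_value(value: str) -> Optional[int]:
    """Decode the two numeric renderings ComboFix uses: '0 (0x0)' and 'dword:00000001'."""
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", value)
    if m:
        return int(m.group(1))
    return None  # a path or command line, not a number


def triage(sections: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return one finding per setting that weakens UAC, the firewall or Security Center."""
    findings = []
    for key, values in sections.items():
        for fragment, name, bad, description in WEAKENING_SETTINGS:
            if fragment not in key:
                continue
            for vname, vvalue in values:
                if vname.lower() == name.lower() and numeric_value(vvalue) == bad:
                    findings.append(f"{description}: [{key}] {vname}={vvalue}")
    return findings


def active_autostarts(sections: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Entries under ...\\Run that execute at logon. ComboFix lists keys with a
    trailing '-' (e.g. ...\\run-) for startup items that are present but disabled,
    so those are left out here."""
    return [entry for key, values in sections.items()
            if key.endswith("\\run") for entry in values]


if __name__ == "__main__":
    parsed = parse_reg_points(SAMPLE_LOG)
    for finding in triage(parsed):
        print("FINDING:", finding)
    for name, value in active_autostarts(parsed):
        print("AUTOSTART:", name, "->", value)
```

On the excerpt this reports four findings and two active autostart entries; the disabled BitTorrent entry under `run-` is not counted.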
Not sure what you mean....do you mean through the firewall? If so, then there is no record of Skype or the scanner in the firewall records....
I used to have Skype running but it had some sort of "error". I uninstalled and tried to reinstall, but the message was there was no room on disc (30 GB easy), so no Skype installed anymore.
Re scanner: it uploads OK and goes to 100% update, then just cuts out with an error message...weird, eh?
Something is up, but I guess that the ComboFix log didn't say exactly what....where from here, I wonder?
Hi Nuppi
The link you put up is inactive, can you repost?
Also managed to finish and save a Kaspersky online scan and have posted it below.
Regards
Nick
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 08, 2008 12:57:23 PM
Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/06/2008
Kaspersky Anti-Virus database records: 839011
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
B:\
C:\
D:\
E:\
F:\
I:\
Scan Statistics:
Total number of scanned objects: 81805
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:08:03
Infected Object Name / Virus Name / Last Action
Scan process completed.
Thanks for that...glad I can say it's clean.
I guess it's Vista teething problems that are doing the strange things and not a virus remnant after all...roll on SP2.
I would like to say thanks a lot for your efforts (team effort!), a great service offered to those not in the know!
Keep up the good work
Regards
NtD
Comments
* Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/comb...o-use-combofix
Please include the report in your next post:
C:\ComboFix.txt
Try to do the scan in safe mode:
PC Hell: How to Start Windows in Safe Mode
"{9F356359-4863-498C-82DB-66ECAE934F0D}"= Disabled:TCP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"TCP Query User{57C05AE7-A669-4869-BDA2-287437C2BE61}C:\\program files\\bittorrent\\bittorrent.exe"= UDP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{0D897B3C-47E4-44ED-96B1-0F73AAC369B9}C:\\program files\\bittorrent\\bittorrent.exe"= TCP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"{6988B870-7963-4DB0-ADAB-6D1BB2DC0859}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{D025C2D3-EC4C-4B8B-837F-87AAD78F09A7}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{8C833C37-7922-48F6-94B0-AA4693FAD2A7}"= Disabled:UDP:C:\Program Files\DNA\btdna.exe:DNA
"{6403965E-087F-4A1C-836D-D2EABB28B495}"= Disabled:TCP:C:\Program Files\DNA\btdna.exe:DNA
"{25D29FB8-6AF9-4D04-B6AA-A80C2946630D}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{AC734530-2C8B-40D1-8BBF-E880381CFE11}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{BC8BD059-45D7-4219-84AF-77A25B5F2C18}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{3FD1D74E-A50C-4B5C-BD9E-54476CFBA952}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{AB8E62EC-5CBD-4B11-9F11-59537B9CD580}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
R3 RegKill;RegKill;C:\Windows\system32\Drivers\RegKill.sys [2002-11-27 23:46]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-06-04 12:48]
S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\Windows\system32\DRIVERS\cmdguard.sys [2008-06-04 15:34]
S1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\Windows\system32\DRIVERS\cmdhlp.sys [2008-06-04 15:34]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-04 12:48]
S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sVAIO_VEDB []
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
S3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-01-23 15:12]
S3 ti21sony;ti21sony;C:\Windows\system32\drivers\ti21sony.sys [2007-02-08 15:27]
S3 UKS11LDR;Midiman USB Keystation Loader;C:\Windows\system32\drivers\uks11ldr.sys [2002-09-25 08:02]
S3 USBKS1X1;Midiman USB Keystation USB Driver;C:\Windows\system32\drivers\usbks1x1.sys [2002-09-25 08:02]
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;C:\Windows\system32\drivers\usbmidim.sys [2002-09-25 08:02]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-11 01:51]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);"C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-UCLS-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\UCLS\HTTP" []
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-01-16 23:05]
S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-28 11:51]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\Autorun\Autorun.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 09:42:04 C:\Windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-31 03:44:28 C:\Windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-06-07 09:38:19 C:\Windows\Tasks\Vaio Service Utility.job"
- C:\Program Files\Sony\Vaio Service Utility\VAIO-SU.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 12:25:16
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-07 12:25:51
ComboFix-quarantined-files.txt 2008-06-07 10:25:46
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
174 --- E O F --- 2008-05-23 07:21:51
I used to have Skype running but it had some sort of "error". I uninstalled and tried to reinstall, but the message was that there was no room on disc (30 GB easy), so no Skype installed anymore.
Re scanner: it uploads OK and goes to 100% update, then just cuts out with an error message... weird, eh?
Something is up, but I guess the ComboFix log didn't say exactly what... where from here, I wonder?
Take care
Nick
However, let's find out if there is some older registry key that prevents installation.
Please download here registry searching tool:
Link
Do a search with value "skype"
Send the results
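The search the helper asks for above (look through the registry for anything named "skype" that an incomplete uninstall may have left behind) can also be done without a third-party tool. The script below is an added example written for this thread; it is not the linked registry searching tool and not part of the original posts. It assumes PowerShell is installed (on Vista it was a separate download), that it is run from an elevated prompt so HKLM is readable, and that the search roots, the pattern and the output file on the Desktop are acceptable defaults; all three are assumptions you can override with parameters. It is read-only and deletes nothing, so the results can be posted for review before anything is changed.

```powershell
# Added example for this thread, not the tool linked above.
# Searches key names, value names and value data under the given roots for a
# pattern (case-insensitive regex) and writes the hits to a text file.
# Assumed defaults: pattern "skype", roots HKLM\SOFTWARE, HKCU\SOFTWARE and the
# services hive, output on the current user's Desktop.
param(
    [string]   $Pattern = 'skype',
    [string[]] $Roots   = @('HKLM:\SOFTWARE',
                            'HKCU:\SOFTWARE',
                            'HKLM:\SYSTEM\CurrentControlSet\Services'),
    [string]   $Out     = "$env:USERPROFILE\Desktop\regsearch-$Pattern.txt"
)

$results = New-Object System.Collections.Generic.List[string]

foreach ($root in $Roots) {
    # Keys we lack permission to read are skipped silently rather than aborting.
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_

        # 1. Key name itself (e.g. ...\Uninstall\Skype or ...\Services\SkypeUpdate)
        if ($key.PSChildName -match $Pattern) {
            $results.Add("KEY   $($key.Name)")
        }

        # 2. Value names and value data; the default value has an empty name.
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            $text = if ($data -is [array]) { $data -join ' ' } else { [string]$data }
            if ($name -match $Pattern -or $text -match $Pattern) {
                $label = if ($name) { $name } else { '(Default)' }
                $results.Add("VALUE $($key.Name)\$label = $text")
            }
        }
    }
}

$results | Set-Content -Path $Out -Encoding UTF8
Write-Host "$($results.Count) matches written to $Out"
```

Save it as, for example, regsearch.ps1 and run `.\regsearch.ps1` from an elevated PowerShell prompt, or `.\regsearch.ps1 -Pattern 'skype' -Roots 'HKLM:\SOFTWARE'` to narrow the scope. Recursing HKLM\SOFTWARE takes a minute or two on a machine of this era. Because the pattern is a regex, a more specific expression such as `'skype(update|\.exe)'` cuts down on unrelated hits (browser history entries, other programs' Skype plug-ins) before the results are posted.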
The link you put up is inactive, can you repost?
Also managed to finish and save a kasp.online scan and have posted below
Regards
Nick
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 08, 2008 12:57:23 PM
Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/06/2008
Kaspersky Anti-Virus database records: 839011
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
B:\
C:\
D:\
E:\
F:\
I:\
Scan Statistics:
Total number of scanned objects: 81805
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:08:03
Infected Object Name / Virus Name / Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_445.trc Object is locked skipped
C:\ProgramData\Avg8\Log\avgcore.log Object is locked skipped
C:\ProgramData\Avg8\Log\avglng.log Object is locked skipped
C:\ProgramData\Avg8\Log\avgrs.log Object is locked skipped
C:\ProgramData\Avg8\Log\avgscan.log Object is locked skipped
C:\ProgramData\Avg8\Log\avgsched.log Object is locked skipped
C:\ProgramData\Avg8\Log\avgsrm.log Object is locked skipped
C:\ProgramData\Avg8\Log\avgwd.log Object is locked skipped
C:\ProgramData\Avg8\scanlogs\I_00000009.log Object is locked skipped
C:\ProgramData\comodo\common\db\sigsdb.db Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Users\Nick and Erika\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Nick and Erika\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Nick and Erika\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Nick and Erika\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Nick and Erika\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Nick and Erika\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Nick and Erika\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Nick and Erika\AppData\Local\Microsoft\Windows\UsrClass.dat{c2b5a8d4-9fa1-11dc-8e69-001a80455320}.TM.blf Object is locked skipped
C:\Users\Nick and Erika\AppData\Local\Microsoft\Windows\UsrClass.dat{c2b5a8d4-9fa1-11dc-8e69-001a80455320}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Nick and Erika\AppData\Local\Microsoft\Windows\UsrClass.dat{c2b5a8d4-9fa1-11dc-8e69-001a80455320}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Nick and Erika\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Nick and Erika\ntuser.dat Object is locked skipped
C:\Users\Nick and Erika\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Nick and Erika\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Nick and Erika\ntuser.dat{6526407b-31fc-11dd-8428-001a80455320}.TM.blf Object is locked skipped
C:\Users\Nick and Erika\ntuser.dat{6526407b-31fc-11dd-8428-001a80455320}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Nick and Erika\ntuser.dat{6526407b-31fc-11dd-8428-001a80455320}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\EventCache\{9EEA684D-14B5-4C69-871D-2F2D9369D67E}.bin Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{6526405e-31fc-11dd-8428-001a80455320}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{6526405e-31fc-11dd-8428-001a80455320}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{6526405e-31fc-11dd-8428-001a80455320}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{6526405e-31fc-11dd-8428-001a80455320}.TxR.blf Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WMI\WdiContextLog.etl.001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\TEMP\d38f92d5-5663-4bac-9f60-fd7748856ec8.tmp Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
Scan process completed.
Sorry
New link
I guess it's Vista teething problems that are doing the strange things and not a virus remnant after all... roll on SP2.
I would like to say thanks a lot for your efforts (team effort!), a great service offered to those not in the know!
Keep up the good work
Regards
NtD
How about that Skype problem ?