Hi there,
I am having a problem with my Internet Explorer popping up with random advertisements. It only does it when I have closed all running software and don't use my computer for a few minutes; they then start to pop up.
I have run Malwarebytes and ComboFix; I will post the logs further down the page.
I tried to run the ESET NOD32 Online Antivirus Scanner, but this was asking if a proxy was set up?
I will try to run GMER and DDS if this helps and post the logs on here.
ComboFix log
ComboFix 10-12-06.04 - michael 09/11/2010 22:41:05.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.155 [GMT 0:00]
Running from: J:\ComboFix.exe
AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
((((((((((((((((((((((((( Files Created from 2010-10-09 to 2010-11-09 )))))))))))))))))))))))))))))))
.
2012-04-12 08:59 . 2012-04-12 09:37 -------- d-----w- C:\Mum n Dads Laptop Files
2012-03-15 20:28 . 2012-03-15 20:28 -------- d-----w- c:\documents and settings\michael\Local Settings\Application Data\Help
2012-03-15 20:25 . 2012-03-15 20:25 5248 ----a-w- c:\windows\system32\giveio.sys
2012-03-15 20:22 . 2012-03-15 20:32 -------- d-----w- c:\program files\SSC Service Utility
2012-03-11 16:37 . 2012-03-11 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\MGS
2012-03-03 14:48 . 2012-03-03 14:48 -------- d-----w- c:\documents and settings\michael\Local Settings\Application Data\Scansoft
2012-02-26 20:25 . 2012-02-26 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2012-02-26 20:24 . 2012-02-26 20:24 -------- d-----w- c:\documents and settings\michael\Application Data\Nuance
2012-02-26 19:59 . 2012-02-26 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2012-02-26 19:59 . 2010-07-16 18:59 -------- d-----w- c:\windows\speech
2012-02-21 22:16 . 2012-02-21 22:16 -------- d-----w- c:\documents and settings\michael\Local Settings\Application Data\WinAVI
2012-02-21 22:16 . 2012-02-27 16:36 -------- d-----w- c:\program files\WinAVI Video Converter
2010-11-09 13:25 . 2010-11-09 13:21 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-11-09 13:25 . 2010-11-09 13:22 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-11-09 13:24 . 2010-11-09 13:22 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-11-09 13:23 . 2010-11-09 13:23 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-11-09 13:23 . 2010-11-09 13:23 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-11-09 13:23 . 2010-11-09 15:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-11-09 13:23 . 2010-11-09 13:23 -------- d-----w- c:\program files\Symantec
2010-11-09 13:20 . 2010-11-09 22:02 -------- d-----w- c:\windows\system32\drivers\N360
2010-11-09 13:20 . 2010-11-09 13:21 -------- d-----w- c:\program files\Norton 360 Premier Edition
2010-11-09 13:20 . 2010-11-09 13:20 -------- d-----w- c:\program files\Windows Sidebar
2010-11-09 13:20 . 2010-11-09 13:20 -------- d-----w- c:\program files\NortonInstaller
2010-11-07 15:11 . 2007-04-08 16:38 946312 ----a-w- c:\windows\system32\wPDFViewplus01.dll
2010-11-07 15:10 . 2010-11-07 15:11 -------- d-----w- c:\program files\XSPPlat
2010-11-07 15:06 . 2010-11-07 15:06 186880 ----a-w- c:\windows\Gmirea.exe
2010-11-07 14:50 . 2010-11-07 14:57 -------- d-----w- c:\documents and settings\michael\Application Data\iktsoft
2010-11-02 16:23 . 2006-12-02 06:22 479232 ----a-w- c:\windows\system32\msvcm80.dll
2010-11-02 16:23 . 2010-11-02 16:23 -------- d-----w- c:\program files\MyXOFT
2010-11-02 16:15 . 2010-11-08 14:52 -------- d-----w- c:\program files\Music Trio
2010-11-02 15:55 . 2010-11-02 15:55 -------- d-----w- c:\documents and settings\michael\Application Data\Doblon
2010-11-02 15:23 . 2010-11-02 15:23 -------- d-----w- c:\program files\Doblon
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-28 18:15 . 2010-07-13 15:37 2672 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-10-28 18:15 . 2010-07-13 15:37 88 --sh--r- c:\documents and settings\All Users\Application Data\03BEF1D2A8.sys
2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2010-09-18 11:23 . 2009-05-19 09:23 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2009-05-19 09:23 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2009-05-19 09:23 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2009-05-19 09:23 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2005-12-05 11:41 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2009-05-19 09:22 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2009-05-19 09:21 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2009-05-19 09:19 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2005-12-05 11:41 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2006-06-15 11:31 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2005-12-05 11:41 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2005-12-05 11:41 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-02-25 10:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2009-05-19 09:19 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2005-12-05 11:41 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2009-05-19 09:24 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-07-08 1953887]
"Shareaza"="c:\program files\Shareaza\Shareaza.exe" [2010-02-06 4853760]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-30 204288]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2009-12-30 523408]
"OW1T3CYG7T"="c:\windows\Gmirea.exe" [2010-11-07 186880]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"VTTimer"="VTTimer.exe" [2005-03-07 53248]
"VTTrayp"="VTtrayp.exe" [2005-10-31 163840]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-12-04 665424]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"AOL_Demo"="c:\applications\Tool\AOL Demo\DSGDemo.exe" [2005-12-01 177178]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [09/11/2010 15:26 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [09/11/2010 15:25 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [09/11/2010 15:25 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20101201.001\IDSXpx86.sys [09/11/2010 13:43 341944]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [07/03/2010 11:11 390528]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [23/03/2010 18:26 711352]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [23/03/2010 18:26 711352]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [09/11/2010 19:03 102448]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [07/08/2003 16:42 6528]
S2 N360;Norton 360;c:\program files\Norton 360 Premier Edition\Engine\3.8.0.41\ccSvcHst.exe [09/11/2010 15:24 117640]
S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [?]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [25/02/2010 09:47 721904]
.
Contents of the 'Scheduled Tasks' folder
2010-11-09 c:\windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
- c:\windows\Gmirea.exe [2010-11-07 15:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Download with &Shareaza - c:\program files\shareaza\razawebhook32.dll/3000
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-09 23:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360 Premier Edition\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360 Premier Edition\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3296923419-416603358-497765969-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DA0DB758-EF64-6991-E085-D0FCE315193A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jadihbnhefjddgapgnpp"=hex:6b,61,66,6b,61,62,6f,64,6a,69,67,62,65,68,6f,64,70,
67,6e,6e,65,6a,00,00
"iajebdmfkcagbiijok"=hex:6b,61,66,6b,61,62,6f,64,6a,69,67,62,65,68,6f,64,70,67,
6e,6e,65,6a,00,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(14640)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-09 23:25:03
ComboFix-quarantined-files.txt 2010-11-09 23:24
Pre-Run: 21,554,262,016 bytes free
Post-Run: 21,735,727,104 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - DEFF2C2C31F03C3FD4BD88F194199A52
The Malwarebytes scan, before deleting the viruses, produced this log >>
Malwarebytes' Anti-Malware 1.44
Database version: 3788
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
09/11/2010 00:47:43
mbam-log-2010-11-09 (00-47-43).txt
Scan type: Full Scan (C:\|)
Objects scanned: 204185
Time elapsed: 3 hour(s), 59 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\michael\Local Settings\Temp\sshnas21.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
Then when I scanned again it produced this log >>
Malwarebytes' Anti-Malware 1.44
Database version: 3788
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
09/11/2010 18:36:52
mbam-log-2010-11-09 (18-36-52).txt
Scan type: Full Scan (C:\|)
Objects scanned: 184926
Time elapsed: 2 hour(s), 41 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Now Malwarebytes does not find anything.
Hope someone can help
Thanks
Michael
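Added example (editor's code, not part of the original post and not from ComboFix, Malwarebytes or any of the vendors named above): a small Python triage script for the "Reg Loading Points" and "Scheduled Tasks" sections of a ComboFix log like the one posted. It flags Run-key entries that have a random-looking value name, point at an executable sitting directly in c:\windows rather than in a vendor folder, or share their executable with a scheduled task, and it lists the header/firewall lines that show protection switched off. Those three heuristics are assumptions for illustration only, not a verdict on any file; the sample excerpt is constructed from log lines quoted in the post.

```python
"""Triage the autorun and protection-state lines of a ComboFix log.

Added example; the heuristics below are assumptions, not ComboFix logic.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the log lines quoted in the post above.
SAMPLE_LOG = r"""
AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Shareaza"="c:\program files\Shareaza\Shareaza.exe" [2010-02-06 4853760]
"OW1T3CYG7T"="c:\windows\Gmirea.exe" [2010-11-07 186880]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
Contents of the 'Scheduled Tasks' folder
2010-11-09 c:\windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
- c:\windows\Gmirea.exe [2010-11-07 15:06]
.
------- Supplementary Scan -------
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                       # any [registry key] line
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[\d{4}-\d{2}-\d{2} \d+\]$')
TASK_CMD_RE = re.compile(r'^- (.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$')
RANDOM_NAME_RE = re.compile(r'^(?=.*\d)[A-Z0-9]{8,}$')  # assumption: 8+ upper/digits with a digit
WINDOWS_ROOT_EXE_RE = re.compile(r'^c:\\windows\\[^\\]+\.exe$')
TASKS_HEADER = "Contents of the 'Scheduled Tasks' folder"


@dataclass
class AutorunEntry:
    key: str                 # registry key the value lives under
    name: str                # value name
    path: str                # command as written in the log
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Return (Run-key entries, lower-cased set of scheduled-task commands)."""
    entries, task_cmds = [], set()
    key, in_tasks = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == TASKS_HEADER:
            in_tasks = True
            continue
        if in_tasks:
            m = TASK_CMD_RE.match(line)
            if m:
                task_cmds.add(m.group(1).lower())
            elif line == '.':            # a lone dot closes a ComboFix section
                in_tasks = False
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith('\\run'):
            entries.append(AutorunEntry(key, m.group(1), m.group(2)))
    return entries, task_cmds


def triage(text):
    """Return only the Run-key entries that trip at least one heuristic."""
    entries, task_cmds = parse_log(text)
    flagged = []
    for e in entries:
        path = e.path.lower()
        if RANDOM_NAME_RE.match(e.name):
            e.reasons.append('random-looking value name')
        if WINDOWS_ROOT_EXE_RE.match(path):
            e.reasons.append('executable directly under c:\\windows')
        if path in task_cmds:
            e.reasons.append('same executable also launched by a scheduled task')
        if e.reasons:
            flagged.append(e)
    return flagged


def disabled_protections(text):
    """Lines showing the AV, its firewall or the Windows firewall switched off."""
    notes = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(('AV:', 'FW:')) and 'disabled' in line.lower():
            notes.append(line.split(' {')[0])   # drop the product GUID
        if line.startswith('"EnableFirewall"=') and line.endswith('0 (0x0)'):
            notes.append('Windows Firewall standard profile disabled')
    return notes


if __name__ == '__main__':
    for note in disabled_protections(SAMPLE_LOG):
        print('protection:', note)
    for e in triage(SAMPLE_LOG):
        print(f'{e.key}\n  "{e.name}" = {e.path}\n  reasons: {"; ".join(e.reasons)}')
```

Run against the excerpt it prints the two Norton lines and the firewall line, then a single flagged entry (the Gmirea.exe Run value with all three reasons); the Shareaza, SoundMan and Adobe entries pass. The heuristics are deliberately narrow so that a vendor folder under Program Files never trips them; a bare filename such as SOUNDMAN.EXE is left alone because the log does not say where it resolves.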