GeekPolice
URGENT need help on Trojan virus removal

My computer recently got infected with the virus 'TrojanDownloader:Win32/Renos.JS'. It has stopped my Kaspersky antivirus software from working, and has stopped IE and Firefox, so I can't get on the internet (I'm using a friend's computer now). Windows Defender has detected it, but it doesn't delete it. Please can you tell me how to get rid of this virus?
Thanks

Re: URGENT need help on Trojan virus removal

Please transfer this download from a clean computer to the infected one:

Please download ComboFix from BleepingComputer.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run then copy/paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

[image: Query_RC]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: RC_successful]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

I would also like to see a list of installed programs, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

In your next reply, please include the ComboFix log and the Add-Remove Programs log.

Re: URGENT need help on Trojan virus removal

Here's the ComboFix log:
ComboFix 09-10-20.03 - Ammar 21/10/2009 12:38.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1347 [GMT 1]
Running from: c:\users\Ammar\Desktop\commy.exe
Command switches used :: /stepdel
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2761920510-736693625-3431824637-500
c:\windows\Installer\d15c.msi
c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500\desktop.ini
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500\desktop.ini
c:\$recycle.bin\S-1-5-21-2761920510-736693625-3431824637-500\desktop.ini
c:\program files\Applications\myp.ico
c:\users\Ammar\Documents\My Documents.url

Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-21 11:45 . 2009-10-21 11:48 -------- d-----w- c:\users\Ammar\AppData\Local\temp
2009-10-21 11:45 . 2009-10-21 11:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-20 16:18 . 2009-10-20 16:18 -------- d-----w- C:\Kontiki
2009-10-20 15:09 . 2009-10-20 15:09 -------- d-----w- c:\windows\system32\EventProviders
2009-10-20 11:38 . 2009-10-20 18:23 0 ----a-r- c:\windows\win32k.sys
2009-10-15 20:11 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-10-15 20:11 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-15 20:11 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-12 11:33 . 2009-10-12 11:33 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-10-02 19:04 . 2009-10-01 09:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-24 11:23 . 2009-09-24 11:23 -------- d-----w- c:\users\Ammar\AppData\Roaming\TomTom
2009-09-24 11:23 . 2009-09-24 11:23 -------- d-----w- c:\users\Ammar\AppData\Local\TomTom
2009-09-24 11:23 . 2009-09-24 11:23 -------- d-----w- c:\program files\TomTom International B.V
2009-09-24 11:23 . 2009-09-24 11:23 -------- d-----w- c:\program files\TomTom HOME 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 11:50 . 2008-04-04 14:23 -------- d-----w- c:\programdata\Kontiki
2009-10-21 11:49 . 2007-09-26 18:44 -------- d-----w- c:\program files\Dl_cats
2009-10-21 11:38 . 2008-08-22 10:35 -------- d-----w- c:\program files\Applications
2009-10-20 16:08 . 2008-08-24 15:06 -------- d-----w- c:\programdata\Kaspersky Lab
2009-10-20 10:51 . 2007-10-06 11:08 -------- d-----w- c:\programdata\Google Updater
2009-10-17 09:47 . 2009-06-06 11:17 -------- d-----w- c:\users\Ammar\AppData\Roaming\Spotify
2009-10-16 02:14 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-16 02:04 . 2007-09-11 10:02 -------- d-----w- c:\programdata\Microsoft Help
2009-10-14 13:11 . 2009-08-19 12:09 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-14 13:11 . 2009-08-19 12:09 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-12 11:33 . 2007-09-19 18:20 88456 ----a-w- c:\users\Ammar\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-11 21:24 . 2007-09-11 10:04 -------- d-----w- c:\program files\Microsoft Works
2009-09-25 07:38 . 2007-09-11 09:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-24 16:20 . 2007-09-11 10:10 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-24 11:20 . 2008-02-10 12:01 -------- d-----w- c:\program files\TomTom HOME
2009-09-14 17:26 . 2009-09-14 17:26 -------- d-----w- c:\program files\iLike
2009-09-14 17:26 . 2008-09-28 20:06 -------- d-----w- c:\program files\iTunes
2009-09-14 12:31 . 2009-09-14 12:31 1775094 ----a-w- c:\programdata\SPL8842.tmp
2009-09-10 17:30 . 2009-10-15 20:12 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 23:11 . 2009-06-28 18:46 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-06 15:28 . 2007-09-11 09:57 -------- d-----w- c:\program files\Java
2009-08-31 13:55 . 2009-10-15 20:12 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55 . 2009-10-15 20:12 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 12:39 . 2009-09-03 18:01 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-03 18:01 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 05:22 . 2009-10-15 20:12 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-15 20:12 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-15 20:12 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-15 20:12 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-22 15:12 . 2009-06-06 15:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-22 15:11 . 2009-06-06 15:42 38208 ----a-w- c:\users\Ammar\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-19 12:20 . 2009-05-24 14:30 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-08-19 12:10 . 2009-08-19 12:10 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-08-17 22:33 . 2009-08-17 22:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:07 . 2009-09-09 18:29 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-09 18:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-09 18:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-09 18:29 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-09 18:29 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-09 18:29 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-09 18:29 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-09 18:29 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-09 18:29 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-09 18:29 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-05 14:22 . 2009-10-15 20:12 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-05 14:22 . 2009-10-15 20:12 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-03 14:07 . 2009-08-03 14:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 14:07 . 2009-08-03 14:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 14:07 . 2009-08-03 14:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-25 04:23 . 2009-04-18 13:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-02-08 22:15 . 2008-02-08 22:15 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-09-11 17:40 . 2007-09-11 17:35 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-06 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"iLike"="c:\program files\iLike\1.2.16\ilikesidebar.exe" [2008-09-10 63024]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-08 1836544]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 290816]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
"DLCXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-24 185896]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-24 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-24 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-24 81920]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-15 4390912]

c:\users\Ammar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-6-6 95744]
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-11-4 155648]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll c:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\System32\drivers\klbg.sys [15/12/2008 20:41 33808]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [27/08/2009 16:05 92008]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\System32\drivers\klmouflt.sys [16/05/2009 20:59 19472]
S3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\System32\drivers\netr73.sys [20/08/2009 11:16 464384]
.
Contents of the 'Scheduled Tasks' folder

2009-10-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-06 19:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchURL = hxxp://internetsearchservice.com
IE: Download all links with IDM - c:\users\Ammar\AppData\Local\Temp\Rar$EX01.178\IEGetAll.htm
IE: Download FLV video content with IDM - c:\users\Ammar\AppData\Local\Temp\Rar$EX01.178\IEGetVL.htm
IE: Download with IDM - c:\users\Ammar\AppData\Local\Temp\Rar$EX01.178\IEExt.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
FF - ProfilePath - c:\users\Ammar\AppData\Roaming\Mozilla\Firefox\Profiles\2w33kq8l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DVDtoiPodConverter_upgrade - c:\program files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe
HKU-Default-RunOnce-DelayShred - c:\program files\mcafee\mshr\ShrCL.EXE
AddRemove-Warning Center - c:\program files\Applications\wcu.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2761920510-736693625-3431824637-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):d6,ea,e3,bf,6c,f6,46,9d,47,a4,15,bf,02,5c,17,e1,2d,09,05,57,c3,
73,54,1e,75,2d,68,df,d5,83,09,14,3a,e7,02,b6,62,2f,a8,b8,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-2761920510-736693625-3431824637-1000_Classes\CLSID\{d6cc81fb-0fe6-4f11-b1b6-75abc2f31ace}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000000c
"Therad"=dword:00000015
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5508)
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlcxcoms.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\commy\CF20872.exe
c:\windows\System32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\windows\System32\wscript.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\commy\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-21 12:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-21 11:53

Pre-Run: 210,580,164,608 bytes free
Post-Run: 211,239,079,936 bytes free

- - End Of File - - 24C3A70D64126281A0BB01EB7758DE8C

This is the list of installed programs:
4oD
ABBYY FineReader 6.0 Sprint
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.4
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
BBC iPlayer Desktop
Bonjour
Browser Address Error Redirector
Chinese Simplified Fonts Support For Adobe Reader 8
Dell PC Fax
Dell Photo AIO Printer 922
Dell Photo AIO Printer 926
Dell Support Center (Support Software)
Dell System Customization Wizard
DellSupport
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iLike Sidebar
Internet From BT
iTunes
Java(TM) 6 Update 15
Java(TM) SE Runtime Environment 6
Kaspersky Anti-Virus 2010
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Mozilla Firefox (3.0.14)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
NVIDIA Drivers
NVIDIANetworkDiagnostic
OGA Notifier 2.0.0048.0
Orange Preload
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Sibelius Scorch (ActiveX Only)
Sky Broadband
Sky Broadband Browser Branding
Sonic Activation Module
Sony Picture Utility
Spelling Dictionaries Support For Adobe Reader 8
Spotify
StatsDirect
Tiscali Internet
TomTom HOME 2.7.2.1825
TomTom HOME Visual Studio Merge Modules
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VideoLAN VLC media player 0.8.6d
Warning Center
Windows Media Player Firefox Plugin

By the way, the ComboFix managed to restore my internet, so I can use links and downloads now.
Thanks
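Reading a ComboFix log like the one posted above by hand is slow and easy to get wrong. The Python script below is an added example, not part of this thread and not ComboFix's own code: it parses a constructed excerpt in the shape of the log's "Reg Loading Points" and "Supplementary Scan" sections (values copied from the log above and trimmed) and surfaces the entries a helper looks at first: autostarts or browser handlers that run from a temporary folder, AppInit_DLLs entries, Security Center monitoring switched off, and the search provider setting. The regexes and the VOLATILE_DIRS list are my own assumptions about the log format and about what deserves a second look, not a published ComboFix specification.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of ComboFix's "Reg Loading Points" and
# "Supplementary Scan" sections. The values are copied from the log posted
# above and trimmed to a few lines; this is not a ComboFix format specification.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-06 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-15 4390912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll c:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

------- Supplementary Scan -------
uStart Page = hxxp://www.sky.com
mSearchURL = hxxp://internetsearchservice.com
IE: Download with IDM - c:\users\Ammar\AppData\Local\Temp\Rar$EX01.178\IEExt.htm
"""


@dataclass
class Finding:
    level: str    # "suspicious" (act on it) or "review" (confirm it is expected)
    source: str   # registry key or log line prefix the finding came from
    detail: str


KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# A Windows path: drive letter, then text up to a closing quote, a "[date size]"
# tag or end of line. Spaces are allowed because "c:\program files\..." is common.
PATH_RE = re.compile(r'[a-z]:\\[^"\[]*?(?=\s*"?\s*\[|\s*$)', re.I)
# Heuristic (mine, not ComboFix's): persistent autostarts and URL handlers
# should not point into locations that are cleared or rewritten routinely.
VOLATILE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\$recycle.bin\\")


def dword_value(data: str) -> Optional[int]:
    """Decode a REGEDIT4 'dword:XXXXXXXX' value; None for any other value type."""
    if data.lower().startswith("dword:"):
        return int(data.split(":", 1)[1], 16)
    return None


def extract_paths(line: str) -> list[str]:
    return [m.group(0).strip() for m in PATH_RE.finditer(line)]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-------"):   # section divider: leave the registry context
            current_key = ""
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            name, data = value_match.group("name"), value_match.group("data").strip()
            if name.lower() == "appinit_dlls" and data:
                # Every DLL listed here is loaded into each process that loads user32.dll.
                # Legitimate products use it too, so entries are confirmed, not auto-removed.
                findings.append(Finding("review", current_key,
                                        "AppInit_DLLs loads " + ", ".join(data.split())))
            elif ("security center\\monitoring" in current_key.lower()
                  and name.lower() == "disablemonitoring" and dword_value(data) == 1):
                # Security products set this on themselves so Security Center does not
                # double-report; flag it so the reader checks the named product is installed.
                product = current_key.rsplit("\\", 1)[-1]
                findings.append(Finding("review", current_key,
                                        "Security Center monitoring disabled for " + product))
        if line.startswith(("mSearchURL", "uSearchURL")):
            findings.append(Finding("review", "Supplementary Scan",
                                    "search provider set to " + line.split("=", 1)[1].strip()))
        for path in extract_paths(line):
            if any(d in path.lower() for d in VOLATILE_DIRS):
                source = current_key or line.split(" - ", 1)[0]
                findings.append(Finding("suspicious", source,
                                        "runs from a temporary location: " + path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level}] {f.source}: {f.detail}")
```

On the sample this yields three "review" findings (the two AppInit DLLs, the Kaspersky Security Center entry, and the mSearchURL value) and one "suspicious" finding: the IE download handler sitting under AppData\Local\Temp. The split between the two levels is deliberate: an antivirus product disabling Security Center monitoring of itself is normal and only needs a cross-check against the installed-programs list, whereas a persistent entry under a temporary folder is worth acting on.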

Re: URGENT need help on Trojan virus removal

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: Cfscriptb4i]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Re: URGENT need help on Trojan virus removal

Here's the ComboFix log:

ComboFix 09-10-20.03 - Ammar 22/10/2009 9:56.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1237 [GMT 1:00]
Running from: c:\users\Ammar\Desktop\ComboFix.exe
Command switches used :: c:\users\Ammar\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.

2009-10-22 09:01 . 2009-10-22 09:01 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2009-10-22 09:01 . 2009-10-22 09:01 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-22 09:01 . 2009-10-22 09:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-21 12:13 . 2009-10-21 12:16 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-21 11:45 . 2009-10-22 09:01 -------- d-----w- c:\users\Ammar\AppData\Local\temp
2009-10-20 16:18 . 2009-10-20 16:18 -------- d-----w- C:\Kontiki
2009-10-20 15:09 . 2009-10-20 15:09 -------- d-----w- c:\windows\system32\EventProviders
2009-10-20 11:38 . 2009-10-20 18:23 0 ----a-r- c:\windows\win32k.sys
2009-10-15 20:11 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-10-15 20:11 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-15 20:11 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-12 11:33 . 2009-10-12 11:33 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-10-02 19:04 . 2009-10-01 09:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-24 11:23 . 2009-09-24 11:23 -------- d-----w- c:\users\Ammar\AppData\Roaming\TomTom
2009-09-24 11:23 . 2009-09-24 11:23 -------- d-----w- c:\users\Ammar\AppData\Local\TomTom
2009-09-24 11:23 . 2009-09-24 11:23 -------- d-----w- c:\program files\TomTom International B.V
2009-09-24 11:23 . 2009-09-24 11:23 -------- d-----w- c:\program files\TomTom HOME 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 09:02 . 2008-04-04 14:23 -------- d-----w- c:\programdata\Kontiki
2009-10-22 08:46 . 2007-09-26 18:44 -------- d-----w- c:\program files\Dl_cats
2009-10-21 22:13 . 2009-10-21 22:13 972636 ----a-w- c:\programdata\SPLF2E3.tmp
2009-10-21 22:10 . 2009-10-21 22:10 972636 ----a-w- c:\programdata\SPLF514.tmp
2009-10-21 12:08 . 2009-06-06 11:17 -------- d-----w- c:\users\Ammar\AppData\Roaming\Spotify
2009-10-21 11:52 . 2007-10-06 11:08 -------- d-----w- c:\programdata\Google Updater
2009-10-21 11:38 . 2008-08-22 10:35 -------- d-----w- c:\program files\Applications
2009-10-20 16:08 . 2008-08-24 15:06 -------- d-----w- c:\programdata\Kaspersky Lab
2009-10-16 02:14 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-16 02:04 . 2007-09-11 10:02 -------- d-----w- c:\programdata\Microsoft Help
2009-10-14 13:11 . 2009-08-19 12:09 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-14 13:11 . 2009-08-19 12:09 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-12 11:33 . 2007-09-19 18:20 88456 ----a-w- c:\users\Ammar\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-11 21:24 . 2007-09-11 10:04 -------- d-----w- c:\program files\Microsoft Works
2009-09-25 07:38 . 2007-09-11 09:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-24 16:20 . 2007-09-11 10:10 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-24 11:20 . 2008-02-10 12:01 -------- d-----w- c:\program files\TomTom HOME
2009-09-14 17:26 . 2009-09-14 17:26 -------- d-----w- c:\program files\iLike
2009-09-14 17:26 . 2008-09-28 20:06 -------- d-----w- c:\program files\iTunes
2009-09-14 12:31 . 2009-09-14 12:31 1775094 ----a-w- c:\programdata\SPL8842.tmp
2009-09-10 17:30 . 2009-10-15 20:12 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 23:11 . 2009-06-28 18:46 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-06 15:28 . 2007-09-11 09:57 -------- d-----w- c:\program files\Java
2009-08-31 13:55 . 2009-10-15 20:12 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55 . 2009-10-15 20:12 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 12:39 . 2009-09-03 18:01 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-03 18:01 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 05:22 . 2009-10-15 20:12 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-15 20:12 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-15 20:12 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-15 20:12 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-22 15:11 . 2009-06-06 15:42 38208 ----a-w- c:\users\Ammar\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-19 12:20 . 2009-05-24 14:30 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-08-19 12:10 . 2009-08-19 12:10 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-08-17 22:33 . 2009-08-17 22:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:07 . 2009-09-09 18:29 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-09 18:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-09 18:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-09 18:29 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-09 18:29 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-09 18:29 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-09 18:29 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-09 18:29 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-09 18:29 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-09 18:29 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-05 14:22 . 2009-10-15 20:12 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-05 14:22 . 2009-10-15 20:12 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-03 14:07 . 2009-08-03 14:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 14:07 . 2009-08-03 14:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 14:07 . 2009-08-03 14:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-25 04:23 . 2009-04-18 13:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-02-08 22:15 . 2008-02-08 22:15 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-09-11 17:40 . 2007-09-11 17:35 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-10-21_11.48.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 13:05 . 2009-10-22 08:46 66190 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-09-19 18:20 . 2009-10-22 08:46 19888 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2761920510-736693625-3431824637-1000_UserData.bin
- 2007-09-19 18:13 . 2009-10-21 11:47 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-09-19 18:13 . 2009-10-22 08:49 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-09-19 18:13 . 2009-10-22 08:49 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-19 18:13 . 2009-10-21 11:47 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-19 18:13 . 2009-10-21 11:47 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-09-19 18:13 . 2009-10-22 08:49 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-21 12:13 . 2009-10-21 12:13 39424 c:\windows\Installer\18aeda.msi
+ 2007-11-28 19:43 . 2009-10-21 22:47 5992 c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2007-11-28 19:43 . 2009-10-21 11:32 5992 c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2009-10-21 11:47 . 2009-10-21 11:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-22 08:44 . 2009-10-22 08:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-22 08:44 . 2009-10-22 08:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-10-21 11:47 . 2009-10-21 11:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-10-13 20:35 . 2009-10-21 21:03 253546 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2009-10-21 12:16 . 2009-10-21 12:16 850944 c:\windows\Installer\18af16.msp
+ 2009-10-21 12:13 . 2009-10-21 12:13 170496 c:\windows\Installer\18aef8.msp
+ 2009-10-21 12:13 . 2009-10-21 12:13 162304 c:\windows\Installer\18aef2.msp
+ 2009-10-21 12:13 . 2009-10-21 12:13 189440 c:\windows\Installer\18aeec.msp
+ 2009-10-21 12:13 . 2009-10-21 12:13 217088 c:\windows\Installer\18aee6.msp
+ 2009-10-21 12:13 . 2009-10-21 12:13 375296 c:\windows\Installer\18aee0.msp
+ 2009-10-21 12:16 . 2009-10-21 12:16 9443328 c:\windows\Installer\18af10.msp
+ 2009-10-21 12:15 . 2009-10-21 12:15 2446336 c:\windows\Installer\18af0a.msp
+ 2009-10-21 12:14 . 2009-10-21 12:14 2001920 c:\windows\Installer\18aefe.msp
+ 2009-10-21 12:15 . 2009-10-21 12:15 30402560 c:\windows\Installer\18af04.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-06 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"iLike"="c:\program files\iLike\1.2.16\ilikesidebar.exe" [2008-09-10 63024]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-08 1836544]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 290816]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
"DLCXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-24 185896]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-24 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-24 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-24 81920]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-15 4390912]

c:\users\Ammar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-6-6 95744]
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-11-4 155648]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll c:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\System32\drivers\klbg.sys [15/12/2008 20:41 33808]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [27/08/2009 16:05 92008]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\System32\drivers\klmouflt.sys [16/05/2009 20:59 19472]
S3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\System32\drivers\netr73.sys [20/08/2009 11:16 464384]
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-06 19:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\users\Ammar\AppData\Local\Temp\Rar$EX01.178\IEGetAll.htm
IE: Download FLV video content with IDM - c:\users\Ammar\AppData\Local\Temp\Rar$EX01.178\IEGetVL.htm
IE: Download with IDM - c:\users\Ammar\AppData\Local\Temp\Rar$EX01.178\IEExt.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
FF - ProfilePath - c:\users\Ammar\AppData\Roaming\Mozilla\Firefox\Profiles\2w33kq8l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 10:01
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\TEMP\TMP0000006E89A27C184F2944CD

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2761920510-736693625-3431824637-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):d6,ea,e3,bf,6c,f6,46,9d,47,a4,15,bf,02,5c,17,e1,2d,09,05,57,c3,
73,54,1e,75,2d,68,df,d5,83,09,14,3a,e7,02,b6,62,2f,a8,b8,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-2761920510-736693625-3431824637-1000_Classes\CLSID\{d6cc81fb-0fe6-4f11-b1b6-75abc2f31ace}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000000c
"Therad"=dword:00000015
.
Completion time: 2009-10-22 10:03
ComboFix-quarantined-files.txt 2009-10-22 09:03
ComboFix2.txt 2009-10-21 11:53

Pre-Run: 212,215,189,504 bytes free
Post-Run: 212,242,374,656 bytes free

- - End Of File - - 8AA1F85F21AE6C4135DC9785BFF6C3A6

Here's the SecurityCheck log:

Results of screen317's Security Check version 0.99.0
Windows Vista Service Pack 1 (UAC is enabled)
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Kaspersky Anti-Virus 2010
Kaspersky Anti-Virus 2010
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

Java(TM) 6 Update 15
Java(TM) SE Runtime Environment 6
Adobe Flash Player 10
Adobe Reader 8.1.4
Chinese Simplified Fonts Support For Adobe Reader 8
``````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSASCui.exe
``````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````

Re: URGENT need help on Trojan virus removal

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Rootkit::
    c:\windows\system32\drivers\klin.dat
    c:\windows\system32\drivers\klick.dat

    File::
    c:\programdata\SPL8842.tmp
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    URGENT need help on  Trojan virus removal 2v3rg44

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: URGENT need help on Trojan virus removal

Here's the ComboFix log:

ComboFix 09-10-20.03 - Ammar 23/10/2009 18:05.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1213 [GMT 1:00]
Running from: c:\users\Ammar\Desktop\commy.exe.exe
Command switches used :: c:\users\Ammar\Desktop\CFScript.txt.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\programdata\SPL8842.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\SPL8842.tmp

.
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-23 17:11 . 2009-10-23 17:11 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2009-10-23 17:11 . 2009-10-23 17:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-23 17:11 . 2009-10-23 17:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-21 12:13 . 2009-10-21 12:16 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-21 11:45 . 2009-10-23 17:24 -------- d-----w- c:\users\Ammar\AppData\Local\temp
2009-10-20 16:18 . 2009-10-20 16:18 -------- d-----w- C:\Kontiki
2009-10-20 15:09 . 2009-10-20 15:09 -------- d-----w- c:\windows\system32\EventProviders
2009-10-20 11:38 . 2009-10-20 18:23 0 ----a-r- c:\windows\win32k.sys
2009-10-15 20:11 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-10-15 20:11 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-15 20:11 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-12 11:33 . 2009-10-12 11:33 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-10-02 19:04 . 2009-10-01 09:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-24 11:23 . 2009-09-24 11:23 -------- d-----w- c:\users\Ammar\AppData\Roaming\TomTom
2009-09-24 11:23 . 2009-09-24 11:23 -------- d-----w- c:\users\Ammar\AppData\Local\TomTom
2009-09-24 11:23 . 2009-09-24 11:23 -------- d-----w- c:\program files\TomTom International B.V
2009-09-24 11:23 . 2009-09-24 11:23 -------- d-----w- c:\program files\TomTom HOME 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 17:25 . 2008-04-04 14:23 -------- d-----w- c:\programdata\Kontiki
2009-10-23 17:24 . 2007-09-26 18:44 -------- d-----w- c:\program files\Dl_cats
2009-10-22 17:29 . 2007-10-06 11:08 -------- d-----w- c:\programdata\Google Updater
2009-10-21 22:13 . 2009-10-21 22:13 972636 ----a-w- c:\programdata\SPLF2E3.tmp
2009-10-21 22:10 . 2009-10-21 22:10 972636 ----a-w- c:\programdata\SPLF514.tmp
2009-10-21 12:08 . 2009-06-06 11:17 -------- d-----w- c:\users\Ammar\AppData\Roaming\Spotify
2009-10-21 11:38 . 2008-08-22 10:35 -------- d-----w- c:\program files\Applications
2009-10-20 16:08 . 2008-08-24 15:06 -------- d-----w- c:\programdata\Kaspersky Lab
2009-10-16 02:14 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-16 02:04 . 2007-09-11 10:02 -------- d-----w- c:\programdata\Microsoft Help
2009-10-14 13:11 . 2009-08-19 12:09 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-14 13:11 . 2009-08-19 12:09 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-12 11:33 . 2007-09-19 18:20 88456 ----a-w- c:\users\Ammar\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-11 21:24 . 2007-09-11 10:04 -------- d-----w- c:\program files\Microsoft Works
2009-09-25 07:38 . 2007-09-11 09:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-24 16:20 . 2007-09-11 10:10 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-24 11:20 . 2008-02-10 12:01 -------- d-----w- c:\program files\TomTom HOME
2009-09-14 17:26 . 2009-09-14 17:26 -------- d-----w- c:\program files\iLike
2009-09-14 17:26 . 2008-09-28 20:06 -------- d-----w- c:\program files\iTunes
2009-09-10 17:30 . 2009-10-15 20:12 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 23:11 . 2009-06-28 18:46 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-06 15:28 . 2007-09-11 09:57 -------- d-----w- c:\program files\Java
2009-08-31 13:55 . 2009-10-15 20:12 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55 . 2009-10-15 20:12 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 12:39 . 2009-09-03 18:01 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-03 18:01 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 05:22 . 2009-10-15 20:12 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-15 20:12 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-15 20:12 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-15 20:12 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-22 15:11 . 2009-06-06 15:42 38208 ----a-w- c:\users\Ammar\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-19 12:20 . 2009-05-24 14:30 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-08-19 12:10 . 2009-08-19 12:10 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-08-17 22:33 . 2009-08-17 22:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:07 . 2009-09-09 18:29 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-09 18:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-09 18:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-09 18:29 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-09 18:29 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-09 18:29 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-09 18:29 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-09 18:29 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-09 18:29 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-09 18:29 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-05 14:22 . 2009-10-15 20:12 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-05 14:22 . 2009-10-15 20:12 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-03 14:07 . 2009-08-03 14:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 14:07 . 2009-08-03 14:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 14:07 . 2009-08-03 14:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2008-02-08 22:15 . 2008-02-08 22:15 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-09-11 17:40 . 2007-09-11 17:35 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-10-21_11.48.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-11 10:17 . 2009-10-23 16:58 62122 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-23 16:58 66206 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-09-19 18:20 . 2009-10-23 16:58 19888 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2761920510-736693625-3431824637-1000_UserData.bin
+ 2007-09-19 18:13 . 2009-10-23 17:13 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-09-19 18:13 . 2009-10-21 11:47 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-09-19 18:13 . 2009-10-23 17:13 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-19 18:13 . 2009-10-21 11:47 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-19 18:13 . 2009-10-21 11:47 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-09-19 18:13 . 2009-10-23 17:13 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-09-21 17:41 . 2009-09-27 18:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-09-21 17:41 . 2009-10-23 00:36 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-09-21 17:41 . 2009-09-27 18:40 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-09-21 17:41 . 2009-10-23 00:36 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-21 17:41 . 2009-09-27 18:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-09-21 17:41 . 2009-10-23 00:36 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-21 12:13 . 2009-10-21 12:13 39424 c:\windows\Installer\18aeda.msi
- 2007-11-28 19:43 . 2009-10-21 11:32 5992 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2007-11-28 19:43 . 2009-10-21 22:47 5992 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-10-23 17:12 . 2009-10-23 17:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-21 11:47 . 2009-10-21 11:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-23 17:12 . 2009-10-23 17:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-10-21 11:47 . 2009-10-21 11:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-10-13 20:35 . 2009-10-22 23:31 253800 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2006-11-02 10:33 . 2009-10-23 17:01 599942 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-13 18:05 599942 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-13 18:05 105448 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-10-23 17:01 105448 c:\windows\System32\perfc009.dat
+ 2009-10-21 12:16 . 2009-10-21 12:16 850944 c:\windows\Installer\18af16.msp
+ 2009-10-21 12:13 . 2009-10-21 12:13 170496 c:\windows\Installer\18aef8.msp
+ 2009-10-21 12:13 . 2009-10-21 12:13 162304 c:\windows\Installer\18aef2.msp
+ 2009-10-21 12:13 . 2009-10-21 12:13 189440 c:\windows\Installer\18aeec.msp
+ 2009-10-21 12:13 . 2009-10-21 12:13 217088 c:\windows\Installer\18aee6.msp
+ 2009-10-21 12:13 . 2009-10-21 12:13 375296 c:\windows\Installer\18aee0.msp
+ 2009-10-21 12:16 . 2009-10-21 12:16 9443328 c:\windows\Installer\18af10.msp
+ 2009-10-21 12:15 . 2009-10-21 12:15 2446336 c:\windows\Installer\18af0a.msp
+ 2009-10-21 12:14 . 2009-10-21 12:14 2001920 c:\windows\Installer\18aefe.msp
+ 2009-10-21 12:15 . 2009-10-21 12:15 30402560 c:\windows\Installer\18af04.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-06 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"iLike"="c:\program files\iLike\1.2.16\ilikesidebar.exe" [2008-09-10 63024]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-08 1836544]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 290816]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
"DLCXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-24 185896]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-24 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-24 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-24 81920]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-15 4390912]

c:\users\Ammar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-6-6 95744]
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-11-4 155648]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll c:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\System32\drivers\klbg.sys [15/12/2008 20:41 33808]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [27/08/2009 16:05 92008]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\System32\drivers\klmouflt.sys [16/05/2009 20:59 19472]
S3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\System32\drivers\netr73.sys [20/08/2009 11:16 464384]
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-06 19:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\users\Ammar\AppData\Local\Temp\Rar$EX01.178\IEGetAll.htm
IE: Download FLV video content with IDM - c:\users\Ammar\AppData\Local\Temp\Rar$EX01.178\IEGetVL.htm
IE: Download with IDM - c:\users\Ammar\AppData\Local\Temp\Rar$EX01.178\IEExt.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
FF - ProfilePath - c:\users\Ammar\AppData\Roaming\Mozilla\Firefox\Profiles\2w33kq8l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 18:24
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2761920510-736693625-3431824637-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):d6,ea,e3,bf,6c,f6,46,9d,47,a4,15,bf,02,5c,17,e1,2d,09,05,57,c3,
73,54,1e,75,2d,68,df,d5,83,09,14,3a,e7,02,b6,62,2f,a8,b8,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-2761920510-736693625-3431824637-1000_Classes\CLSID\{d6cc81fb-0fe6-4f11-b1b6-75abc2f31ace}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000000c
"Therad"=dword:00000015
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3404)
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlcxcoms.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\servicing\TrustedInstaller.exe
c:\commy.exe\CF1210.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\commy.exe\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 18:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 17:27
ComboFix2.txt 2009-10-22 09:03
ComboFix3.txt 2009-10-21 11:53

Pre-Run: 212,165,545,984 bytes free
Post-Run: 212,112,547,840 bytes free

- - End Of File - - 54E14A6BAF425147FDB4285870676AA3
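When reading a ComboFix log like the one above, the two sections worth triaging first are the "Reg Loading Points" (autostart entries under the Run keys) and the "SnapShot" diff (lines prefixed `-`/`+` showing files that changed between two runs). The following parser is an added example written for this thread; it is not ComboFix's own code, and the log text it reads is a constructed sample modelled on the format above (the `EXAMPLE-PLACEHOLDER.exe` entry is invented to exercise the Temp-folder check, not something found on the poster's machine).

```python
"""Triage helper for ComboFix-style logs: autostart entries and snapshot diffs.

Added example for this thread, not ComboFix's own code. SAMPLE_LOG below is
constructed to mirror the log format posted above.
"""
import re
from collections import defaultdict

# Constructed sample (not copied verbatim from the thread). The Temp-folder
# "example" entry is a placeholder used only to show how the check fires.
SAMPLE_LOG = """\
((((((((((((((((((((((((((((( SnapShot@2009-10-21_11.48.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 13:05 . 2009-10-22 08:46 66190 c:\\windows\\System32\\WDI\\BootPerformanceDiagnostics_SystemData.bin
- 2007-09-19 18:13 . 2009-10-21 11:47 32768 c:\\windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat
+ 2007-09-19 18:13 . 2009-10-22 08:49 32768 c:\\windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat
- 2009-10-21 11:47 . 2009-10-21 11:47 2048 c:\\windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive1.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"swg"="c:\\program files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe" [2007-10-06 68856]
"example"="c:\\users\\Ammar\\AppData\\Local\\Temp\\EXAMPLE-PLACEHOLDER.exe" [2009-10-20 12345]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Windows Defender"="c:\\program files\\Windows Defender\\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" - c:\\windows\\RtHDVCpl.exe [2007-03-15 4390912]
"""

# "+ created . modified size path" / "- created . modified size path"
SNAPSHOT_RE = re.compile(
    r"^([+-]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (.+)$"
)
# "name"="value" [- resolved path] [date size]
RUN_ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: - (?P<resolved>.+?))? \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\Run)\]$", re.IGNORECASE)
# Autostarts launched from temporary folders deserve a closer look.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def parse_snapshot(text):
    """Collect snapshot lines keyed by lower-cased path, one record per sign."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = SNAPSHOT_RE.match(line)
        if m:
            sign, created, modified, size, path = m.groups()
            entries[path.lower()][sign] = {
                "created": created, "modified": modified, "size": int(size), "path": path,
            }
    return entries


def classify_snapshot(entries):
    """A path with both '-' and '+' changed; '+' alone is new; '-' alone is gone."""
    result = {"added": [], "removed": [], "changed": []}
    for path, signs in sorted(entries.items()):
        if "+" in signs and "-" in signs:
            result["changed"].append(path)
        elif "+" in signs:
            result["added"].append(path)
        else:
            result["removed"].append(path)
    return result


def parse_run_entries(text):
    """Return the entries listed under each ...\\Run key, with the path resolved."""
    entries = []
    current_key = None
    for line in text.splitlines():
        key = RUN_KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        if not line.strip():          # a blank line ends the key's block
            current_key = None
            continue
        if current_key is None:
            continue
        m = RUN_ENTRY_RE.match(line)
        if m:
            entries.append({
                "key": current_key,
                "name": m.group("name"),
                "path": m.group("resolved") or m.group("value"),
                "date": m.group("date"),
                "size": int(m.group("size")),
            })
    return entries


def temp_autostarts(entries):
    """Autostart entries whose target lives in a temporary folder."""
    return [e for e in entries if any(t in e["path"].lower() for t in TEMP_MARKERS)]


if __name__ == "__main__":
    diff = classify_snapshot(parse_snapshot(SAMPLE_LOG))
    for kind, paths in diff.items():
        print(f"{kind}: {len(paths)}")
    for e in temp_autostarts(parse_run_entries(SAMPLE_LOG)):
        print(f"review: [{e['key']}] {e['name']} -> {e['path']}")
```

The snapshot pairing is what turns the raw `-`/`+` lines into something readable: a path that appears with both signs was modified between the two ComboFix runs, which is normal for index.dat and diagnostics files but worth a second look for anything under system32 or a Run key. The Temp-folder check is one simple heuristic a helper applies by eye when reading these logs; legitimate software rarely registers an autostart from a temporary directory.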

Re: URGENT need help on Trojan virus removal

Please download Rooter to your desktop

  1. Double click it to start the tool.
  2. A Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

Re: URGENT need help on Trojan virus removal

Here's the Rooter log:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows Vista Home Edition (6.0.6001) Service Pack 1
[32_bits] - x86 Family 15 Model 107 Stepping 1, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 8.0.6001.18828
Mozilla Firefox 3.0.14 (en-GB)
.
C:\ [fixed-NTFS] .. ( Total:288 Go - Free:196 Go )
D:\ [fixed-NTFS] .. ( Total:9 Go - Free:5 Go )
E:\ [CD_Rom]
G:\ [Removable]
H:\ [Removable]
I:\ [Removable]
J:\ [Removable]
K:\ [Removable]
.
Scan : 21:38.41
Path : C:\Users\Ammar\Desktop\Rooter.exe
User : Ammar ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ \SystemRoot\System32\smss.exe (536)
______ C:\Windows\system32\csrss.exe (612)
______ C:\Windows\system32\wininit.exe (664)
______ C:\Windows\system32\csrss.exe (672)
______ C:\Windows\system32\services.exe (708)
______ C:\Windows\system32\lsass.exe (724)
______ C:\Windows\system32\lsm.exe (732)
______ C:\Windows\system32\winlogon.exe (776)
______ C:\Windows\system32\svchost.exe (924)
______ C:\Windows\system32\svchost.exe (1012)
______ C:\Windows\System32\svchost.exe (1052)
______ C:\Windows\System32\svchost.exe (1140)
______ C:\Windows\System32\svchost.exe (1184)
______ C:\Windows\system32\svchost.exe (1200)
Locked audiodg.exe (1276)
______ C:\Windows\system32\svchost.exe (1320)
______ C:\Windows\system32\SLsvc.exe (1336)
______ C:\Windows\system32\svchost.exe (1372)
______ C:\Windows\system32\svchost.exe (1588)
______ C:\Windows\System32\spoolsv.exe (1844)
______ C:\Windows\system32\svchost.exe (1868)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (936)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1264)
______ C:\Windows\system32\dlcxcoms.exe (1432)
______ C:\Program Files\Kontiki\KService.exe (1596)
______ C:\Windows\system32\svchost.exe (932)
______ C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (840)
______ C:\Program Files\Dell Support Center\bin\sprtsvc.exe (2188)
______ C:\Windows\system32\svchost.exe (2208)
______ C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (2232)
______ C:\Windows\System32\svchost.exe (2272)
______ C:\Windows\system32\SearchIndexer.exe (2304)
______ C:\Windows\system32\WUDFHost.exe (2820)
______ C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe (2972)
______ C:\Windows\system32\taskeng.exe (3320)
______ C:\Windows\system32\Dwm.exe (3676)
______ C:\Windows\system32\taskeng.exe (2856)
______ C:\Program Files\Windows Defender\MSASCui.exe (3568)
______ C:\Windows\RtHDVCpl.exe (3552)
______ C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (3480)
______ C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (3528)
______ C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe (2808)
______ C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe (256)
______ C:\Program Files\Dell Photo AIO Printer 926\memcard.exe (248)
______ C:\Program Files\Common Files\Real\Update_OB\realsched.exe (268)
______ C:\Program Files\Dell Support Center\bin\sprtcmd.exe (252)
______ C:\Program Files\iTunes\iTunesHelper.exe (3812)
______ C:\Windows\System32\rundll32.exe (3056)
______ C:\Program Files\Kontiki\KHost.exe (3420)
______ C:\Program Files\Java\jre6\bin\jusched.exe (2472)
______ C:\Windows\System32\rundll32.exe (156)
______ C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe (2796)
______ C:\Program Files\DellSupport\DSAgnt.exe (904)
______ C:\Windows\ehome\ehtray.exe (2920)
______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (3172)
______ C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (3440)
______ C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (3496)
______ C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (3288)
______ C:\Windows\ehome\ehmsas.exe (1520)
______ C:\Windows\system32\wuauclt.exe (3820)
______ C:\Program Files\iPod\bin\iPodService.exe (4420)
______ C:\Windows\Explorer.exe (3404)
______ C:\Windows\System32\mobsync.exe (4900)
______ C:\Windows\system32\SearchProtocolHost.exe (5084)
______ C:\Windows\system32\SearchFilterHost.exe (5268)
______ C:\Windows\system32\SearchProtocolHost.exe (1680)
______ C:\Windows\system32\DllHost.exe (1084)
______ C:\Windows\system32\DllHost.exe (6032)
______ C:\Users\Ammar\Desktop\Rooter.exe (5440)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:57544704)
\Device\Harddisk0\Partition2 (Start_Offset:57671680 | Length:10737418240)
\Device\Harddisk0\Partition3 --[ MBR ]-- (Start_Offset:10795089920 | Length:309276442624)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Google Software Updater.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 21:38.44
.
C:\Rooter$\Rooter_2.txt - (23/10/2009 | 21:38.44)

Re: URGENT need help on Trojan virus removal

Please download F-Secure's Blacklight from F-Secure.com

  • Save it to your Desktop
  • Double-click blbeta.exe then accept the agreement.
  • click > scan then > next,
  • You'll see a list of all items found.
  • Don't choose for rename yet! I want to see the log first, because legit items can also be present there...
  • There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
  • Post the contents of the log in your next reply.

Re: URGENT need help on Trojan virus removal

Here's the Blacklight log:

10/24/09 18:47:21 [Info]: BlackLight Engine 2.2.1092 initialized
10/24/09 18:47:21 [Info]: OS: 6.0 build 6001 (Service Pack 1)
10/24/09 18:47:21 [Note]: 7019 4
10/24/09 18:47:21 [Note]: 7005 0
10/24/09 18:47:24 [Note]: 7006 0
10/24/09 18:47:24 [Note]: 7027 0
10/24/09 18:47:24 [Note]: 7035 0
10/24/09 18:47:24 [Note]: 7026 0
10/24/09 18:47:24 [Note]: 7026 0
10/24/09 18:47:26 [Note]: FSRAW library version 1.7.1024
10/24/09 18:48:30 [Note]: 4015 1438
10/24/09 18:48:30 [Note]: 4027 1438 65536
10/24/09 18:48:30 [Note]: 4020 1389 65536
10/24/09 18:48:30 [Note]: 4018 1389 65536
10/24/09 19:03:06 [Note]: 7007 0

It did, however, say at the end that no hidden items were found

Re: URGENT need help on Trojan virus removal

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: URGENT need help on Trojan virus removal

Here's the Malwarebytes log:
Malwarebytes' Anti-Malware 1.41
Database version: 3029
Windows 6.0.6001 Service Pack 1

25/10/2009 14:08:22
mbam-log-2009-10-25 (14-08-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 251380
Time elapsed: 53 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Antivirus (Rogue.AntiVirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\(default) (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\(default) (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\System32\377186 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\Windows\System32\cngaudit.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Users\Ammar\Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Ammar\Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Ammar\Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Windows\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
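
As an added example (not from the thread, and not Malwarebytes' own code), a parser for the MBAM 1.x log layout shown above: it cross-checks the header counts against the entries actually listed, and pulls out the search-page hijack values and the pop-up allow-list domains the infection added, which is what a responder needs to triage from such a log. The sample log embedded in the code is a constructed excerpt in the same layout.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log (added example for this thread, not
Malwarebytes' or the forum's code); SAMPLE_LOG is a constructed excerpt in that layout."""
import re
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 1
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Antivirus (Rogue.AntiVirus) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.example.invalid (Trojan.Zlob) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\(default) (Hijack.SearchPage) -> Bad: (http://search.example.invalid/search?q=%s) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files (x86)\Example\bad.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# Items may contain "(default)" or "(x86)": the non-greedy item stops at the first "(family)" after which the rest still parses.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\)"
                      r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
                      r" -> (?P<action>.+?)\.$")

def parse_mbam_log(text):
    """Return {'summary': {section: count}, 'findings': {section: [entry dicts]}}."""
    summary, findings, section = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SUMMARY_RE.match(line):
            summary[m["name"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section, findings[m["name"]] = m["name"], []
        elif section and (m := ENTRY_RE.match(line)):  # blank and "(No malicious...)" lines fall through
            findings[section].append(m.groupdict())
    return {"summary": summary, "findings": findings}

def verify_counts(parsed):
    """Sections whose header count disagrees with the entries actually listed."""
    found = {s: len(v) for s, v in parsed["findings"].items()}
    return {s: (n, found.get(s, 0)) for s, n in parsed["summary"].items() if n != found.get(s, 0)}

def hijacked_urls(parsed):
    """(registry item, bad value, expected value) for each search-page hijack."""
    return [(e["item"], e["bad"], e["good"]) for v in parsed["findings"].values() for e in v if e["bad"] is not None]

def popup_allow_domains(parsed):
    """Domains the infection added to IE's 'New Windows\\Allow' pop-up allow list."""
    return sorted(e["item"].rsplit("\\", 1)[1] for v in parsed["findings"].values()
                  for e in v if "\\New Windows\\Allow\\" in e["item"])
```

A count mismatch from verify_counts means the pasted log was truncated or edited, so the entries should be re-requested before acting on them.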

Re: URGENT need help on Trojan virus removal

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u


This will also reset your restore points.

How is the machine running now?

Re: URGENT need help on Trojan virus removal

When I try and enter the text, it says Windows can't find 'ComboFix' even though it's saved to my desktop

Re: URGENT need help on Trojan virus removal

Oops, dw, managed to work it ;)
Everything seems to be running fine now, I think the virus has been deleted.
Thx so much for your help :) ...
