Hey,
I've been trying to deal with this damn trojan program for the past four hours. ComboFix did the job of getting rid of it... at least I think it did; however, now I'm left with two things: the report below and the fact that I think a major file is damaged, as now every program says 'Illegal operation attempted on a registry key that has been marked for deletion.'
I thought I could cope with dealing with this but now realise I'm sort of screwed. If anyone has a spare minute and might know what I should do next, please let me know.
I don't want to give up and reboot my machine; someone recommended downloading MGtools to try and see what might be damaged. Would anyone agree?
Thank you for any advice.
David
ComboFix 10-02-12.01 - David 13/02/2010 14:01:48.1.1 - x86
Microsoft Windows Vista Home Basic 6.0.6001.1.1252.44.1033.18.2008.1042 [GMT 0:00]
Running from: H:\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1926248432-2299047243-2415942083-500
c:\program files\InternetSecurity2010
c:\program files\InternetSecurity2010\IS2010.exe
C:\s
c:\users\King David\AppData\Local\av.exe
c:\users\King David\AppData\Local\Microsoft\Windows\Temporary Internet Files\BM88xl.jpg
c:\users\King David\AppData\Local\Microsoft\Windows\Temporary Internet Files\mx25A6mnk.jpg
c:\users\King David\AppData\Local\Microsoft\Windows\Temporary Internet Files\udRemove.exe
c:\users\King David\AppData\Local\Microsoft\Windows\Temporary Internet Files\y843aP.jpg
c:\users\King David\AppData\Local\Microsoft\Windows\Temporary Internet Files\YbOnBa5nX.jpg
c:\users\King David\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
c:\users\King David\AppData\Roaming\Microsoft\Windows\Start Menu\Internet Security 2010.lnk
c:\windows\system32\404Fix.exe
c:\windows\system32\41.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\an99qdenr.dll
c:\windows\system32\drivers\vzivvqfa.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\flags.ini
c:\windows\system32\helper32.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\kbdsock.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\mshlps.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\oem5.inf
c:\windows\system32\Process.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\smss32.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\uses32.dat
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\warning.html
c:\windows\system32\winlogon32.exe
c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_vzivvqfa
-------\Service_vzivvqfa
((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.
2010-02-13 14:12 . 2010-02-13 14:14 -------- d-----w- c:\users\King David\AppData\Local\temp
2010-02-13 14:12 . 2010-02-13 14:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-13 13:58 . 2010-02-13 13:58 -------- dc----w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-13 13:52 . 2010-02-13 13:52 -------- d-----w- C:\32788R22FWJFW
2010-02-13 13:06 . 2010-02-13 13:24 35 ----a-w- c:\users\King David\AppData\Roaming\SetValue.bat
2010-02-13 13:05 . 2010-02-13 13:07 -------- d-----w- c:\windows\system32\SmitfraudFix
2010-02-13 12:41 . 2010-02-13 12:41 -------- d--h--w- c:\windows\PIF
2010-02-13 12:30 . 2010-02-13 12:30 0 ----a-w- c:\windows\nsreg.dat
2010-02-06 20:07 . 2010-02-06 20:07 53760 ----a-w- c:\windows\system32\drivers\SSHDRV76.sys
2010-02-06 19:38 . 2010-02-06 20:13 -------- d-----w- c:\program files\Ascaron Entertainment
2010-01-23 10:36 . 2010-01-23 10:36 -------- d-----w- c:\program files\SmartUndelete
2010-01-22 18:41 . 2010-01-22 18:41 -------- d-----w- c:\users\King David\AppData\Roaming\JGsoft
2010-01-22 18:41 . 2010-01-22 18:41 -------- d-----w- c:\program files\JGsoft
2010-01-22 18:41 . 2009-12-16 03:30 66800 ----a-w- c:\windows\UnDeployV.exe
2010-01-16 16:05 . 2010-01-16 16:05 -------- d-----w- c:\program files\Black Isle
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 14:15 . 2009-12-28 01:59 -------- d-----w- c:\users\King David\AppData\Roaming\uTorrent
2010-02-13 14:14 . 2010-02-13 13:57 -------- d-----w- c:\program files\Spyware Doctor
2010-02-13 13:57 . 2010-02-13 13:57 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-13 13:57 . 2010-02-13 13:57 -------- d-----w- c:\users\King David\AppData\Roaming\PC Tools
2010-02-13 13:57 . 2010-02-13 13:57 -------- d-----w- c:\programdata\PC Tools
2010-02-13 13:24 . 2010-02-13 13:06 691 ----a-w- c:\users\King David\AppData\Roaming\GetValue.vbs
2010-02-11 17:05 . 2009-12-24 00:48 -------- d-----w- c:\users\King David\AppData\Roaming\vlc
2010-02-06 18:41 . 2009-12-27 22:39 -------- d-----w- c:\users\King David\AppData\Roaming\PCF-VLC
2010-01-31 22:13 . 2009-08-25 14:05 6714 ----a-w- c:\users\King David\AppData\Roaming\wklnhst.dat
2010-01-26 21:10 . 2009-10-04 16:14 -------- d-----w- c:\program files\Lx_cats
2010-01-23 20:17 . 2009-08-28 19:04 -------- d-----w- c:\users\King David\AppData\Roaming\dvdcss
2010-01-16 16:05 . 2009-08-16 21:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-16 16:05 . 2009-08-16 21:42 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-16 15:09 . 2010-01-05 13:14 -------- d-----w- c:\program files\Activision
2010-01-04 03:22 . 2010-01-04 03:22 -------- d-----w- c:\program files\Sierra
2010-01-02 19:12 . 2010-01-01 23:43 -------- d-----w- c:\program files\Soldier of Fortune II - Double Helix
2010-01-02 19:11 . 2009-12-25 00:07 -------- d-----w- c:\program files\Paradox Interactive
2009-12-31 14:53 . 2009-12-26 02:49 -------- d-----w- c:\program files\Firefly Studios
2009-12-28 10:39 . 2009-12-28 10:39 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-28 01:59 . 2009-12-28 01:59 -------- d-----w- c:\program files\uTorrent
2009-12-28 01:39 . 2009-12-28 01:18 -------- d-----w- c:\program files\Empire - Total War
2009-12-27 19:58 . 2009-12-27 19:58 -------- d-----w- c:\program files\Sierra On-Line
2009-12-27 19:38 . 2009-12-27 19:38 -------- d-----w- c:\program files\Alcohol Soft
2009-12-27 19:34 . 2009-12-27 19:34 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-26 02:14 . 2009-12-26 02:14 -------- d-----w- c:\users\King David\AppData\Roaming\gtk-2.0
2009-12-26 02:03 . 2009-12-26 02:03 -------- d-----w- c:\users\King David\AppData\Roaming\Participatory Culture Foundation
2009-12-26 02:02 . 2009-12-26 02:02 -------- d-----w- c:\program files\Participatory Culture Foundation
2009-12-26 00:41 . 2009-12-26 00:41 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-12-26 00:41 . 2009-12-26 00:41 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-12-02 12:29 . 2009-12-02 12:29 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2009-08-16 22:00 . 2009-08-16 22:00 75 --sh--r- c:\windows\CT4CET.bin
2009-08-17 00:02 . 2009-04-11 19:01 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-12-28 289584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-05-08 1516840]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-05-11 483428]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-05-10 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-05-10 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-05-10 150552]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-21 3810304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-04-24 250192]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 20480]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Users^King David^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\King David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 12:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 04:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-02-05 02:26 128232 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-22 19:05 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_SZ c:\windows\system32\mshlps.dll
R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [13/02/2010 13:57 207792]
R1 SSHDRV76;SSHDRV76;c:\windows\System32\drivers\SSHDRV76.sys [06/02/2010 20:07 53760]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\AEstSrv.exe [17/08/2009 00:07 81920]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [13/02/2010 13:57 112592]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [18/12/2008 19:05 155648]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
R2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxdcserv.exe [25/05/2007 08:38 99248]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [13/02/2010 13:57 359624]
R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [21/01/2008 02:33 21504]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\System32\drivers\CtClsFlt.sys [16/08/2009 21:59 144128]
--- Other Services/Drivers In Memory ---
*Deregistered* - PCTSDInjDriver32
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
yksvcs REG_MULTI_SZ yksvc
.
Contents of the 'Scheduled Tasks' folder
2010-02-12 c:\windows\Tasks\User_Feed_Synchronization-{3F0A56F2-8589-49CB-9DFD-A6CCBA74D102}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:34]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
FF - ProfilePath - c:\users\King David\AppData\Roaming\Mozilla\Firefox\Profiles\z20p6oa2.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
- - - - ORPHANS REMOVED - - - -
BHO-{A3BA40A2-74F0-42BD-F434-00B15A2C8953} - c:\windows\system32\an99qdenr.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Remote System Protection - c:\windows\system32\an99qdenr.dll
HKCU-Run-smss32.exe - c:\windows\system32\smss32.exe
SharedTaskScheduler-{A3BA40A2-74F0-42BD-F434-00B15A2C8953} - c:\windows\system32\an99qdenr.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-13 14:15
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys iastor.sys spza.sys hal.dll >>UNKNOWN [0x84D51938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8819f322
\Driver\ACPI -> acpi.sys @ 0x805b1d68
\Driver\iaStor -> iastor.sys @ 0x87c505a0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(3912)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\timedate.cpl
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\lxdccoms.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-02-13 14:19:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-13 14:19
Pre-Run: 92,515,819,520 bytes free
Post-Run: 96,578,150,400 bytes free
- - End Of File - - 86997278D80E2BD9A360DB6AAC27320D
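The log above is worth reading against itself rather than only top to bottom: the "Other Deletions" section says ComboFix removed c:\windows\system32\mshlps.dll, yet the "Reg Loading Points" section still lists that same DLL under the session manager AppCertDlls key, the Supplementary Scan still shows the rogue "Internet Security 2010" purchase domains in the IE Trusted Zone, and EnableLUA is 0 (UAC off). The script below is an added triage helper, not part of the post and not ComboFix's own code; it parses a ComboFix-style report into sections and flags exactly those three kinds of leftover. The embedded SAMPLE_LOG is a constructed excerpt in the shape of the posted report, and the section names and regular expressions are assumptions based on that report's layout, not a published ComboFix format.

```python
"""Triage helper for a ComboFix-style log (added example, not ComboFix code).

Cross-references the paths ComboFix reports as deleted against the
registry loading points it still lists, and pulls out IE Trusted Zone
domains and the UAC (EnableLUA) setting, so leftovers stand out.
Section names and regexes are assumptions derived from the posted log.
"""
import re

# Constructed sample: an excerpt in the shape of the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\InternetSecurity2010\IS2010.exe
c:\windows\system32\an99qdenr.dll
c:\windows\system32\mshlps.dll
c:\windows\system32\smss32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_SZ c:\windows\system32\mshlps.dll
.
------- Supplementary Scan -------
.
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: buy-internetsecurity10.com
FF - prefs.js: browser.search.selectedEngine - Ask
"""

# Section banners look like "((((( Name )))))" or "------- Name -------".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$|^-{3,}\s*(.+?)\s*-{3,}$")
KEY_RE = re.compile(r"^\[(.+)\]$")
# A Windows path ending in an executable-ish extension (case-insensitive).
PATH_RE = re.compile(r"[a-z]:\\[^\"\[\]]+?\.(?:exe|dll|sys)", re.IGNORECASE)
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)$")
LUA_OFF_RE = re.compile(r'^"EnableLUA"\s*=\s*0\b')


def split_sections(text):
    """Map each section banner's title to the non-empty lines beneath it."""
    sections = {"preamble": []}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            sections.setdefault(current, [])
            continue
        if line in ("", "."):  # ComboFix pads sections with lone dots
            continue
        sections[current].append(line)
    return sections


def deleted_paths(sections):
    """Lower-cased set of everything listed under 'Other Deletions'."""
    return {p.lower() for p in sections.get("Other Deletions", [])}


def registry_path_references(sections):
    """(registry key, file path) pairs for every path under a loading point."""
    refs, key = [], None
    for line in sections.get("Reg Loading Points", []):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        for path in PATH_RE.findall(line):
            refs.append((key, path))
    return refs


def trusted_zone_domains(sections):
    """Distinct Trusted Zone domains in the order first seen."""
    seen = []
    for line in sections.get("Supplementary Scan", []):
        m = TRUSTED_RE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def uac_disabled(sections):
    return any(LUA_OFF_RE.match(l) for l in sections.get("Reg Loading Points", []))


def triage(text):
    """Flag loading points whose target was deleted, plus zone/UAC leftovers."""
    sections = split_sections(text)
    gone = deleted_paths(sections)
    dangling = [(k, p) for k, p in registry_path_references(sections)
                if p.lower() in gone]
    return {
        "dangling_autostart": dangling,
        "trusted_zone_domains": trusted_zone_domains(sections),
        "uac_disabled": uac_disabled(sections),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run it against a saved ComboFix.txt by reading the file into `triage()` instead of SAMPLE_LOG. A dangling entry under AppCertDlls is one to clean up by hand (the key references a DLL that no longer exists), and the Trusted Zone domains are the rogue product's own purchase sites, which no legitimate setup would have added.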