Do I have a malware?

[dansuleman]

Hello,

My PC hard disk tend to have this continouns whirring sound (like a program(s) constantly running) even when I don't have many programs opened. Might just have the browser opened and surfing. Though I have scanned with my anti-virus (Kaspersky) which has not detected anything, I just wondered whether I might have a malware that has not been detected by my anti-virus.

I have my original windows install disc.

Many thanks.
Dan

DDS.txt below

DDS (Ver_09-10-26.01) - NTFSx86
Run by kay at 18:56:49.20 on 29/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.532 [GMT 0:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Betting Assistant\AUClient.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Macrium\Reflect\ReflectService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Documents and Settings\kay\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://espn.go.com/motion/detect.html
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [<NO NAME>]
mRun: [avp] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [UIExec] "c:\program files\t-mobile mobile broadband manager\UIExec.exe"
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~2\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kay\applic~1\mozilla\firefox\profiles\xml8ew1j.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\kay\application data\mozilla\firefox\profiles\xml8ew1j.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\kay\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBTEmailConfig.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 is-P7DI0drv;is-P7DI0drv;c:\windows\system32\drivers\71094298.sys [2009-4-22 148496]
R2 Gruss Software Ltd: Betting Assistant update permissions manager. 30256.;Gruss Software Ltd: Betting Assistant update permissions manager. 30256.;c:\program files\betting assistant\auclient.exe -permissionmanagerrun --> c:\program files\betting assistant\AUClient.exe -PermissionManagerRun [?]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-7-4 47640]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2009-8-25 220128]
R2 UI Assistant Service;UI Assistant Service;c:\program files\t-mobile mobile broadband manager\AssistantServices.exe [2009-10-26 241664]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2008-12-17 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2008-12-17 3072]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-10-26 9728]
S3 utqymty0;AVZ Kernel Driver;\??\c:\windows\system32\drivers\utqymty0.sys --> c:\windows\system32\drivers\utqymty0.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-10-29 1541 0 d-----w- c:\program files\common files\Motive
2009-10-29 15:05:59 0 d-----w- c:\program files\BT Broadband Desktop Help
2009-10-29 15:05:44 0 d-----w- c:\program files\Citrix
2009-10-29 15:03:46 65536 ----a-w- c:\windows\system32\YCRWin32.dll
2009-10-29 15:03:40 84992 ----a-w- c:\windows\system32\ATL70.DLL
2009-10-29 15:03:40 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-10-29 15:03:09 0 d-----w- c:\program files\Yahoo!
2009-10-29 15:00:28 0 d-----w- c:\program files\BTHomeHub
2009-10-26 23:23:45 7070 ----a-w- C:\NetworkCfg.xml
2009-10-26 23:02:48 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-10-26 23:02:48 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-26 22:59:28 105344 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
2009-10-26 22:59:28 104960 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
2009-10-26 22:58:48 9728 ----a-w- c:\windows\system32\drivers\massfilter.sys
2009-10-26 22:58:48 104960 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2009-10-26 22:58:43 0 d-----w- c:\docume~1\kay\applic~1\Program Files
2009-10-26 22:58:36 8464 ----a-w- c:\windows\system32\sporder.dll
2009-10-26 22:58:36 22528 ----a-w- c:\windows\system32\drivers\BMLoad.sys
2009-10-26 22:58:36 18816 ----a-w- c:\windows\system32\drivers\tcpipBM.sys
2009-10-26 22:58:35 719360 ----a-w- c:\windows\system32\bmutil.dll
2009-10-26 22:58:35 471040 ----a-w- c:\windows\system32\bmnet.dll
2009-10-26 22:58:35 294912 ----a-w- c:\windows\system32\bminstall.dll
2009-10-26 22:58:35 126976 ----a-w- c:\windows\system32\bmdumpd.bin
2009-10-26 22:58:27 0 d-----w- c:\windows\system32\SupportAppCB
2009-10-26 22:58:24 0 d-----w- c:\program files\T-Mobile Mobile Broadband Manager
2009-10-25 18:38:44 52816 ----a-w- C:\w7jf_9k3_
2009-10-25 18:38:03 310344 ----a-w- C:\instbiterscr2.exe
2009-10-25 18:37:52 22 ----a-w- C:\k98l_mp_biterScripting
2009-10-21 17:50:38 0 d-----w- c:\program files\The Geek
2009-10-15 10:12:08 0 d-----w- c:\docume~1\kay\applic~1\Any DVD Converter Professional
2009-10-15 10:12:05 0 d-----w- c:\program files\Any DVD Converter Professional
2009-10-08 14:36:24 0 d-----w- c:\docume~1\kay\applic~1\FastStone
2009-10-08 14:21:55 0 d-----w- c:\program files\FastStone Image Viewer
2009-10-03 09:03:02 0 d-----w- c:\program files\NCH Software
2009-10-03 09:01:07 0 d-----w- c:\program files\NCH Swift Sound

==================== Find3M ====================

2009-10-29 18:56:55 319888160 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-29 11:08:44 4271720 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-14 14:35:58 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-14 14:35:57 95259 ----a-w- c:\windows\system32\drivers\klick.dat

============= FINISH: 18:57:19.10 ===============

[thewall]

Hello dansuleman Welcome to the TSF Virus/Trojan/Spyware Help forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.




After 3 days if a topic is not replied to we assume it has been abandoned and it is closed.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.








Thanks,



thewall

[dansuleman]

Hello thewall,

I have followed your instruction. Attached is the combofix report.

Many thanks

[thewall]

No problem, you're welcome.

When you run the following and post the log don't make it an attachment, just post it in the window.



Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs including TeaTimer if you have it so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:

File::
c:\windows\system32\Drivers\utqymty0.sys
Driver::
utqymty0

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[dansuleman]

Done as advised. Text below. Thanks.

ComboFix 09-10-30.01 - kay 01/11/2009 16:25.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.591 [GMT 0:00]
Running from: c:\documents and settings\kay\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kay\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\windows\system32\Drivers\utqymty0.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UTQYMTY0
-------\Service_utqymty0


((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-10-31 19:23 . 2007-12-13 20:13 17264 ----a-w- c:\windows\system32\drivers\mprifl.sys
2009-10-31 19:23 . 2009-10-31 19:23 -------- d-----w- c:\program files\My Lockbox
2009-10-30 10:29 . 2009-10-30 10:29 -------- d-----w- c:\program files\RebelBetting
2009-10-29 15:11 . 2009-10-29 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-29 15:09 . 2009-10-29 15:09 -------- d-----w- c:\documents and settings\kay\Application Data\Motive
2009-10-29 15:06 . 2009-10-30 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-10-29 15:06 . 2009-10-29 15:07 -------- d-----w- c:\program files\Common Files\Motive
2009-10-29 15:05 . 2009-10-29 15:05 -------- d-----w- c:\program files\BT Broadband Desktop Help
2009-10-29 15:05 . 2009-10-29 15:05 -------- d-----w- c:\program files\Citrix
2009-10-29 15:03 . 2001-10-11 11:26 65536 ----a-w- c:\windows\system32\YCRWin32.dll
2009-10-29 15:03 . 2002-01-05 07:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-10-29 15:03 . 2002-01-05 06:18 84992 ----a-w- c:\windows\system32\ATL70.DLL
2009-10-29 15:03 . 2009-10-29 15:10 -------- d-----w- c:\program files\Yahoo!
2009-10-29 15:00 . 2009-10-29 15:00 -------- d-----w- c:\program files\BTHomeHub
2009-10-26 23:02 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-10-26 23:02 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-26 22:59 . 2009-05-22 09:04 105344 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
2009-10-26 22:59 . 2009-05-22 09:04 104960 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
2009-10-26 22:58 . 2009-05-22 09:04 9728 ----a-w- c:\windows\system32\drivers\massfilter.sys
2009-10-26 22:58 . 2009-05-22 09:04 104960 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2009-10-26 22:58 . 2009-10-26 22:58 -------- d-----w- c:\documents and settings\kay\Application Data\Program Files
2009-10-26 22:58 . 2009-05-22 09:08 8464 ----a-w- c:\windows\system32\sporder.dll
2009-10-26 22:58 . 2009-05-22 09:08 22528 ----a-w- c:\windows\system32\drivers\BMLoad.sys
2009-10-26 22:58 . 2009-05-22 09:08 18816 ----a-w- c:\windows\system32\drivers\tcpipBM.sys
2009-10-26 22:58 . 2009-05-22 09:08 719360 ----a-w- c:\windows\system32\bmutil.dll
2009-10-26 22:58 . 2009-05-22 09:08 294912 ----a-w- c:\windows\system32\bminstall.dll
2009-10-26 22:58 . 2009-05-22 09:08 126976 ----a-w- c:\windows\system32\bmdumpd.bin
2009-10-26 22:58 . 2009-05-22 09:08 471040 ----a-w- c:\windows\system32\bmnet.dll
2009-10-26 22:58 . 2009-10-26 22:58 -------- d-----w- c:\windows\system32\SupportAppCB
2009-10-26 22:58 . 2009-10-26 23:03 -------- d-----w- c:\program files\T-Mobile Mobile Broadband Manager
2009-10-25 18:38 . 2009-10-25 18:40 310344 ----a-w- C:\instbiterscr2.exe
2009-10-22 20:58 . 2009-10-22 20:58 -------- d-----w- c:\documents and settings\kay\Local Settings\Application Data\Opera
2009-10-22 20:57 . 2009-10-22 20:58 -------- d-----w- c:\program files\Opera
2009-10-21 17:50 . 2009-10-21 17:50 -------- d-----w- c:\program files\The Geek
2009-10-18 18:03 . 2009-10-18 18:07 -------- d-----w- c:\documents and settings\kay\Local Settings\Application Data\Temp
2009-10-18 18:03 . 2009-10-18 18:07 -------- d-----w- c:\documents and settings\kay\Local Settings\Application Data\Google
2009-10-15 10:12 . 2009-10-15 10:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-15 10:12 . 2009-10-15 10:12 -------- d-----w- c:\documents and settings\kay\Application Data\Any DVD Converter Professional
2009-10-15 10:12 . 2009-10-15 10:12 -------- d-----w- c:\program files\Any DVD Converter Professional
2009-10-08 14:36 . 2009-10-08 14:36 -------- d-----w- c:\documents and settings\kay\Application Data\FastStone
2009-10-08 14:21 . 2009-10-08 14:22 -------- d-----w- c:\program files\FastStone Image Viewer
2009-10-03 09:03 . 2009-10-03 09:03 -------- d-----w- c:\program files\NCH Software
2009-10-03 09:01 . 2009-10-03 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-10-03 09:01 . 2009-10-03 09:01 -------- d-----w- c:\program files\NCH Swift Sound
2009-10-03 09:01 . 2009-10-03 09:01 -------- d-----w- c:\documents and settings\kay\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-01 16:42 . 2008-12-14 23:47 325034784 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-01 16:42 . 2008-12-14 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-01 16:41 . 2009-01-15 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-11-01 16:31 . 2008-12-14 23:47 4354664 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-01 16:07 . 2009-07-04 19:18 -------- d-----w- c:\program files\LogMeIn
2009-10-30 07:47 . 2009-04-22 21:49 -------- d-----w- c:\program files\Betting Assistant
2009-10-29 15:05 . 2008-12-14 23:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-29 15:05 . 2008-12-14 22:57 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-25 22:18 . 2009-08-18 22:03 -------- d-----w- c:\program files\AutoHotkey
2009-10-15 10:16 . 2009-08-26 10:10 -------- d-----w- c:\program files\Any Video Converter
2009-10-15 10:16 . 2009-08-26 10:10 -------- d-----w- c:\documents and settings\kay\Application Data\Any Video Converter
2009-10-14 14:35 . 2008-12-14 23:48 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-14 14:35 . 2008-12-14 23:48 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-08 14:41 . 2009-02-21 09:59 -------- d-----w- c:\documents and settings\kay\Application Data\Corel
2009-10-08 14:40 . 2009-02-21 09:59 848 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-04 07:54 . 2009-04-06 21:14 -------- d-----w- c:\documents and settings\kay\Application Data\Spotify
2009-09-27 14:57 . 2009-09-07 16:12 -------- d-----w- c:\program files\BetFairAndSquare Exchange Simulator
2009-09-27 12:46 . 2009-09-27 12:46 -------- d-----w- c:\program files\Macrium
2009-09-27 12:31 . 2009-02-05 15:59 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 14:37 . 2009-09-10 14:29 -------- d-----w- c:\program files\Spyware Doctor
2009-09-10 14:37 . 2009-09-10 14:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-09 19:20 . 2009-09-09 19:20 -------- d-----w- c:\program files\DaqBot
2009-09-07 16:09 . 2008-12-15 20:40 -------- d-----w- c:\program files\Microsoft.NET
2009-09-07 16:09 . 2009-09-07 16:06 -------- d-----w- c:\program files\Microsoft SQL Server
2009-09-07 16:09 . 2009-09-07 16:09 -------- d-----w- c:\program files\MSXML 6.0
2009-09-07 15:22 . 2009-09-07 15:21 -------- d-----w- c:\program files\SwarmSpawn
2009-09-05 07:18 . 2009-04-21 17:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-25 11:16 . 2009-08-25 11:16 32224 ----a-w- c:\windows\system32\drivers\psmounter.sys
2009-08-24 17:19 . 2009-08-24 17:19 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-08-24 17:16 . 2008-12-14 23:47 756000 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-10-31_16.20.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-01 16:31 . 2009-11-01 16:31 16384 c:\windows\Temp\Perflib_Perfdata_74c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-07-03 303376]
"flockbox"="c:\program files\My Lockbox\flockbox.exe" [2007-12-14 1071472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-10-29 15:05 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 19:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"sprtsvc_dellsupportcenter"=3 (0x3)
"ReflectService"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\KAV\\Kaspersky Internet Security 7.0.1.325\\english\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 16:29 33808]
R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [31/10/2009 19:23 17264]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [20/05/2008 08:32 15328]
R1 is-P7DI0drv;is-P7DI0drv;c:\windows\system32\drivers\71094298.sys [22/04/2009 17:58 148496]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 17:46 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [04/07/2009 19:18 47640]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [25/08/2009 11:16 220128]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30/04/2008 16:06 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [16/05/2009 19:59 19472]
S2 UI Assistant Service;UI Assistant Service;c:\program files\T-Mobile Mobile Broadband Manager\AssistantServices.exe [26/10/2009 22:58 241664]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [17/12/2008 22:52 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [17/12/2008 22:52 3072]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [26/10/2009 22:58 9728]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-484061587-2147188803-1003Core.job
- c:\documents and settings\kay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-18 18:03]

2009-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-484061587-2147188803-1003UA.job
- c:\documents and settings\kay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-18 18:03]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://espn.go.com/motion/detect.html
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\kay\Application Data\Mozilla\Firefox\Profiles\xml8ew1j.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\kay\Application Data\Mozilla\Firefox\Profiles\xml8ew1j.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\kay\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBTEmailConfig.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 16:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ASTSRV.EXE
c:\program files\Kontiki\KService.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-01 16:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-01 16:45
ComboFix2.txt 2009-10-31 16:23

Pre-Run: 81,326,231,552 bytes free
Post-Run: 81,284,644,864 bytes free

- - End Of File - - 3386A9EA40A8669ACAF0CA922A225217

[thewall]

This scan can take quite awhile to run so be patient and allow it to finish unless you think something is not right then let me know.


Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

• Open the Kaspersky WebScanner
  page.
• Click on the button on the main page.
• The program will launch and fill in the Information section on the left.
• Read the "Requirements and Limitations" then press the button.
• The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
• Once the files have been downloaded, click on the ...button.
  In the scan settings make sure the following are selected:
  • Detect malicious programs of the following categories:
    Viruses, Worms, Trojan Horses, Rootkits
    Spyware, Adware, Dialers and other potentially dangerous programs
  • Scan compound files (doesn't apply to the File scan area):
    Archives
    Mail databases
    By default the above items should already be checked.
  • Click the button, if you made any changes.
• Now under the Scan section on the left:
  
  Select My Computer
  
• The program will now start and scan your system. This will run for a while, be patient and let it finish.
• Once the scan is complete, click on View scan report
• Now, click on the Save Report as button.
• In the drop down box labeled Files of type change the type to Text file.
• Save the file to your desktop.
• Copy and paste that information in your next post.

You can refer to this animation by sundavis if needed.

[dansuleman]

Hi thewall,

I attempted to run the kaspersky Webscanner as suggested, but it wouldn't run. It gets terminated and comes up with an error message stating I already have kaspersky internet suite 8.0 (9.0) on my computer, even though I have disabled the kaspersky suite on my computer (by right-clicking the icon in the task bar and selecting "pause protection") before running the online scanner.

Thanks
Dan

[thewall]

Try running this one instead:


I'd like us to scan your machine with ESET OnlineScan

1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
   ESET OnlineScan
2. Click the button.
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   1. Click on to download the ESET Smart Installer. Save it to your desktop.
   2. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Push the Start button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push
11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Push the button.
13. Push

[dansuleman]

Hi thewall,

Scan done and contents of file copied below. Thanks.

C:\System Volume Information\_restore{2A946300-9462-4BE1-94B3-8E17FFA6F820}\RP286\A0030292.exe probably unknown NewHeur_PE virus deleted - quarantined
C:\System Volume Information\_restore{2A946300-9462-4BE1-94B3-8E17FFA6F820}\RP299\A0030586.exe probably unknown NewHeur_PE virus deleted - quarantined

[thewall]

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
• Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
• Click the Download button to the right.
• Select your Platform: "Windows".
• Select your Language: "Multi-language".
• Read the License Agreement, and then check the box that says: "Accept License Agreement".
• Click Continue and the page will refresh.
• Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
• Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

[dansuleman]

Above instructions carried out and completed.

[thewall]

Sounds good. How is everything running now?

[dansuleman]

Sounds better now - significantly reduced constant running of the hard drive. Many thanks.

Just to confirm, so did I have any malware then, and if I did, how risky was it? Just need to know so as to decide whether to change my passwords to some financial sites.

One more thing, I also have a laptop that I use sometimes and would like this analysed as well as I use it for the same thing as my PC. Should I post a new thread with regards to the laptop or post it in this thread?

Many thanks for your assistance.

[dansuleman]

Just one more thing.

The possible virus found by the ESET online scan (NewHeur_PE virus) which was then deleted - quarantined, what happens to this? Is it completly off my PC, or would it reappear later as I don't have ESET anti-virus software itself on my PC? Thanks.

[thewall]

You had a rootkit and I would suggest you go ahead and change your passwords just to be on the safe side. Always a good idea to do this on a regular basis and anytime you believe you may have been infected.

I meant to tell you in my last post that the things ESET found will be removed when we uninstall ComboFix. It will delete all the old restore points and set a new then all of those will be gone.

If everything is OK we'll clean off our tools and I have some last suggestions for you.



Uninstall Combofix

• Press the Windows Key + R on your keyboard.
• Now copy & paste the green bolded text in the run-box and click OK.
  
  ComboFix /Uninstall
  
  <Notice the space between the "x" and "/".>
  

  

• The following will implement some very important cleanup procedures as well as reset System Restore points.

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented

1. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
   Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
   Go here to check for & install updates to Microsoft applications
   Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
2. Keep your non-Microsoft applications updated as well
   Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
3. Make Internet Explorer more secure
   Click Start > Run
   Type Inetcpl.cpl & click OK
   Click on the Security tab
   Click Reset all zones to default level
   Make sure the Internet Zone is selected & Click Custom level
   In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
   Next Click OK, then Apply button and then OK to exit the Internet Properties page.
4. Install SpywareBlaster & make sure to update it regularly
   SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
   If you don't know what activex controls are, see here
   You can download SpywareBlaster from here
5. Install the MVPs hosts file, and update it regularly
   You can use the HostMan host file manager to do this automaticly if you wish.
   For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts fileNote: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
   • Click Start > Run
   • Type services.msc & click OK
   • In the list, find the service called DNS Client & double click on it.
   • On the dropdown box, change the setting from automatic to manual.
   • Click OK & then close the Services window
6. Install a-squared Free & update and scan with it regularly
   a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
   Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
7. Finally, this is very important. It is absolutely essential to keep all of your security programs up to date
   

If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum.


thewall

[dansuleman]

Hello thewall,

All steps above followed except the last one with a-squared which i downloaded and ran to scan my PC. It found some traces (tracking cookies etc), about 135. However, when I selected them to be deleted, a-squared could not delete even one of them and kept requesting I contacted the a-squared support etc for every single one of them. Anyway, I have uninstalled a-squared, not quite happy with its performance.

Many thanks for all your assistance.
Dan

[thewall]

Your are very welcome, glad we could be of help. Since this issue appears to be resolved ... this Topic has been closed.

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.