Author Topic: Bagle rootkit clean up, final steps (Read 4066 times)

saneiac · « **on:** April 12, 2009, 12:56:56 AM »

I was recently infected with a rootkit Bagle variant. I believe I managed to remove it using ComboFix, and have reinstalled my anti-virus, but I have a few things I still want to verify.

1. Obviously, is it completely removed?
2. This rootkit modifies regitry entries to disable booting up in safe mode. I have not tried to fix this. How can I fix it, and how can I verify it is fixed? I have no access to safe mode even under normal circumstances, as this is a company computer, and they will not give out the password.
3. My hosts file now includes a huge list of websites with a comment that they were added by Spybot S&D. I have not seen this before, but it may be something new from Spybot. Are these valid?
4. A minor thing. Combofix changed the date format of the tooltip when I hover over the time/date item on my taskbar, and I can't find how to change it back.

Here is my HijackThis log. I can also post my original ComboFix log from the cleanup if anyone is interested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:32, on 2009-04-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\GECONT~1\DATAHI~1\DataHistorian.exe
C:\PROGRA~1\GECONT~1\SDB_SE~2\DBServer.exe
C:\Program Files\GE Energy\EgdCfgServer\EgdCfgServer.exe
C:\Program Files\ENDFORCE\AgentAPI.exe
C:\Program Files\Fiberlink\Extend360\WENGINE\wmonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LckFldService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\GE Energy\WorkstationST Features\WorkstationSTservice.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\GE Energy\WorkstationST Features\GeCssOpcAEServer.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\CYBERL~1\POWERD~1\PDVDDX~1.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFTray.exe
C:\Program Files\ENDFORCE\AgntTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\GE Energy\WorkstationST Features\WorkstationStatusMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\system32\SCTOOL~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\PROGRA~1\CYBERL~1\POWERD~1\PDVDDX~1.EXE"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SCFTrayStartUp] C:\Program Files\Sophos\Sophos Client Firewall\SCFTray.exe
O4 - HKLM\..\Run: [ENDFORCEAgent] "C:\Program Files\ENDFORCE\AgntTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Workstation Status Monitor.lnk = C:\Program Files\GE Energy\WorkstationST Features\WorkstationStatusMonitor.exe
O9 - Extra button: Change Proxy - {7107766B-746A-4B6F-8356-8CF9EA743708} - C:\Program Files\TSG Proxy\Proxy.exe
O9 - Extra 'Tools' menuitem: Change Proxy - {7107766B-746A-4B6F-8356-8CF9EA743708} - C:\Program Files\TSG Proxy\Proxy.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Change Proxy - {7107766B-746A-4B6F-8356-8CF9EA743708} - C:\Program Files\TSG Proxy\Proxy.exe (HKCU)
O9 - Extra 'Tools' menuitem: Change Proxy - {7107766B-746A-4B6F-8356-8CF9EA743708} - C:\Program Files\TSG Proxy\Proxy.exe (HKCU)
O15 - Trusted Zone: *.ge-registrar.com
O15 - Trusted Zone: *.supportcentral.ge.com
O15 - Trusted Zone: http://cincnt1.ssqc.ge.com
O15 - Trusted Zone: http://cincnt2.ssqc.ge.com
O15 - Trusted Zone: http://genet.ae.ge.com
O15 - Trusted Zone: http://inside.ge.com
O15 - Trusted Zone: http://libraries.ge.com
O15 - Trusted Zone: http://ssqc.ge.com
O15 - Trusted Zone: time.infra.ge.com
O15 - Trusted Zone: *.ge.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {CAFECAFE-0013-0001-0029-ABCDEFABCDEF} (JInitiator 1.3.1.29) - http://gpserplb01.corporate.ge.com:8040/ji...tor/oajinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0030-ABCDEFABCDEF} (JInitiator 1.3.1.30) - http://gpserplb01.corporate.ge.com:8040/ji...tor/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O17 - HKLM\Software\..\Telephony: DomainName = psamer.ps.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: CAF - C:\Program Files\CA\DSM\Bin\cfwlogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: CA-License Client (CA_LIC_CLNT) - Unknown owner - C:\WINDOWS\LIC98RMT.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Unknown owner - C:\WINDOWS\LIC98RMTD.exe
O23 - Service: CCFLIC0 - GE Fanuc - C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Data Historian (DataHistorian) - GE Industrial Systems - C:\PROGRA~1\GECONT~1\DATAHI~1\DataHistorian.exe
O23 - Service: SDB Server (DBServer) - GE Energy - C:\PROGRA~1\GECONT~1\SDB_SE~2\DBServer.exe
O23 - Service: GE EGD Configuration Server (EgdCfg) - GE Energy - C:\Program Files\GE Energy\EgdCfgServer\EgdCfgServer.exe
O23 - Service: ENDFORCE Agent API - ENDFORCE, Inc. - C:\Program Files\ENDFORCE\AgentAPI.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Fiberlink Monitor Service (FiberlinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\Fiberlink\Extend360\WENGINE\wmonitor.exe
O23 - Service: GeCssOpcAEServer - GE Energy - C:\Program Files\GE Energy\WorkstationST Features\GeCssOpcAEServer.exe
O23 - Service: Ge Css Opc Server (GeCssOpcServer) - GE Energy - C:\Program Files\GE Energy\GeCssOpcServer\GeCssOpcServer.exe
O23 - Service: EGD Service Control System Solutions (ICN Service) - GE Energy - C:\PROGRA~1\GECONT~1\ICN_SE~1\ICNService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
O23 - Service: LiveDataServer - GE Drive Systems - C:\PROGRA~1\GECONT~1\DATAHI~1\LiveDataServer.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Extend360\ServiceMgr.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Client Firewall - Sophos Plc - C:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe
O23 - Service: Sophos Client Firewall Manager - Sophos Plc - C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Ge WorkstationSTservice (WorkstationSTservice) - GE Energy - C:\Program Files\GE Energy\WorkstationST Features\WorkstationSTservice.exe

--
End of file - 12024 bytes

guestolo · « **Reply #1 on:** April 12, 2009, 01:21:32 AM »

Please go to this site to download ELIBAGLA tool:

Scroll down to the bottom of the site and click Descargar ELIBAGLA 12.25 - please save a file on the Desktop.
If it's possible, please disconnect a computer from the internet and disable an antivirus program,
Double click on the file you've just downloaded to run the program,
Leave the default settings and click Explorar,
The tool should automatically remove infected files, if it asks for a reboot, please allow it,
When it finishes, click Salir to close the program,
Reconnect to the internet and enable an antivirus program, if needed.
Please post the contents of the C:\InfoSat.txt in your next reply.

saneiac · « **Reply #2 on:** April 12, 2009, 01:57:51 AM »

I was unable to do this.

Sophos anti-virus prevented the first download attempt, identifying it as Mal/NafBot-A virus. I disabled Sophos and downloaded. When I tried to run the program, it gave a pop-up saying something to the effect that the software is being upgraded, and the new version will be posted later. I could not find a place to download older versions either at this site or the developer's site.

Krogan · « **Reply #3 on:** April 12, 2009, 03:03:09 AM »

Hey do you work for GE? lol sorry i figured id ask because i saw GE in your HJT log like thirty times

guestolo · « **Reply #4 on:** April 12, 2009, 08:23:01 AM »

Why not post the log from ComboFix, a copy of it can be found in this location
C:\Combofix.txt

Quote

Combofix changed the date format of the tooltip when I hover over the time/date item on my taskbar, and I can't find how to change it back.

We can change that back in a bit, let me see the log first please

saneiac · « **Reply #5 on:** April 12, 2009, 09:36:37 AM »

A few things:
Prevx, and I think pxscan, are from an online scanner I tried after Kaspersky online scanner failed to load. It quickly got on my nerves with constant pop-up reminders to buy, and is gone.
Although it says Sophos anti-virus is running, at this point the main Sophos .exe file was corrupt, so while it may have had some pieces running, it was not protecting anything, and I could not disable it for Combofix.

ComboFix 09-04-04.01 - OLIVASED 2009-04-09 10:09:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1601 [GMT -5:00]
Running from: c:\documents and settings\OLIVASED\Desktop\Combo-Fix.exe
AV: Sophos Anti-Virus *On-access scanning enabled* (Outdated)
FW: Sophos Client Firewall *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\OLIVASED\Application Data\drivers\downld
c:\documents and settings\OLIVASED\Application Data\drivers\downld\23473640.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\23475203.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\23475765.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\23711015.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\23715250.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\23717625.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\23765843.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\23932515.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\23935000.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\23935390.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\23978781.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\23981875.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\23983031.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24383265.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24385312.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24385546.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24390968.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24393578.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24394296.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24398906.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24400906.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24400953.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24418093.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24423187.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24424359.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24425703.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24482671.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24487000.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24489484.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24551281.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24555328.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24555750.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24564359.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24565859.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24566015.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24745437.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24752187.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24752984.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24829656.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24842046.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24850875.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24852796.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24859968.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24862078.exe
c:\documents and settings\OLIVASED\Application Data\drivers\downld\24862250.exe
c:\documents and settings\OLIVASED\Application Data\drivers\wfsintwq.sys
c:\documents and settings\OLIVASED\Application Data\drivers\winupgro.exe
c:\documents and settings\OLIVASED\Application Data\m
c:\documents and settings\OLIVASED\Application Data\m\flec006.exe
c:\documents and settings\OLIVASED\Application Data\m\list.oct
c:\documents and settings\OLIVASED\Application Data\m\shared\3D Ikebana Screensaver 4.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\3DCombine 3.4.1 Crack.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Activation.Symantec.Norton.Systeme.Works.2007.Avec.Crack.&.Super.News.2007.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Advanced Business Card Maker 4.0 (Key+Serial).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Agenda Organizer Deluxe 2.8 (Serial).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Agent Card Maker 1.20 Build 040722.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Agogo DVD To PSP Video Converter 6.91.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Agree Free Mobile 3GP MP4 MPEG4 Video Converter 4.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\AlacartE 4.62.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\AlarmClock Gadget 1.0.0.216.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Apexico VAT-Books 1.2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Arc Menu 5.3a (KeyGen).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\ArGoSoft Time Synchronizer 1.0.0.6.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Assistant Tech Admin Tool 1.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\ASTsearch Toolbar 1.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Auction Kung Fu 1.2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Avex DVD to iPod Converter 4 build 05.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Avg.Anti-Virus.v7.1.394.757.Incl.Keygen-Ssg.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\AVS DVD Player 2.4.4.144.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Bible Max 1.3.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Bill Gates Eyes 1.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Bound Around 1.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\CanonWebcam 1.0.0.51.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\CD to iPod Solution 6.4.3.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Chaos Sync 2.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Character-Building Thought Power 1.0 [Serial].zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Christersson SendFile 2.0.6 for Sony Ericsson [KeyGen].zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Clip Color 1.0.5.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Collectorz.com MP3 Collector 2.2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\CompuApps OnBelay 2.0 build 012.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\ConnectCode Barcode Font Pack 3.0 (Key+Serial).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Convert XLS To Any 2.6 (Patch).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\CRM Customer Portal 3.0.2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\cryptlib 3.1.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\dataPro 1.5.6.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\DentSuite 1.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Desktop Christmas Tree 1.12.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\DigiCat 1.03h.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\DomainInspect 1.6.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Dragonfly Chart .Net 2.000.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Earthsim 1.9.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\EasyCollage (Home Edition) 1.6 [Key+Serial].zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Email Director 9.2.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\EmailMarketingAssistant Pro 1.1.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Embird Alphabet 17 1.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Excel Invoice Manager Platinum 2.8.1012 (With Crack).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Flash Terminal 4.2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\FlexCls Express 1.7.10.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Font Manager 3.53 [Serial].zip
c:\documents and settings\OLIVASED\Application Data\m\shared\FreeSecurity 1.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\FunkyBit 3GP Video Converter 1.2 (Patch).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Gas Station Software 4.1 (Patch).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Gather Items CMM 2.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Graph Plotter 2.5 Serial.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\HandyFind 2.0.6.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Hide Folders XP 2.9.8.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\HiFi WAV Cutter 1.00.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\HistoryKill Shot & PopUp Killer Pro 3.032.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\HumanityThunder 3.1.1028 (Key).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\IB LogManager Viewer 2.6.0.2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\iMacros Web Automation and Web Testing 6.12.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\ImTOO Video to Audio Converter 3.1.53.0321b.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Indiecom Services (001582676-A) 2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\InfoRSS 1.1.4.2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Insulated Concrete Forms 1.00.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Intrinsic Value Investing Training Wizard 3.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Invisible Secrets 4.6.1 [Serial].zip
c:\documents and settings\OLIVASED\Application Data\m\shared\iPlayAnywhere for iTunes 4.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\iWellsoft 3GP Video Converter 1.3.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Jet DVD Ripper 1.4 (Patch).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\JPEGCompressor 1.0 [Key].zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Keyboard Layout Manager 2.90.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\LingvoSoft Suite 2008 German - Russian 2.1.28.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\LyricGrabber 0.8.4.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\MagicPDF 2.01.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\MDTeleText 0.62.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\MetaLAN 2 Beta [KeyGen].zip
c:\documents and settings\OLIVASED\Application Data\m\shared\MetaTags 2.3.5.2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\MobileDJ Pro 1.03 (KeyGen).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\MSDict Pocket Oxford Dictionary and Thesaurus (Pocket PC) 4.40.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\MSN Emoticons Plus 3.2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\MSN Monitor Pro & MSN Sniffer 2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\MySQLDirect .NET Data Provider 4.00 Key.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Need4 iPod Converter 5.6.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Net Logger Pro 2.06.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Nitro PDF Professional 4.91.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\NOD32.2.70.23.[InglÃ©s][by.verdugofinal].zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Notepad GTI 1.904.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Pamela for Skype Standard Version 1.36 (Cracked).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\PaxKel Christmas 2.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Pops 0.1.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Portable Key Launch 1.71.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Pragma Fortress SSH Server.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\PrinterJob 2.0.2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Profit Percent Calculator 1.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\QRCode 2D Barcode ActiveX 3.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Quick Pallet Maker 4.1.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\RAUL 1.0.3.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\ReportMaker 4.15.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Ro-En Translator 1.1.0.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Rock Collector 1.0 (Crack).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Rubber Ducky System Monitor 1.11.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Safelist Marketing eCourse 3.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Secura Backup Home Edition 2.13.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Serial.Prevx1.41.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Shutdown Monster 4.0.5.2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Siteheart 0.2.1.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Slingo Casino Pak 1.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\SmartList To Go 3.0.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Softcode Analog Clock 1.3b.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\SOPHOS.ANTIVIRUS.V3.88.NTW2KXP.Multilanguage-FeDEX.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Space Exploration 3D Screensaver 1.0 [Crack].zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Spell Maestro 2.2.7 (Key+Serial).zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Spellway Hotkey Assistant 1.65.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Spider-Man 2 Trailer.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\StepVoice Recorder 1.4.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Symantec.Norton.Ghost.10.Spanish.part06.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\TAMP 1.04.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\The Big Bang Screensaver.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Timaeus 6.0.5 [Cracked].zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Universe Wars Extension 1.17.11.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Unreal Tournament 2004 Sniper Arena 2K4 mod.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Visual Paradigm for UML Enterprise Edition 5.2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Web Printer 1.2 [Patch].zip
c:\documents and settings\OLIVASED\Application Data\m\shared\Weld Cost Calc XL 1.0.2.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\WiFi Signal 2.7.1.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\WinGraphic 2.1.1.zip
c:\documents and settings\OLIVASED\Application Data\m\shared\WinTiles 1.2.zip
c:\documents and settings\OLIVASED\Application Data\m\srvlist.oct
c:\windows\system32\ban_list.txt
c:\windows\system32\mdelk.exe
c:\windows\system32\mdm.exe
c:\windows\system32\wintems.exe
d:\users\OLIVASED\My Documents\iridium.exe

----- BITS: Possible infected sites -----

hxxp://wsus.ad.ge.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SROSA
-------\Legacy_SROSA
-------\Service_sK9Ou0s

((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.

2009-04-09 09:22 . 2009-04-09 10:03 <DIR> d-------- c:\windows\BDOSCAN8
2009-04-09 09:05 . 2009-04-09 09:05 <DIR> d-------- c:\program files\Prevx
2009-04-09 09:05 . 2009-04-09 10:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-04-09 09:05 . 2009-04-09 09:05 22,024 --a------ c:\windows\system32\drivers\pxscan.sys
2009-04-09 09:05 . 2009-04-09 09:05 39 --a------ c:\windows\wininit.ini
2009-04-09 07:38 . 2009-04-09 07:55 <DIR> d-------- c:\documents and settings\OLIVASED\Application Data\HouseCall 6.6
2009-04-09 06:16 . 2009-04-09 10:11 <DIR> d--h----- c:\documents and settings\OLIVASED\Application Data\drivers
2009-04-09 00:48 . 2009-04-09 00:48 <DIR> d-------- c:\program files\LEAD Technologies
2009-04-09 00:48 . 2008-05-20 20:05 1,855,488 --a------ c:\windows\system32\LFDJV14n.dll
2009-03-29 11:08 . 2008-04-04 21:00 147,456 --a------ c:\windows\system32\hpcpn5r1.dll
2009-03-29 11:05 . 2009-03-29 11:05 <DIR> d-------- C:\HP LJP3005 PCL6 Driver
2009-03-23 11:25 . 2009-03-23 11:25 <DIR> d-------- c:\windows\system32\Adobe
2009-03-09 13:24 . 2009-03-09 13:24 <DIR> d-------- c:\program files\ENDFORCE
2009-03-09 13:24 . 2009-03-09 13:24 <DIR> d-------- c:\program files\Common Files\PostureAgent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 14:59 --------- d-----w c:\program files\Symantec
2009-04-09 12:31 --------- d-----w c:\program files\Nortel Networks
2009-04-09 12:12 --------- d-----w c:\program files\eMule
2009-04-09 05:48 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-07 04:53 --------- d-----w c:\program files\SafeBoot
2009-03-23 16:37 --------- d-----w c:\program files\CIMPLICITY Machine Edition
2009-03-18 23:36 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-27 14:16 --------- d-----w c:\program files\Hewlett-Packard
2009-02-26 21:51 --------- d-----w c:\program files\Oracle
2009-02-12 18:46 --------- d-----w c:\program files\Java
2007-03-02 14:52 961,160 ----a-w c:\documents and settings\All Users\Application Data\NXPowerLite.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 131072]
"PDVDDXSrv"="c:\progra~1\CYBERL~1\POWERD~1\PDVDDX~1.EXE" [2006-10-20 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"SBMGRNT.EXE"="c:\progra~1\SafeBoot\SBMGRNT.EXE" [2008-05-16 49212]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SCFTrayStartUp"="c:\program files\Sophos\Sophos Client Firewall\SCFTray.exe" [2009-04-09 224296]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-12 148888]
"ENDFORCEAgent"="c:\program files\ENDFORCE\AgntTray.exe" [2007-12-21 1646592]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 c:\windows\STSYSTRA.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\IconAC76BA86.exe [2008-11-13 300032]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-10-26 245760]
Workstation Status Monitor.lnk - c:\program files\GE Energy\WorkstationST Features\WorkstationStatusMonitor.exe [2008-07-22 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CAF]
2008-02-29 20:13 27400 c:\program files\Ca\DSM\bin\cfWlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-857407748-547254352-1705232-22426\Scripts\Logon\0\0]
"Script"=CAUnicenterR11CheckV3.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-857407748-547254352-1705232-22426\Scripts\Logon\1\0]
"Script"=PSAMERLogonScript.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Woodward\\Control Assistant 3\\ctrlassist.exe"=
"c:\\Program Files\\Woodward\\Watch Window II\\WatchWindowII.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5556:TCP"= 5556:TCP:SafeBoot

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-04-09 22024]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\safeboot.sys [2008-05-16 30267]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\sbalg.sys [2008-05-16 44848]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2008-05-16 4752]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-11-17 101120]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-11-17 33408]
R1 SBFlop;SBFlop;c:\windows\system32\drivers\sbflop.sys [2008-05-16 6096]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\sbprcctl.sys [2008-05-16 14864]
R2 caf;CA DSM r11 Common Application Framework.;c:\program files\Ca\DSM\bin\CAF.exe [2008-02-29 193800]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2009-04-09 4414520]
R2 DataHistorian;Data Historian;c:\progra~1\GECONT~1\DATAHI~1\DataHistorian.exe [2008-11-13 450645]
R2 DBServer;SDB Server;c:\progra~1\GECONT~1\SDB_SE~2\DBServer.exe [2008-11-13 274432]
R2 EgdCfg;GE EGD Configuration Server;c:\program files\GE Energy\EgdCfgServer\EgdCfgServer.exe [2008-07-22 32768]
R2 ENDFORCE Agent API;ENDFORCE Agent API;c:\program files\ENDFORCE\AgentAPI.exe [2007-12-19 2945024]
R2 FiberlinkMonitor;Fiberlink Monitor Service;c:\program files\Fiberlink\Extend360\WENGINE\wmonitor.exe [2005-05-06 65604]
R2 GeCssOpcAEServer;GeCssOpcAEServer;c:\program files\GE Energy\WorkstationST Features\GeCssOpcAEServer.exe [2008-07-22 77824]
R2 SafeBootConfigurationManager;SafeBoot Configuration Manager;c:\program files\SafeBoot\sbmgrnt.exe [2008-05-16 49212]
R2 WorkstationSTservice;Ge WorkstationSTservice;c:\program files\GE Energy\WorkstationST Features\WorkstationSTservice.exe [2008-07-22 81920]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-01 17536]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-05-14 9433]
S0 black;black;c:\windows\system32\drivers\BlackDrv.sys --> c:\windows\system32\drivers\BlackDrv.sys [?]
S1 scfdriver;SCF Kernel Driver;\??\c:\windows\system32\Drivers\scfdriver.sys --> c:\windows\system32\Drivers\scfdriver.sys [?]
S2 GeCssOpcServer;Ge Css Opc Server;c:\program files\GE Energy\GeCssOpcServer\GeCssOpcServer.exe [2008-07-22 45056]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-05-14 115680]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2008-11-17 69632]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2008-11-17 98304]
S2 Sophos Client Firewall Manager;Sophos Client Firewall Manager;c:\program files\Sophos\Sophos Client Firewall\SCFManager.exe [2009-04-04 109608]
S2 Sophos Client Firewall;Sophos Client Firewall;c:\program files\Sophos\Sophos Client Firewall\SCFService.exe [2009-04-04 93224]
S3 CA_LIC_CLNT;CA-License Client;c:\windows\LIC98RMT.exe [2003-08-06 73728]
S3 CA_LIC_SRVR;CA-License Server;c:\windows\LIC98RMTD.exe [2003-08-06 73728]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [2008-05-14 630784]
S3 ICN Service;EGD Service Control System Solutions;c:\progra~1\GECONT~1\ICN_SE~1\ICNService.exe [2008-11-13 77824]
S3 LiveDataServer;LiveDataServer;c:\progra~1\GECONT~1\DATAHI~1\LiveDataServer.exe -SS --> c:\progra~1\GECONT~1\DATAHI~1\LiveDataServer.exe -SS [?]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2006-11-03 36676]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2006-11-03 24344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02d7e951-9f6e-11dd-946a-444553544200}]
\Shell\AutoRun\command - G:\DTVaultPrivacy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ca4a5e2-8ec9-11db-9d25-806d6172696f}]
\Shell\AutoRun\command - e:\programs\nu2menu\nu2menu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3195f28-29e0-11dd-940b-444553544200}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa0210f2-1b8f-11de-94ed-444553544200}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Flash 9.0.159.0]
c:\windows\Options\Packages\Specapps\Adobe_Flash_9.0.159.0\Install.exe /V9 /S

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1D2908F4-2CC5-4F72-BAFF-9026CF04C227}]
%systemroot\system32\msiexec.exe /i %systemroot%\options\packages\coreapps\pcinfo\pcinfo.msi /qb!

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{257AC5ED-A013-4E10-B3C0-099F5E8D8FC2}]
%Sytemroot%\system32\msiexec.exe /i %Systemroot%\options\pacakges\coreapps\TSG Proxy\TSG Proxy Button.msi /qn

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{27B3FC9C-0096-4590-85B5-FF334D432C8D}]
c:\windows\system32\msiexec.exe /i c:\windows\options\packages\coreapps\MekkoGraphics3\MekkoGraphics3.msi Transforms="c:\windows\options\packages\coreapps\MekkoGraphics3\MekkoGraphics3.mst" /qn

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AB543DE7-1359-4C70-B0FC-D4BB3AB83D8B}]
c:\windows\system32\msiexec.exe /fomus c:\windows\options\packages\specapps\nxplite3\nxplite301.msi /qb!

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AC76BA86-7AD7-1033-7B44-A81200000003}]
msiexec.exe /fu {AC76BA86-7AD7-1033-7B44-A81200000003} /qn

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}]
c:\windows\System32\msiexec.exe /fu {C8B0680B-CDAE-4809-9F91-387B6DE00F7C} /qn

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C9E72B0C-1F6A-4C67-84D8-3F7743B87E37}]
c:\windows\System32\msiexec.exe /i c:\windows\Options\Packages\CoreApps\GETemplates\GETemplatesGEE.msi /qb!

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D9C88940-0322-4E06-AB35-ADC6F01E9AD7}]
c:\windows\system32\msiexec.exe /i c:\windows\options\packages\coreapps\customsettings\geecustset1.msi /qb!
.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\Workstation.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2008-11-17 07:47]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-IridiumTimeWizard - d:\users\OLIVASED\My Documents\iridium.exe
HKLM-Run-AuditMode - c:\sysprep\factory.exe

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: {{7107766B-746A-4B6F-8356-8CF9EA743708} - c:\program files\TSG Proxy\Proxy.exe c:\program files\TSG Proxy\Proxy.exe
Trusted Zone: ge-registrar.com
Trusted Zone: ge.com
Trusted Zone: ge.com\*.supportcentral
Trusted Zone: ge.com\cincnt1.ssqc
Trusted Zone: ge.com\cincnt2.ssqc
Trusted Zone: ge.com\genet.ae
Trusted Zone: ge.com\inside
Trusted Zone: ge.com\libraries
Trusted Zone: ge.com\ssqc
Trusted Zone: ge.com\time.infra
TCP: {67618DDB-01D1-43C3-8CC4-72CD9F4D3412} = 195.219.14.20,66.110.61.66
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {CAFECAFE-0013-0001-0029-ABCDEFABCDEF} - hxxp://gpserplb01.corporate.ge.com:8040/jinitiator/oajinit.exe
DPF: {CAFECAFE-0013-0001-0030-ABCDEFABCDEF} - hxxp://gpserplb01.corporate.ge.com:8040/jinitiator/oajinit.exe
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 10:17:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1652)
c:\windows\system32\BCMLogon.dll
c:\program files\CA\DSM\Bin\cfwlogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Ca\SC\CAM\bin\cam.exe
c:\program files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
c:\windows\system32\Crypserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LckFldService.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\program files\SigmaTel\C-Major Audio\WDM\STACSV.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Ca\DSM\bin\cfsmsmd.exe
c:\program files\Ca\DSM\bin\ccnfAgent.exe
c:\program files\Ca\DSM\bin\cfnotsrvd.exe
c:\program files\Ca\DSM\bin\ccsmagtd.exe
c:\program files\Ca\DSM\bin\amswmagt.exe
c:\program files\Ca\DSM\PMAgent\capmuamagt.exe
c:\program files\Ca\DSM\bin\cfFTPlugin.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-09 10:21:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-09 15:21:50

Pre-Run: 19,283,714,048 bytes free
Post-Run: 19,123,331,072 bytes free

447 --- E O F --- 2008-12-13 16:03:50

guestolo · « **Reply #6 on:** April 12, 2009, 12:22:07 PM »

Combofix seemed to of taken care of the rootkit
But Can you do still do the following:
Download [color=\"#FF0000\"]> ATF Cleaner <[/color] by Atribune and save it to your Desktop.

Double Click on ATF-Cleaner.exe to Run it
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit from the Main menu

download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to [color=\"#006400\"]Update Malwarebytes' Anti-Malware[/color] and [color=\"#006400\"]Launch Malwarebytes' Anti-Malware[/color], then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

With that log, can you also do the following
Download [color=\"#FF0000\"]Rooter.exe[/color] to your desktop

* Then doubleclick it to start the tool
* A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here

saneiac · « **Reply #7 on:** April 13, 2009, 06:04:03 AM »

Anti-malware came up with two items. I did not fix either. Windows updates and Sophos anti-virus definitions are handled automatically when I connect to my company VPN.

MBAM log

Malwarebytes' Anti-Malware 1.36
Database version: 1974
Windows 5.1.2600 Service Pack 2

2009-04-13 05:54:53
mbam-log-2009-04-13 (05-54-49).txt

Scan type: Quick Scan
Objects scanned: 156587
Time elapsed: 49 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
================================================================================
==================

Rooter log

Microsoft Windows XP Professional (5.1.2600) Service Pack 2

C:\ [Fixed] - NTFS - (Total:38162 Mo/Free:1372 Mo)
D:\ [Fixed] - NTFS - (Total:36099 Mo/Free:1642 Mo)
E:\ [CD-Rom] (Total:4462 Mo/Free:0 Mo)
J:\ [Network] (Total:0 Mo/Free:0 Mo)

2009-04-13| 5:57

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\WLTRYSVC.EXE
---------- C:\WINDOWS\System32\bcmwltry.exe
---------- C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe
---------- C:\WINDOWS\System32\SCardSvr.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\Program Files\CA\SC\CAM\bin\cam.exe
---------- C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
---------- C:\WINDOWS\system32\crypserv.exe
---------- C:\PROGRA~1\GECONT~1\DATAHI~1\DataHistorian.exe
---------- C:\PROGRA~1\GECONT~1\SDB_SE~2\DBServer.exe
---------- C:\Program Files\GE Energy\EgdCfgServer\EgdCfgServer.exe
---------- C:\Program Files\ENDFORCE\AgentAPI.exe
---------- C:\Program Files\Fiberlink\Extend360\WENGINE\wmonitor.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\WINDOWS\system32\LckFldService.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\SafeBoot\SBMGRNT.EXE
---------- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
---------- C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
---------- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
---------- C:\Program Files\Sophos\Remote Management System\RouterNT.exe
---------- C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\wdfmgr.exe
---------- C:\Program Files\GE Energy\WorkstationST Features\WorkstationSTservice.exe
---------- C:\Program Files\CA\DSM\bin\caf.exe
---------- C:\Program Files\GE Energy\WorkstationST Features\GeCssOpcAEServer.exe
---------- C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\system32\wbem\wmiprvse.exe
---------- C:\Program Files\CA\DSM\Bin\ccnfagent.exe
---------- C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
---------- C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
---------- C:\Program Files\CA\DSM\Bin\amswmagt.exe
---------- C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
---------- C:\Program Files\CA\DSM\Bin\cfftplugin.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\Apoint\Apoint.exe
---------- C:\WINDOWS\stsystra.exe
---------- C:\WINDOWS\system32\igfxtray.exe
---------- C:\WINDOWS\system32\hkcmd.exe
---------- C:\WINDOWS\system32\igfxpers.exe
---------- C:\WINDOWS\system32\igfxsrvc.exe
---------- C:\PROGRA~1\CYBERL~1\POWERD~1\PDVDDX~1.EXE
---------- C:\WINDOWS\system32\WLTRAY.exe
---------- C:\Program Files\Dell\QuickSet\quickset.exe
---------- C:\Program Files\Apoint\HidFind.exe
---------- C:\Program Files\Apoint\Apntex.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\Program Files\Sophos\Sophos Client Firewall\SCFTray.exe
---------- C:\Program Files\ENDFORCE\AgntTray.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\Sophos\AutoUpdate\ALMon.exe
---------- C:\Program Files\GE Energy\WorkstationST Features\WorkstationStatusMonitor.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
---------- C:\WINDOWS\explorer.exe
---------- C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
---------- C:\Gap_cdr\Gap218B.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\WINDOWS\System32\NOTEPAD.EXE
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

C:\DOCUME~1\OLIVASED\APPLIC~1\drivers
==> BAGLE <==

----------------------\\ ROOTKIT !!

1 - "C:\Rooter$\Rooter_1.txt" - 2009-04-13| 5:57

----------------------\\ Scan completed at 5:57

guestolo · « **Reply #8 on:** April 13, 2009, 09:11:23 AM »

Please download [color=\"blue\"]DirLook[/color] by jpshortstuff from one of the following mirrors:
[color=\"red\"]Link 1[/color]
[color=\"red\"]Link 2[/color]
[color=\"red\"]Link 3[/color]

Double-click DirLook.exe to run it (Vista Users should right-click and select Run As Administrator...).
Ensure that Show Hidden Files/Folders and BBCode Ouput are both checked.
Copy the content of the following codebox into the main textfield:

Code: [Select]

c:\documents and settings\OLIVASED\Application Data\drivers

Click the DirLook button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\DirLook.txt)

Note: Scanning may take longer for large folders.

saneiac · « **Reply #9 on:** April 13, 2009, 09:47:23 AM »

DirLook.exe v2.0 by jpshortstuff
Log created at 09:45 on 13/04/2009
==================================
Contents of "c:\documents and settings\OLIVASED\Application Data\drivers"

[color=\"blue\"]---FOLDERS---[/color]

(none found)

[color=\"blue\"]---FILES---[/color]

(none found)

==================================
[color=\"blue\"]=EOF=[/color]

guestolo · « **Reply #10 on:** April 13, 2009, 06:34:20 PM »

One last tool please, I should have had you run this one earlier
Please download FindyKill to your Desktop.

Double-click FindyKill.exe to run the installer.
Please follow the prompts to install the program.
FindyKill's icon should appear on your Desktop. Plug in any removable media and devices, such as usb flash drives or memory cards. Please close all opened windows / programs.
Then, double-click FindyKill's icon to run the tool.
A menu will appear, write E and hit Enter.
Choose the option 2. Clean infected files found. (write 2 and hit Enter).
Computer will reboot. Let the tool run uninterrupted.
The tool will generate a log: C:\FindyKill.txt. Please post its contents.

Note: [color=\"#FF0000\"]process.exe[/color] is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

saneiac · « **Reply #11 on:** April 19, 2009, 05:13:19 PM »

############################## [ FindyKill V4.725 ]

# User : OLIVASED () # T00559506
# Update on 19/04/09 by Chiquitine29
# Start at: 16:09:58 | 2009-04-19
# Website : http://pagesperso-orange.fr/FindyKill.Ad.Remover/

# Intel® Core(tm)2 Duo CPU T7250 @ 2.00GHz
# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2
# Internet Explorer 6.0.2900.2180
# Windows Firewall Status : Disabled
# AV : Sophos Anti-Virus [ Enabled | (!) Outdated ]
# FW : Sophos Client Firewall[ Enabled ]

# C:\ # Local Fixed Disk # 37.27 Go (17.13 Go free) [System] # NTFS
# D:\ # Local Fixed Disk # 35.25 Go (16.72 Go free) [Data] # NTFS
# E:\ # CD-ROM Disc # 4.36 Go (0 Mo free) [MTV_NEW_06] # UDF
# F:\ # Local Fixed Disk # 232.83 Go (116.76 Go free) [WD Passport] # FAT32
# H:\ # Removable Disk # 983.7 Mo (630.64 Mo free) [EDWARD] # FAT
# J:\ # Network Connection # 881.86 Go (1.6 Go free) [Local Disk] # NTFS

############################## [ Active Processes ]

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\GECONT~1\DATAHI~1\DataHistorian.exe
C:\PROGRA~1\GECONT~1\SDB_SE~2\DBServer.exe
C:\Program Files\GE Energy\EgdCfgServer\EgdCfgServer.exe
C:\Program Files\ENDFORCE\AgentAPI.exe
C:\Program Files\Fiberlink\Extend360\WENGINE\wmonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LckFldService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\GE Energy\WorkstationST Features\WorkstationSTservice.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\GE Energy\WorkstationST Features\GeCssOpcAEServer.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\DSM\Bin\sd_jexec.exe

################## [ Infected File \ Folder ]

Deleted ! C:\WINDOWS\Prefetch\WINUPGRO.EXE-17681AA8.pf
Deleted ! "C:\Documents and Settings\OLIVASED\Application Data\drivers"

################## [ Infected Temp Files ]

################## [ Registry / Infected keys ]

Deleted ! HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\key_gen
Deleted ! HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\run

################## [ Cleaning Removable drives ]

# Deleting Files :

################## [ Registry / Mountpoint2 ]

# -> Not found !

################## [ States / Restarting of services ]

# Services : [ Auto=2 / Request=3 / Disable=4 ]

# Ndisuio -> # Type of startup =3
# Ip6Fw -> # Type of startup =2
# SharedAccess -> # Type of startup =2
# wuauserv -> # Type of startup =2
# wscsvc -> # Type of startup =2

################## [ Searching Other Infections ]

# RÃ©fÃ©rences de comparaison Bagle MD5 :

File ... : C:\Qoobox\Quarantine\C\Documents and Settings\OLIVASED\Application Data\drivers\winupgro.exe.vir
CRC32 .. : DENIED
MD5 .... : DENIED

guestolo · « **Reply #12 on:** April 19, 2009, 10:14:15 PM »

It's been awhile, can you post a fresh Hijackthis log and let me know how things are running now please

saneiac · « **Reply #13 on:** April 20, 2009, 09:36:43 AM »

Sorry about the delay, I was travelling. I seem to be running correctly again. The virus corrupted the .exe files of several programs, including Sophos anti-virus, spybot, and, for some reason, alarm clock, but I think I've found and replaced them all.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:31, on 2009-04-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\GECONT~1\DATAHI~1\DataHistorian.exe
C:\PROGRA~1\GECONT~1\SDB_SE~2\DBServer.exe
C:\Program Files\GE Energy\EgdCfgServer\EgdCfgServer.exe
C:\Program Files\ENDFORCE\AgentAPI.exe
C:\Program Files\Fiberlink\Extend360\WENGINE\wmonitor.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LckFldService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\GE Energy\WorkstationST Features\WorkstationSTservice.exe
C:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\GE Energy\WorkstationST Features\GeCssOpcAEServer.exe
C:\Program Files\CA\DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\DSM\Bin\ccnfagent.exe
C:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\DSM\Bin\amswmagt.exe
C:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\HidFind.exe
C:\PROGRA~1\CYBERL~1\POWERD~1\PDVDDX~1.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sophos\Sophos Client Firewall\SCFTray.exe
C:\Program Files\ENDFORCE\AgntTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\GE Energy\WorkstationST Features\WorkstationStatusMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ps.setpac.ge.com/pac.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\system32\SCTOOL~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\PROGRA~1\CYBERL~1\POWERD~1\PDVDDX~1.EXE"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SCFTrayStartUp] C:\Program Files\Sophos\Sophos Client Firewall\SCFTray.exe
O4 - HKLM\..\Run: [ENDFORCEAgent] "C:\Program Files\ENDFORCE\AgntTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Workstation Status Monitor.lnk = C:\Program Files\GE Energy\WorkstationST Features\WorkstationStatusMonitor.exe
O9 - Extra button: Change Proxy - {7107766B-746A-4B6F-8356-8CF9EA743708} - C:\Program Files\TSG Proxy\Proxy.exe
O9 - Extra 'Tools' menuitem: Change Proxy - {7107766B-746A-4B6F-8356-8CF9EA743708} - C:\Program Files\TSG Proxy\Proxy.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Change Proxy - {7107766B-746A-4B6F-8356-8CF9EA743708} - C:\Program Files\TSG Proxy\Proxy.exe (HKCU)
O9 - Extra 'Tools' menuitem: Change Proxy - {7107766B-746A-4B6F-8356-8CF9EA743708} - C:\Program Files\TSG Proxy\Proxy.exe (HKCU)
O15 - Trusted Zone: *.ge-registrar.com
O15 - Trusted Zone: *.supportcentral.ge.com
O15 - Trusted Zone: http://cincnt1.ssqc.ge.com
O15 - Trusted Zone: http://cincnt2.ssqc.ge.com
O15 - Trusted Zone: http://genet.ae.ge.com
O15 - Trusted Zone: http://inside.ge.com
O15 - Trusted Zone: http://libraries.ge.com
O15 - Trusted Zone: http://ssqc.ge.com
O15 - Trusted Zone: time.infra.ge.com
O15 - Trusted Zone: *.ge.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {CAFECAFE-0013-0001-0029-ABCDEFABCDEF} (JInitiator 1.3.1.29) - http://gpserplb01.corporate.ge.com:8040/ji...tor/oajinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0030-ABCDEFABCDEF} (JInitiator 1.3.1.30) - http://gpserplb01.corporate.ge.com:8040/ji...tor/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O17 - HKLM\Software\..\Telephony: DomainName = psamer.ps.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: CAF - C:\Program Files\CA\DSM\Bin\cfwlogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - C:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: CA-License Client (CA_LIC_CLNT) - Unknown owner - C:\WINDOWS\LIC98RMT.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Unknown owner - C:\WINDOWS\LIC98RMTD.exe
O23 - Service: CCFLIC0 - GE Fanuc - C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Data Historian (DataHistorian) - GE Industrial Systems - C:\PROGRA~1\GECONT~1\DATAHI~1\DataHistorian.exe
O23 - Service: SDB Server (DBServer) - GE Energy - C:\PROGRA~1\GECONT~1\SDB_SE~2\DBServer.exe
O23 - Service: GE EGD Configuration Server (EgdCfg) - GE Energy - C:\Program Files\GE Energy\EgdCfgServer\EgdCfgServer.exe
O23 - Service: ENDFORCE Agent API - ENDFORCE, Inc. - C:\Program Files\ENDFORCE\AgentAPI.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Fiberlink Monitor Service (FiberlinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\Fiberlink\Extend360\WENGINE\wmonitor.exe
O23 - Service: GeCssOpcAEServer - GE Energy - C:\Program Files\GE Energy\WorkstationST Features\GeCssOpcAEServer.exe
O23 - Service: Ge Css Opc Server (GeCssOpcServer) - GE Energy - C:\Program Files\GE Energy\GeCssOpcServer\GeCssOpcServer.exe
O23 - Service: EGD Service Control System Solutions (ICN Service) - GE Energy - C:\PROGRA~1\GECONT~1\ICN_SE~1\ICNService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
O23 - Service: LiveDataServer - GE Drive Systems - C:\PROGRA~1\GECONT~1\DATAHI~1\LiveDataServer.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Extend360\ServiceMgr.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Client Firewall - Sophos Plc - C:\Program Files\Sophos\Sophos Client Firewall\SCFService.exe
O23 - Service: Sophos Client Firewall Manager - Sophos Plc - C:\Program Files\Sophos\Sophos Client Firewall\SCFManager.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Ge WorkstationSTservice (WorkstationSTservice) - GE Energy - C:\Program Files\GE Energy\WorkstationST Features\WorkstationSTservice.exe

--
End of file - 11923 bytes

guestolo · « **Reply #14 on:** April 21, 2009, 07:49:08 AM »

Looks good,
Go to START>>RUN>>
copy and paste the following

[color=\"#FF0000\"]combofix /u[/color]
and press enter
This will uninstall ComboFix and it's components

you can manually delete
DirLook and it's file C:\DirLook.txt

Open FindyKill.exe from the shortcut on your desktop
Select E for english
Then select 3>>uninstall FindyKill

Can you post one last log for me please
supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents

saneiac · « **Reply #15 on:** April 23, 2009, 08:00:56 AM »

32 Bit HP CIO Components Installer
3500 Rack Configuration Software
AC3Filter (remove only)
Adobe Flash Player ActiveX
Adobe Reader 8.1.4
Adobe Shockwave Player
Adobe Shockwave Player 11
Alarm 2.0.4
Alarm Clock v1.0
ALPS Touch Pad Driver
Amazon MP3 Downloader 1.0.3
Apple Mobile Device Support
Apple Software Update
Bonjour
Broadcom Gigabit Integrated Controller
CA Unicenter DSM Agent + Asset Management Plugin
CA Unicenter DSM Agent + Basic Inventory Plugin
CA Unicenter DSM Agent + Software Delivery Plugin
Checkin-Checkout - V01.02.06C
CIMPLICITY HMI
Conexant HDA D330 MDC V.92 Modem
Control Assistant
Control Assistant 3.8
Control System Toolbox - V11.04.07C
Control System Toolbox Documentation
CyberLink PowerDVD 7.0
Data Historian - V05.01.19C
Data Historian Documentation
Dell Wireless WLAN Card
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Driver Interface Program
eMule
Extend360
Folder Access 2.0.0 Free Version
GAP Editor
GE ControlST - V03.02.42C
GE ecomagination 1024x Screen Saver
GE Energy Custom Settings
GE Energy Office Templates
GE Fanuc Licensing
GE Fonts Version 5
GE Logo
GE Product Definition Interface
GE WorkstationST Package
Google Earth
Google Updater
Heroes of Might and MagicÂ® III Complete
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
IE Trusted Sites
iHistorian 2.0
Inspira Fonts v2.0
Integrated Control Network Service - V02.03.04C
Intel® Graphics Media Accelerator Driver
IPScom for Integrated Protection
IPScom for Transformer & Generator Prot.
iTunes
J2SE Runtime Environment 5.0 Update 10
Java 2 Runtime Environment, SE v1.4.2
Java Run-time Environment v1.3.0_02
Java Run-time Environment v1.3.1
Java Run-time Environment v1.4.1_02
Java(tm) 6 Update 12
Java(tm) 6 Update 5
Java(tm) 6 Update 6
Java(tm) 6 Update 7
Ladder Logic 1.06A
LaserJet 1020 series
LEADTOOLS ePrint 5 Professional
Legal Notice
LiveUpdate 3.0 (Symantec Corporation)
Logicmaster 90-70
Magic Online III
Mark VI Controller - V05.10.00C
Mark VI Documentation
MarkVI Simulator - V01.04.11C
Mekko Graphics
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office 2000 SR-1 Standard
Microsoft Office Converter Pack
Microsoft Office Outlook 2003
Microsoft Office Visio Viewer 2003 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
MiniTab
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
myfantasyleague.com Game Day 2008
Nortel Networks Contivity VPN Client
NXPowerLite
Oracle JInitiator 1.3.1.29
Oracle JInitiator 1.3.1.30
PC Info
PixiePack Codec Pack
PKZIP Shared Components
PRIMIC HMI for Excitation Controllers
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
S&P Polices Screen Saver
Sametime
SDB Server - V05.02.05C
SDB Server Documentation
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Shop for HP Supplies
SigmaTel Audio
SolveigMM AVI Trimmer
Sophos Antivirus
Sophos Anti-Virus
Sophos AutoUpdate
Sophos Client Firewall
Sophos NAC 3.0.382
Sophos Network Access Control
Sophos Remote Management System
Spybot - Search & Destroy
Spybot - Search & Destroy 1.3
Support Central Toolbar for Internet Explorer
SYCON.net GEE
TSG IE Proxy Button
Uconeer 2.4
Uninstaller - V03.00.26C
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB927891)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB946627)
Volo View Express
Watch Window II 2.8
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Resource Kit Tools
Windows Support Tools
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Wireless Selector V1.0
Woodward Application Manager 2.7
World Clock 2001
XviD 1.1 final uninstall
zCalc 1.0

guestolo · « **Reply #16 on:** April 25, 2009, 10:49:50 AM »

Some of your software in outdated and insecure

Can you do the following:
Open your version of Adobe Reader, click on HELP>>Check for Updates
Follow the prompts to update

Afterwards:
Access your Add and Remove Programs and remove all older updates and versions of Sun Java
Ahead of time, close down All browser windows
Don't reboot if prompted till the last one is removed
Remove the following:
J2SE Runtime Environment 5.0 Update 10
Java 2 Runtime Environment, SE v1.4.2
Java Run-time Environment v1.3.0_02
Java Run-time Environment v1.3.1
Java Run-time Environment v1.4.1_02
Javaâ„¢ 6 Update 12
Javaâ„¢ 6 Update 5
Javaâ„¢ 6 Update 6
Javaâ„¢ 6 Update 7

Once the last one is removed, reboot your computer
Back in Windows
[color=\"blue\"]Updating Java:[/color]

Download the latest version of Java Runtime Environment (JRE).
Scroll down to where it says "JRE 6 Update 13".
Click the "Download" button to the right.
In the Window that opens, select Windows, beside Platform:>>Check the "agree" box and click Continue.
Click on the link to download Windows Offline Installation and save to your desktop.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe that you downloaded to install the newest version.

Your version of Flash Player is outdated and insecure
Go to the following link
http://kb.adobe.com/selfservice/viewConten...rnalId=tn_14157
Download and save to your desktop
the Windows: [color=\"#0000FF\"]uninstall_flash_player.exe[/color] (205 KB)
Once saved to desktop
Close all browser windows
Double click on the Flash uninstaller, follow the prompts
You can delete the uninstaller after it has completed

Afterwards:
Spybot does not remove the older version properly when installing
Can you do the following
Open Spybot>>Select Immunization>>Select UNDO at the top menu bar
After you have removed all Immunization
Close Spybot>>Access Add and Remove Programs and remove both entries related to Spybot
Reboot afterwards
You can then redownload and install Spybot again
It's up to you to Immunize when installing, the long Hosts file will be created again
OR, you can choose not to Immunize during installation
Then after installation, open Immunize and Uncheck Hosts File at the bottom of the list and then choose to Immunize
Remember to check for Updates every couple weeks and reImmunize afterwards

Update your Flash, using Internet Explorer
go to the following link
http://www.adobe.com/products/flashplayer/

Allow ActiveX control install when prompted
DO NOT install any Toolbar related software, unless preferred
UNTICK the selection to install any

Let me know how things are now running please

TheTechGuide Forum

News:

Author Topic: Bagle rootkit clean up, final steps (Read 4066 times)

saneiac

Bagle rootkit clean up, final steps

guestolo

Bagle rootkit clean up, final steps

saneiac

Bagle rootkit clean up, final steps

Krogan

Bagle rootkit clean up, final steps

guestolo

Bagle rootkit clean up, final steps

saneiac

Bagle rootkit clean up, final steps

guestolo

Bagle rootkit clean up, final steps

saneiac

Bagle rootkit clean up, final steps

guestolo

Bagle rootkit clean up, final steps

saneiac

Bagle rootkit clean up, final steps

guestolo

Bagle rootkit clean up, final steps

saneiac

Bagle rootkit clean up, final steps

guestolo

Bagle rootkit clean up, final steps

saneiac

Bagle rootkit clean up, final steps

guestolo

Bagle rootkit clean up, final steps

saneiac

Bagle rootkit clean up, final steps

guestolo

Bagle rootkit clean up, final steps