dakov.exe file causing problems?

February 15, 2010 at 15:52:47
Specs: Windows XP Home Edition 2002 SP3
My computer is getting slower and slower. The kids have recently downloaded LimeWire - never again! Since then I have found a file, dakov.exe, that is taking up 80-90% of the CPU. I can't find it to delete it. I cannot do an End Process on it - how do I get rid of it? My virus check and spyware software is not finding it.

#1
February 15, 2010 at 19:14:11
DDS will help us determine what processes to use to remove the baddies, and Malwarebytes is a top-rated removal tool to start the process with.

Download DDS and save it to your desktop.
DDS.scr


Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt

Save both reports to your desktop then post them please.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & Paste the entire report in your next reply.



#2
February 26, 2010 at 19:12:58
Thank you for the advice - the problem is reduced but not fixed. I ran Malwarebytes several times, as it crashed when trying to delete all the problems, so I did the cleanups in chunks. I had to keep adjusting the CPU priority on the dakov.exe file as the machine would almost come to a stop - I could not delete/remove/end that process.
I used my Spybot and cleaned some problems there. While in Spybot I saw the file I think was causing most of the problems in the startup area, Dakov.exe - it was checked to start on reboot. I unticked that, then used the Assassin in Malwarebytes to kill it as I couldn't get at it any other way. That seems to have fixed the 100% CPU problem, but on doing a full scan with Malwarebytes I now have a "Rootkit agent str.sys" which will not delete, be killed, removed etc. I have also uninstalled/deleted the PC Tools antivirus as it hadn't picked up any of the 16 viruses etc. It seems I still have a problem - what can I do now please? I have attached/posted logs etc. as requested. Many thanks.
Attach.txt
DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 26/04/2005 12:39:16 p.m.
System Uptime: 26/02/2010 1:22:37 p.m. (0 hours ago)

Motherboard: Dell Computer Corp. | | 0G1548
Processor: Intel(R) Celeron(R) CPU 2.40GHz | Microprocessor | 2392/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 21.37 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1600: 30/11/2009 7:56:13 p.m. - System Checkpoint
RP1601: 1/12/2009 8:23:27 p.m. - System Checkpoint
RP1602: 2/12/2009 11:54:32 p.m. - System Checkpoint
RP1603: 4/12/2009 12:23:32 a.m. - System Checkpoint
RP1604: 5/12/2009 1:23:22 a.m. - System Checkpoint
RP1605: 6/12/2009 2:23:24 a.m. - System Checkpoint
RP1606: 7/12/2009 3:38:49 p.m. - System Checkpoint
RP1607: 8/12/2009 4:31:59 p.m. - System Checkpoint
RP1608: 9/12/2009 5:32:00 p.m. - System Checkpoint
RP1609: 10/12/2009 7:05:35 p.m. - System Checkpoint
RP1610: 11/12/2009 7:36:33 p.m. - System Checkpoint
RP1611: 12/12/2009 8:36:31 p.m. - System Checkpoint
RP1612: 13/12/2009 9:36:37 p.m. - System Checkpoint
RP1613: 14/12/2009 10:36:29 p.m. - System Checkpoint
RP1614: 15/12/2009 11:36:33 p.m. - System Checkpoint
RP1615: 17/12/2009 12:36:30 a.m. - System Checkpoint
RP1616: 18/12/2009 12:52:02 a.m. - System Checkpoint
RP1617: 19/12/2009 1:52:02 a.m. - System Checkpoint
RP1618: 20/12/2009 2:51:53 a.m. - System Checkpoint
RP1619: 21/12/2009 3:05:38 a.m. - System Checkpoint
RP1620: 22/12/2009 4:05:35 a.m. - System Checkpoint
RP1621: 23/12/2009 5:10:38 a.m. - System Checkpoint
RP1622: 24/12/2009 6:05:39 a.m. - System Checkpoint
RP1623: 25/12/2009 7:05:36 a.m. - System Checkpoint
RP1624: 11/01/2010 12:23:52 a.m. - System Checkpoint
RP1625: 12/01/2010 1:39:52 a.m. - System Checkpoint
RP1626: 13/01/2010 2:20:41 a.m. - System Checkpoint
RP1627: 14/01/2010 3:20:39 a.m. - System Checkpoint
RP1628: 15/01/2010 4:20:38 a.m. - System Checkpoint
RP1629: 16/01/2010 5:57:46 p.m. - System Checkpoint
RP1630: 29/01/2010 9:54:59 p.m. - System Checkpoint
RP1631: 30/01/2010 9:56:28 p.m. - System Checkpoint
RP1632: 1/02/2010 10:39:38 p.m. - System Checkpoint
RP1633: 2/02/2010 11:42:17 p.m. - System Checkpoint
RP1634: 4/02/2010 12:27:34 a.m. - System Checkpoint
RP1635: 5/02/2010 12:39:16 a.m. - System Checkpoint
RP1636: 6/02/2010 1:39:16 a.m. - System Checkpoint
RP1637: 7/02/2010 2:39:15 a.m. - System Checkpoint
RP1638: 8/02/2010 3:39:12 a.m. - System Checkpoint
RP1639: 10/02/2010 7:43:11 a.m. - System Checkpoint
RP1640: 10/02/2010 12:51:47 p.m. - System Checkpoint
RP1641: 11/02/2010 2:05:07 p.m. - System Checkpoint
RP1642: 12/02/2010 4:31:10 p.m. - System Checkpoint
RP1643: 13/02/2010 7:43:33 p.m. - System Checkpoint
RP1644: 14/02/2010 7:50:08 p.m. - System Checkpoint
RP1645: 15/02/2010 10:09:27 p.m. - System Checkpoint
RP1646: 16/02/2010 10:52:23 p.m. - System Checkpoint
RP1647: 17/02/2010 11:34:20 p.m. - System Checkpoint
RP1648: 19/02/2010 3:52:47 p.m. - Removed Macromedia Dreamweaver 8
RP1649: 19/02/2010 4:02:31 p.m. - Removed Philips CamSuite.
RP1650: 20/02/2010 4:36:53 p.m. - System Checkpoint
RP1651: 21/02/2010 5:36:53 p.m. - System Checkpoint
RP1652: 22/02/2010 5:48:21 p.m. - System Checkpoint
RP1653: 23/02/2010 6:47:58 p.m. - System Checkpoint
RP1654: 24/02/2010 7:45:06 p.m. - System Checkpoint
RP1655: 25/02/2010 8:45:15 p.m. - System Checkpoint

==== Installed Programs ======================


Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 7.0.7
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 3.0
Bonjour
BookCAT
Broadcom 440x 10/100 Integrated Controller
CCleaner
Collectorz.com Movie Collector
Conexant SmartHSFi V92 56K DF PCI Modem
Cook'n Favorites 7.0
CuteFTP 7 Home
Dell ResourceCD
Digital Line Detect
DuchessESML
DVD Shrink 3.2
EPSON CardMonitor
EPSON Copy Utility 3
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EPSON Web-To-Page
ESPRX430 Reference Guide
ESPRX430 Software Guide
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
iKeyWorks 6.12
Image Resizer Powertoy for Windows XP
Intel(R) Extreme Graphics Driver
iPod for Windows 2005-03-23
iTunes
Java(TM) 6 Update 11
Look2Skype 1.4.0.8
Macromedia Extension Manager
Macromedia Flash Player 8
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Money 2000
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Modem Helper
Mozilla Firefox (3.0.17)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero Suite
Netscape (7.02)
Netscape Browser (remove only)
PC Tools AntiVirus 6.0
Philips SPC1030NC Webcam
PhotoImpression 5
Picasa 3
PIF DESIGNER2.1
PowerDVD
QuickTime
RealPlayer
REALTEK USB Wireless LAN Driver and Utility
Samsung Media Studio
ScanToWeb
SCAR
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sibelius Scorch
Sibelius Scorch Plugin
Sierra Wireless EVDO Watcher
Skype™ 4.0
Sony Picture Utility
Sony USB Driver
SoundMAX
Spybot - Search & Destroy
Sweep!
TreeSize Free V2.1
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Viewpoint Media Player (Remove Only)
WebFldrs XP
Windows Driver Package - Philips (SPC1030) Image (06/11/2008 5.8.8.042)
Windows Driver Package - Philips CL (phaudlwr) MEDIA (06/02/2008 1.0.5.12)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
YP-U1

==== End Of File ===========================
DDS.txt
DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 13:37:58.48 on Fri 26/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.64.1033.18.503.69 [GMT 13:00]

AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Sierra Wireless\3G Wireless Module\Generic\Components\SWAutoLaunch.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Ctd.exe
C:\WINDOWS\msa.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sierra Wireless\3G Wireless Module\Generic\Watcher.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vspc1030.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE
C:\Documents and Settings\Owner\dakov.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.trademe.co.nz/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EPSON Stylus Photo RX430 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CP.EXE /P31 "EPSON Stylus Photo RX430 Series" /M "Stylus Photo RX430" /EF "HKCU"
uRun: [TOY5KNQ8OC] c:\docume~1\owner\locals~1\temp\Ctd.exe
uRun: [dakov] c:\documents and settings\owner\dakov.exe
uRun: [ROUA3O12PW] c:\windows\msa.exe
uRunOnce: [FFTI] c:\documents and settings\owner\application data\mozilla\firefox\profiles\k41wueoq.default\extensions\{b13721c7-f507-4982-b2e5-502a71474fed}\ffti.exe /verysilent /suppressmsgboxes /norestart /destpath="c:\documents and settings\owner\application data\mozilla\firefox\profiles/k41wueoq.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [spc1030] c:\windows\vspc1030.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek usb wireless lan driver and utility\RtWLan.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Office Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {E7C66126-27FC-4C16-ABFC-29F9C569FCC7} = 202.27.158.40 202.27.156.72
Notify: igfxcui - igfxsrvc.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\k41wueoq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://myairnz.com/myairnz/portal/initViewMyKoru.do?locale=en_NZ&currsite=www.airnz.co.nz
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R? 827f6407-90be-41df-bea3-d6cb0292aac8;827f6407-90be-41df-bea3-d6cb0292aac8
R? ACPService;ACPService
R? phaudlwr;Philips Audio Filter
R? purwwv;purwwv
R? RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter
R? SPC1030;USB2.0 PC Camera (SPC1030)
S? AVFilter;AVFilter
S? AVHook;AVHook
S? EAPPkt;Realtek EAPPkt Protocol
S? PCTAVSvc;PC Tools AntiVirus Engine
S? PCTCore;PCTools KDS
S? SSHNAS;SSHNAS
S? SWAutoLaunch;SWAutoLaunch

============== File Associations ===============

regfile=*** no open command defined ***

=============== Created Last 30 ================

2010-02-15 05:41:45 0 d-----w- c:\docume~1\owner\applic~1\Uniblue
2010-02-13 04:31:21 210944 ----a-w- c:\windows\msa.exe
2010-02-13 04:30:48 258048 ----a-w- c:\windows\system32\sshnas21.dll
2010-02-13 04:29:42 72192 --sh--r- c:\documents and settings\owner\dakov.exe

==================== Find3M ====================

2008-10-16 04:23:17 719612 ----a-w- c:\program files\bulk.zip
2008-09-17 23:38:54 867080 ----a-w- c:\program files\ccsetup211_slim.exe
2002-03-19 05:30:00 5528 ----a-w- c:\program files\PowerToyReadme.htm
2002-03-19 05:30:00 21504 ----a-w- c:\program files\phototoys.dll

============= FINISH: 13:47:55.04 ===============
MBAM Reports
Malwarebytes' Anti-Malware 1.44
Database version: 3794
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

26/02/2010 6:18:25 p.m.
mbam-log-2010-02-26 (18-18-25).txt

Scan type: Quick Scan
Objects scanned: 121678
Time elapsed: 26 minute(s), 3 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\msa.exe (Trojan.Agent) -> Not selected for removal.

Memory Modules Infected:
c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Not selected for removal.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\roua3o12pw (Trojan.Agent) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toy5knq8oc (Trojan.FakeAlert) -> Not selected for removal.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Not selected for removal.
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) -> Not selected for removal.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Not selected for removal.

Malwarebytes' Anti-Malware 1.44
Database version: 3794
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/02/2010 12:11:53 a.m.
mbam-log-2010-02-27 (00-11-53).txt

Scan type: Quick Scan
Objects scanned: 121543
Time elapsed: 13 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\roua3o12pw (Trojan.Agent) -> Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toy5knq8oc (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Not selected for removal.
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) -> Not selected for removal.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Not selected for removal.

Malwarebytes' Anti-Malware 1.44
Database version: 3794
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/02/2010 12:35:08 a.m.
mbam-log-2010-02-27 (00-35-08).txt

Scan type: Quick Scan
Objects scanned: 121579
Time elapsed: 16 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\roua3o12pw (Trojan.Agent) -> Not selected for removal.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.44
Database version: 3794
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/02/2010 12:55:13 a.m.
mbam-log-2010-02-27 (00-55-13).txt

Scan type: Quick Scan
Objects scanned: 121417
Time elapsed: 14 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\roua3o12pw (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.44
Database version: 3794
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/02/2010 11:40:59 a.m.
mbam-log-2010-02-27 (11-40-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 195157
Time elapsed: 1 hour(s), 14 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) -> Delete on reboot.

Malwarebytes' Anti-Malware 1.44
Database version: 3794
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/02/2010 2:16:55 p.m.
mbam-log-2010-02-27 (14-16-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 195037
Time elapsed: 45 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) -> Delete on reboot.



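As an added example, not part of this thread or of any tool named in it: a small Python triage of the DDS autorun and "Created Last 30" lines quoted above, reading them the way a helper does. The location rules, the random-name pattern and the 8.3 short-name expansion are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS.txt posted in this thread (the
# uRun/mRun entries of the "Pseudo HJT Report" and the "Created Last 30"
# section), with nothing added to them.
DDS_SAMPLE = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [TOY5KNQ8OC] c:\docume~1\owner\locals~1\temp\Ctd.exe
uRun: [dakov] c:\documents and settings\owner\dakov.exe
uRun: [ROUA3O12PW] c:\windows\msa.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [spc1030] c:\windows\vspc1030.exe
2010-02-13 04:31:21 210944 ----a-w- c:\windows\msa.exe
2010-02-13 04:30:48 258048 ----a-w- c:\windows\system32\sshnas21.dll
2010-02-13 04:29:42 72192 --sh--r- c:\documents and settings\owner\dakov.exe
"""

# One autorun entry, e.g. "uRun: [dakov] c:\...\dakov.exe".
RUN_LINE = re.compile(r"^([umd]Run(?:Once)?): \[([^\]]+)\] (.*)$")
# A "Created Last 30" line: timestamp, size, 8-char attribute string, path.
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.*)$")
# First executable path in a Run value, quoted or not (unquoted paths may contain spaces).
EXE_PATH = re.compile(r'^"?(.+?\.exe)\b', re.IGNORECASE)
# Assumed heuristic: 8-12 upper-case letters and digits with at least one of each
# (TOY5KNQ8OC, ROUA3O12PW) is what a machine-generated value name looks like.
RANDOM_NAME = re.compile(r"^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{8,12}$")


@dataclass
class Finding:
    kind: str          # "autorun" or "file"
    label: str         # Run key and value name, or the attribute string
    path: str
    reasons: list


def normalize(path):
    """Lower-case and expand the two XP 8.3 short names DDS prints most often
    (assumption: docume~1 and locals~1 are the usual XP short names)."""
    return (path.lower()
            .replace("docume~1", "documents and settings")
            .replace("locals~1", "local settings"))


def location_reasons(path):
    """Where a program starts from is the first triage signal in a DDS log."""
    full = normalize(path)
    parts = full.split("\\")
    reasons = []
    if "\\temp\\" in full:
        reasons.append("runs from a Temp directory")
    if len(parts) == 4 and parts[1] == "documents and settings":
        reasons.append("executable sits directly in a user profile root")
    if len(parts) == 3 and parts[1] == "windows":
        reasons.append("executable sits directly in the Windows root")
    return reasons


def triage(text):
    """Return the autorun entries and new files worth a closer look, with reasons."""
    findings = []
    for line in text.splitlines():
        run = RUN_LINE.match(line)
        if run:
            key, name, value = run.groups()
            exe = EXE_PATH.match(value)
            path = exe.group(1) if exe else value
            reasons = location_reasons(path)
            if RANDOM_NAME.match(name):
                reasons.append("random-looking autorun value name")
            if reasons:
                findings.append(Finding("autorun", f"{key} [{name}]", path, reasons))
            continue
        created = FILE_LINE.match(line)
        if created:
            _, _, attrs, path = created.groups()
            reasons = location_reasons(path)
            # DDS attribute string: 's' and 'h' together mean system+hidden,
            # which is how dakov.exe stayed out of sight in Explorer.
            if "s" in attrs and "h" in attrs:
                reasons.append("system+hidden attributes on a recently created file")
            if reasons:
                findings.append(Finding("file", attrs, path, reasons))
    return findings


def flagged_basenames(findings):
    """File names (lower-cased) that received at least one reason."""
    return {f.path.rsplit("\\", 1)[-1].lower() for f in findings}


if __name__ == "__main__":
    for f in triage(DDS_SAMPLE):
        print(f"{f.kind:8} {f.label:28} {f.path}")
        for r in f.reasons:
            print(f"{'':8} - {r}")
```

The Windows-root rule also flags vspc1030.exe, which the installed-programs list ties to the Philips webcam, so a hit is a lead to check against what is installed, not a verdict. sshnas21.dll sits in system32 and gets no hit at all, which is why the MBAM memory-module detection above still matters.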
#3
February 26, 2010 at 19:32:37
Please download ComboFix with Internet Explorer instead of your other browser if possible.

Remember... your PC Tools antivirus and Spybot's TeaTimer must be turned off or disabled before running ComboFix. You do not need to turn off Malwarebytes. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.


#4
February 26, 2010 at 21:11:50
Hi - thanks. Have run the Combo-fix as instructed. I used Internet Explorer as requested - usually use Firefox.
Report posted below.
ComboFix 10-02-26.01 - Owner 27/02/2010 17:44:29.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.64.1033.18.503.228 [GMT 13:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\uohqyuez.sys
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PURWWV
-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
.

2010-02-26 02:24 . 2010-02-26 02:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-26 02:24 . 2010-01-07 03:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-26 02:24 . 2010-02-26 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-26 02:23 . 2010-01-07 03:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-26 02:23 . 2010-02-26 02:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-15 14:54 . 2010-02-15 14:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-15 05:41 . 2010-02-15 05:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2010-02-13 04:36 . 2010-02-13 04:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 22:45 . 2009-03-03 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-26 12:02 . 2007-09-01 06:57 -------- d-----w- c:\program files\PC Tools AntiVirus
2010-02-26 11:59 . 2008-05-08 20:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-19 03:03 . 2008-10-23 07:13 -------- d-----w- c:\program files\Philips
2010-02-19 03:02 . 2008-10-23 07:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Philips
2010-02-19 02:54 . 2008-11-30 09:25 -------- d-----w- c:\program files\Common Files\Macromedia
2010-02-19 02:53 . 2008-11-30 09:25 -------- d-----w- c:\program files\Macromedia
2010-02-19 02:26 . 2005-09-13 11:43 -------- d-----w- c:\program files\LimeWire
2010-02-11 21:42 . 2007-04-04 10:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2008-10-16 04:23 . 2008-10-16 04:23 719612 ----a-w- c:\program files\bulk.zip
2008-09-17 23:38 . 2008-09-17 23:39 867080 ----a-w- c:\program files\ccsetup211_slim.exe
2002-03-19 05:30 . 2002-03-19 05:30 5528 ----a-w- c:\program files\PowerToyReadme.htm
2002-03-19 05:30 . 2002-03-19 05:30 21504 ----a-w- c:\program files\phototoys.dll
2005-09-15 06:26 . 2006-05-16 04:21 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX430 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE" [2004-04-09 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-18 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-18 126976]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-5-1 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-4-26 24576]
REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2009-11-3 790528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2004-09-22 04:10 1871872 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-08 23:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 07:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"dakov"=c:\documents and settings\Owner\dakov.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"spc1030"=c:\windows\vspc1030.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [3/11/2009 9:25 a.m. 38144]
R2 SWAutoLaunch;SWAutoLaunch;c:\program files\Sierra Wireless\3G Wireless Module\Generic\Components\SWAutoLaunch.exe [1/05/2007 2:03 p.m. 65536]
S2 ACPService;ACPService;"c:\program files\Philips\CamSuite\1.0.9.0\ACPService.exe" --> c:\program files\Philips\CamSuite\1.0.9.0\ACPService.exe [?]
S2 purwwv;purwwv;\??\c:\windows\system32\drivers\uohqyuez.sys --> c:\windows\system32\drivers\uohqyuez.sys [?]
S3 827f6407-90be-41df-bea3-d6cb0292aac8;827f6407-90be-41df-bea3-d6cb0292aac8;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]
S3 phaudlwr;Philips Audio Filter;c:\windows\system32\drivers\phaudlwr.sys [24/10/2008 11:55 a.m. 88704]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [3/11/2009 9:22 a.m. 207616]
S3 SPC1030;USB2.0 PC Camera (SPC1030);c:\windows\system32\drivers\spc1030.sys [23/10/2008 8:15 p.m. 3035776]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trademe.co.nz/
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {E7C66126-27FC-4C16-ABFC-29F9C569FCC7} = 202.27.158.40 202.27.156.72
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\k41wueoq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://myairnz.com/myairnz/portal/initViewMyKoru.do?locale=en_NZ&currsite=www.airnz.co.nz
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-dakov - c:\documents and settings\Owner\dakov.exe
MSConfigStartUp-Google Update - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
AddRemove-Collectorz.com Movie Collector - c:\progra~1\COLLEC~1.COM\MOVIEC~1\UNWISE.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 17:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3464)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-27 18:04:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-27 05:04

Pre-Run: 22,918,615,040 bytes free
Post-Run: 22,826,401,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - CB52A563D54A83031CDBE3ABD8BC73E9



#5
February 26, 2010 at 21:22:04
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\drivers\uohqyuez.sys

Driver::
purwwv

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"dakov"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "run".

Please post the log that is produced.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Next create a new restore point. Go to Start > Run > type in msconfig > OK > click Launch System Restore > check the circle beside "Create a restore point" > Next > name it today's date > Create > click Home > exit the System Configuration Utility > restart the computer.

Please run the BitDefender online scan from this link:
Bitdefender Online Scanner

Click I Agree to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click Click here to scan to begin the scan.
Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
When the scan is finished, click on Click here to export the scan results.
Save the report to your desktop so you can post it in your next reply.


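An added example, not code from this thread or from ComboFix, showing how the two findings the helper pulled out of the log in #4 (an autorun pointing at dakov.exe in the profile root, and the orphaned purwwv driver service) can be picked out mechanically and rendered in the CFScript layout used in #5. The sample log lines are copied from the log above; the profile-root and orphaned-driver heuristics are assumptions drawn from this thread's pattern, not a general malware test.

```python
import re

# Constructed sample: lines copied from the ComboFix log posted in #4 above,
# trimmed to the two kinds of entry this parser looks at.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"dakov"=c:\documents and settings\Owner\dakov.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-18 155648]

S2 purwwv;purwwv;\??\c:\windows\system32\drivers\uohqyuez.sys --> c:\windows\system32\drivers\uohqyuez.sys [?]
S3 phaudlwr;Philips Audio Filter;c:\windows\system32\drivers\phaudlwr.sys [24/10/2008 11:55 a.m. 88704]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")
# Hypothetical heuristic: an autorun .exe sitting directly in a profile root.
PROFILE_ROOT_EXE_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$", re.I)

def _strip_trailer(value):
    """Drop ComboFix's trailing '[date size]' / '[?]' annotation and any quotes."""
    return re.sub(r"\s*\[[^\]]*\]$", "", value).strip().strip('"')

def find_suspicious(log_text):
    """One pass over the log; findings are returned in order of appearance.

    Flags (heuristics drawn from this thread, not a general malware test):
    an autorun value whose .exe lives directly in a user's profile root, and a
    driver service whose file is already gone ('[?]'), whose display name just
    repeats the service name, and whose .sys basename differs from that name.
    """
    findings, section = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = RUN_VALUE_RE.match(line)
        if m and "currentversion\\run" in section.lower():
            name, path = m.group(1), _strip_trailer(m.group(2))
            if path and PROFILE_ROOT_EXE_RE.match(path):
                findings.append({"kind": "run", "section": section,
                                 "name": name, "path": path})
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, display, rest = m.groups()
            image = _strip_trailer(rest.split(" --> ")[-1])
            base = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if (rest.endswith("[?]") and display == name
                    and "\\drivers\\" in image.lower() and base.lower() != name.lower()):
                findings.append({"kind": "driver", "name": name, "path": image})
    return findings

def build_cfscript(findings):
    """Render findings in the CFScript layout used in #5 (KILLALL/File/Driver/Registry)."""
    out = ["KILLALL::"]
    drivers = [f for f in findings if f["kind"] == "driver"]
    if drivers:
        out += ["File::", *[f["path"] for f in drivers], ""]
        out += ["Driver::", *[f["name"] for f in drivers], ""]
    runs = [f for f in findings if f["kind"] == "run"]
    if runs:
        out.append("Registry::")
        for f in runs:
            out += ["[%s]" % f["section"], '"%s"=-' % f["name"]]
    return "\n".join(out)

if __name__ == "__main__":
    print(build_cfscript(find_suspicious(SAMPLE_LOG)))
```

Run against the sample it reproduces the script posted in #5; the legitimate IgfxTray and phaudlwr entries are left alone.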

#6
February 26, 2010 at 22:02:53
Hi - this is the log from the rerun of ComboFix. Am doing the ATF Cleaner and other bits now - will post that data as requested - thanks

ComboFix 10-02-26.01 - Owner 27/02/2010 18:43:32.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.64.1033.18.503.263 [GMT 13:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\uohqyuez.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_purwwv


((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
.

2010-02-26 02:24 . 2010-02-26 02:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-26 02:24 . 2010-01-07 03:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-26 02:24 . 2010-02-26 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-26 02:23 . 2010-01-07 03:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-26 02:23 . 2010-02-26 02:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-15 14:54 . 2010-02-15 14:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-15 05:41 . 2010-02-15 05:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2010-02-13 04:36 . 2010-02-13 04:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 22:45 . 2009-03-03 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-26 12:02 . 2007-09-01 06:57 -------- d-----w- c:\program files\PC Tools AntiVirus
2010-02-26 11:59 . 2008-05-08 20:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-19 03:03 . 2008-10-23 07:13 -------- d-----w- c:\program files\Philips
2010-02-19 03:02 . 2008-10-23 07:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Philips
2010-02-19 02:54 . 2008-11-30 09:25 -------- d-----w- c:\program files\Common Files\Macromedia
2010-02-19 02:53 . 2008-11-30 09:25 -------- d-----w- c:\program files\Macromedia
2010-02-19 02:26 . 2005-09-13 11:43 -------- d-----w- c:\program files\LimeWire
2010-02-11 21:42 . 2007-04-04 10:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2008-10-16 04:23 . 2008-10-16 04:23 719612 ----a-w- c:\program files\bulk.zip
2008-09-17 23:38 . 2008-09-17 23:39 867080 ----a-w- c:\program files\ccsetup211_slim.exe
2002-03-19 05:30 . 2002-03-19 05:30 5528 ----a-w- c:\program files\PowerToyReadme.htm
2002-03-19 05:30 . 2002-03-19 05:30 21504 ----a-w- c:\program files\phototoys.dll
2005-09-15 06:26 . 2006-05-16 04:21 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX430 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE" [2004-04-09 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-18 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-18 126976]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-5-1 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-4-26 24576]
REALTEK USB Wireless LAN Utility.lnk - c:\program files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe [2009-11-3 790528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2004-09-22 04:10 1871872 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-08 23:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 07:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"spc1030"=c:\windows\vspc1030.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [3/11/2009 9:25 a.m. 38144]
R2 SWAutoLaunch;SWAutoLaunch;c:\program files\Sierra Wireless\3G Wireless Module\Generic\Components\SWAutoLaunch.exe [1/05/2007 2:03 p.m. 65536]
S2 ACPService;ACPService;"c:\program files\Philips\CamSuite\1.0.9.0\ACPService.exe" --> c:\program files\Philips\CamSuite\1.0.9.0\ACPService.exe [?]
S3 827f6407-90be-41df-bea3-d6cb0292aac8;827f6407-90be-41df-bea3-d6cb0292aac8;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]
S3 phaudlwr;Philips Audio Filter;c:\windows\system32\drivers\phaudlwr.sys [24/10/2008 11:55 a.m. 88704]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [3/11/2009 9:22 a.m. 207616]
S3 SPC1030;USB2.0 PC Camera (SPC1030);c:\windows\system32\drivers\spc1030.sys [23/10/2008 8:15 p.m. 3035776]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trademe.co.nz/
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\k41wueoq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://myairnz.com/myairnz/portal/initViewMyKoru.do?locale=en_NZ&currsite=www.airnz.co.nz
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 18:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2428)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-27 18:58:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-27 05:58
ComboFix2.txt 2010-02-27 05:04

Pre-Run: 22,827,225,088 bytes free
Post-Run: 22,796,685,312 bytes free

- - End Of File - - 53085DC4090559DA1ABBF6440711B53D



#7
February 26, 2010 at 22:10:56
If you do not have an antivirus running you need to, or else you will be reinfected with something worse before too long... these programs are quick to infect a computer.

You can download the free version of AVG antivirus at this link:
AVG Free Antivirus

Update it once you get it installed.

Navigate to and delete this folder if found:

c:\program files\LimeWire



#8
February 27, 2010 at 00:12:30
Hi - Have run the BitDefender program - report below. Am now downloading the AVG virus program. I currently run SPYBOT also, is that enough to stop this happening again? I can not go through this again - it has given me nightmares!!! LOL. I have taken off all Limewire stuff - first thing I did and dealt to 16 year old son who downloaded it!!! - No violence in our family!! but he'll be doing dishes until he's 30!!!
BitDefender Online Scanner

Scan report generated at: Sat, Feb 27, 2010 - 20:51:34
Scan path: C:\;D:\;

Statistics
Time: 01:09:40
Files: 149262
Folders: 6330
Boot Sectors: 0
Archives: 1634
Packed Files: 8101

Results
Identified Viruses: 1
Infected Files: 1
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 1

Engines Info
Virus Definitions: 5330460
Engine build: AVCORE v2.1 Windows/i386 11.0.0.33 (Jan 06 2010)
Scan plugins: 17
Archive plugins: 44
Unpack plugins: 8
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File: C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\uohqyuez.sys.vir
Status: Infected with: Rootkit.33333
Scanned File: C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\uohqyuez.sys.vir
Status: Deleted


#9
February 27, 2010 at 08:20:23
That looks like a clean computer to me. You do need to run the ATF Cleaner if you didn't, and run it about once a week.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

How is the computer operating?



#10
February 28, 2010 at 01:11:23
Hi - many thanks for all your help!! It's like having a new computer - so fast, no more waiting for the keys to show the typing! Have run all the antivirus programs etc you recommended and have installed the Spywareblaster. Will regularly update it, AVG and spybot and BAN kids from Limewire or anything similar. Many thanks!


#11
February 28, 2010 at 08:25:45
Glad we could help.
