#16
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-PROT Antivirus Tray application"="c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2009-08-27 1597832]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 08:51 548352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Motorola\\RSD Lite\\SDL.exe"=
"e:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"e:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [7/8/2005 11:07 AM 10112]
R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [2/15/2010 5:48 PM 682840]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/1/2010 2:37 AM 28552]
R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [8/27/2009 4:26 PM 75424]
S2 Browserxmlprov;Computer Browser Browserxmlprov; srv --> srv [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2/20/2007 11:19 PM 40832]
S3 RkPavproc1;RkPavproc1;c:\windows\system32\drivers\RkPavproc1.sys [3/1/2010 3:18 AM 17544]
S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [4/4/2005 12:19 PM 1462272]
S3 utqyndc4;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\utqyndc4.sys --> c:\windows\system32\Drivers\utqyndc4.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tgczvmzr
.
Contents of the 'Scheduled Tasks' folder

2010-02-28 c:\windows\Tasks\User_Feed_Synchronization-{F3F804D0-89C6-4893-9F67-C297B5DC96B7}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 23:01]

2010-03-01 c:\windows\Tasks\{08F9F48B-330B-4F48-B581-FF6D28F480B3}_ASHISH_Ashish Sethi.job
- c:\windows\system32\mobsync.exe [2002-08-13 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
TCP: {CC818FBF-B893-4115-8D9A-0F787AD1F21D} = 203.187.215.35 203.187.192.15
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ashish Sethi\Application Data\Mozilla\Firefox\Profiles\yfds138r.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.weddingsutra.com/Ashishwedsshilpa/
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={C46363AA-8644-503C-918C-91F45B130289}&q=
FF - component: c:\documents and settings\Ashish Sethi\Application Data\Mozilla\Firefox\Profiles\yfds138r.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Ashish Sethi\Application Data\Mozilla\Firefox\Profiles\yfds138r.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: e:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - plugin: e:\program files\VideoLAN\VLC\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - (no file)
Notify-WRNotifier - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 17:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Browserxmlprov]
"ImagePath"=" srv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,78,3f,8f,ed,14,08,0c,45,bf,28,e5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,78,3f,8f,ed,14,08,0c,45,bf,28,e5,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
e:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1920)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-01 17:31:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-01 12:01

Pre-Run: 797,507,584 bytes free
Post-Run: 639,426,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - B99370B6B1759941E924271121ED972D
#17
Ahh!! Gmer also worked!!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-01 23:04:58
Windows 5.1.2600 Service Pack 3
Running: p17lmety.exe; Driver: C:\DOCUME~1\ASHISH~1\LOCALS~1\Temp\kwtdrpod.sys

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF957C340, 0x105F3F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D6300, 0x2347E0, 0xF8000020]
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe[2296] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00510D8D C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe (Icon in the taskbar notification area (F-PROT Antivirus)/FRISK Software International)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs FStopW.sys (FPAV - RealTime Protector/FRISK Software International)
AttachedDevice \FileSystem\Fastfat \Fat FStopW.sys (FPAV - RealTime Protector/FRISK Software International)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\tgczvmzr\Parameters@ServiceDll C:\WINDOWS\system32\qsxpm.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS@

---- EOF - GMER 1.0.15 ----
#18
Hmm - that would be the first time I have seen ComboFix get that wrong.

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
KillAll::
Driver::
Browserxmlprov
tgczvmzr
File::
C:\WINDOWS\system32\qsxpm.dll
NetSvc::
tgczvmzr
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS]

You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan. ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-------------

Open and update Malwarebytes.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
* Copy and Paste the entire report in your next reply.

If it calls for a reboot to complete the repairs do that as well then.

---------------

Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser).

If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready.

Next, check the following boxes:
Remove found threats
Scan unwanted applications

Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.

If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.

Post that log, the C:\ComboFix.txt log and the Malwarebytes log please.
#19
Hi Jintan,

As guided by you I am pasting the logs.

ComboFix 10-02-28.03 - Ashish Sethi 03/02/2010 1:14.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.83 [GMT 5.5:30]
Running from: c:\documents and settings\Ashish Sethi\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ashish Sethi\Desktop\CFScript.txt
AV: F-PROT Antivirus for Windows *On-access scanning disabled* (Outdated) {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}

FILE ::
"c:\windows\system32\qsxpm.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BROWSERXMLPROV
-------\Legacy_TGCZVMZR
-------\Service_Browserxmlprov

((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.
2010-03-01 10:14 . 2009-12-14 07:08 33280 -c----w- c:\windows\system32\dllcache\csrsrv.dll
2010-03-01 07:20 . 2009-12-16 18:43 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe
2010-02-28 21:48 . 2009-10-07 09:58 17544 ----a-w- c:\windows\system32\drivers\RkPavproc1.sys
2010-02-28 21:07 . 2009-06-30 04:07 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-26 08:39 . 2010-02-25 15:54 634104 ----a-w- c:\documents and settings\Ashish Sethi\Application Data\Mozilla\Firefox\Profiles\yfds138r.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-02-26 08:39 . 2010-02-25 15:54 797904 ----a-w- c:\documents and settings\Ashish Sethi\Application Data\Mozilla\Firefox\Profiles\yfds138r.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-02-26 07:12 . 2010-02-26 07:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-24 08:04 . 2001-08-18 12:00 82501 -c--a-w- c:\windows\system32\dllcache\bckg.dll
2010-02-24 08:04 . 2001-08-18 12:00 48706 -c--a-w- c:\windows\system32\dllcache\rvse.dll
2010-02-24 08:04 . 2001-08-18 12:00 40515 -c--a-w- c:\windows\system32\dllcache\chkr.dll
2010-02-24 08:04 . 2001-08-18 12:00 66113 -c--a-w- c:\windows\system32\dllcache\shvl.dll
2010-02-24 08:04 . 2001-08-18 12:00 57409 -c--a-w- c:\windows\system32\dllcache\hrtz.dll
2010-02-24 08:04 . 2001-08-18 12:00 13894 -c--a-w- c:\windows\system32\dllcache\zonelibm.dll
2010-02-24 08:04 . 2001-08-18 12:00 113222 -c--a-w- c:\windows\system32\dllcache\zoneclim.dll
2010-02-24 08:04 . 2001-08-18 12:00 5632 ----a-w- c:\windows\system32\write.exe
2010-02-24 08:02 . 2001-08-18 12:00 44544 ----a-w- c:\windows\system32\hticons.dll
2010-02-24 08:02 . 2001-08-18 12:00 138752 ----a-w- c:\windows\system32\sndvol32.exe
2010-02-24 08:02 . 2001-08-18 12:00 13312 -c--a-w- c:\windows\system32\dllcache\htrn_jis.dll
2010-02-24 08:02 . 2001-08-18 12:00 73216 ----a-w- c:\windows\system32\avwav.dll
2010-02-24 08:02 . 2001-08-18 12:00 16384 ----a-w- c:\windows\system32\avmeter.dll
2010-02-24 08:02 . 2001-08-18 12:00 227840 ----a-w- c:\windows\system32\avtapi.dll
2010-02-24 08:02 . 2001-08-18 12:00 35328 ----a-w- c:\windows\system32\winchat.exe
2010-02-24 08:01 . 2001-08-18 12:00 605696 ----a-w- c:\windows\system32\getuname.dll
2010-02-24 08:01 . 2001-08-18 12:00 80384 ----a-w- c:\windows\system32\charmap.exe
2010-02-24 08:00 . 2001-08-18 12:00 114688 ----a-w- c:\windows\system32\calc.exe
2010-02-24 08:00 . 2001-08-18 12:00 56832 ----a-w- c:\windows\system32\sol.exe
2010-02-24 08:00 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\winmine.exe
2010-02-24 08:00 . 2001-08-18 12:00 126976 ----a-w- c:\windows\system32\mshearts.exe
2010-02-24 08:00 . 2001-08-18 12:00 55296 ----a-w- c:\windows\system32\freecell.exe
2010-02-24 08:00 . 2001-08-18 12:00 18944 ----a-w- c:\windows\system32\simptcp.dll
2010-02-24 08:00 . 2001-08-18 12:00 10240 ----a-w- c:\windows\system32\wbem\snmpstup.dll
2010-02-24 08:00 . 2010-02-24 09:09 -------- d-----w- c:\program files\trend micro
2010-02-24 07:59 . 2010-02-24 09:10 -------- d-----w- C:\rsit
2010-02-23 11:12 . 2010-02-23 11:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-23 09:38 . 2010-02-23 19:14 -------- d-----w- c:\documents and settings\Ashish Sethi\Local Settings\Application Data\Yahoo!
2010-02-21 19:51 . 2004-03-03 16:00 5504 ------w- c:\windows\system32\drivers\imagedrv.sys
2010-02-21 19:51 . 2004-03-03 16:00 125184 ------w- c:\windows\system32\drivers\imagesrv.sys
2010-02-21 12:26 . 2010-02-27 14:37 -------- d-----w- c:\documents and settings\Ashish Sethi\Application Data\vlc
2010-02-17 20:00 . 2010-02-17 20:00 -------- d-----w- c:\documents and settings\Ashish Sethi\Application Data\Uniblue
2010-02-15 19:16 . 2010-02-15 19:16 -------- d---a-w- c:\documents and settings\Ashish Sethi\Application Data\FRISK Software
2010-02-15 13:01 . 2010-02-15 13:01 52224 ----a-w- c:\documents and settings\Ashish Sethi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-15 13:01 . 2010-02-22 10:12 117760 ----a-w- c:\documents and settings\Ashish Sethi\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-15 12:18 . 2009-08-27 10:55 682840 ----a-w- c:\windows\system32\drivers\FStopW.sys
2010-02-15 12:18 . 2010-02-15 12:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\FRISK Software
2010-02-15 12:18 . 2010-02-15 12:18 -------- d---a-w- c:\program files\FRISK Software
2010-02-15 12:16 . 2010-02-15 12:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-15 12:11 . 2010-02-15 12:11 -------- d--ha-w- c:\documents and settings\NetworkService\Local Settings\Application Data\Microsoft
2010-02-15 12:11 . 2010-03-01 13:36 -------- d-sh--w- c:\documents and settings\NetworkService
2010-02-13 17:02 . 2010-02-13 17:09 -------- d---a-w- C:\getservice
2010-02-12 09:22 . 2010-02-15 08:59 -------- d---a-w- c:\documents and settings\Ashish Sethi\Application Data\Malwarebytes
2010-02-12 09:21 . 2010-02-15 08:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-09 19:57 . 2010-02-28 21:02 -------- d---a-w- c:\program files\Panda Security
2010-02-04 03:41 . 2010-02-04 03:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Creative
2010-02-04 02:46 . 2010-02-04 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-03 19:53 . 2010-02-03 19:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-03 19:47 . 2010-02-20 14:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-02 09:43 . 2010-03-01 05:00 -------- d---a-w- c:\documents and settings\Ashish Sethi\Application Data\QuickScan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-22 13:12 . 2010-01-14 12:05 -------- d---a-w- c:\documents and settings\Ashish Sethi\Application Data\Azureus
2010-02-15 12:56 . 2010-01-19 20:42 -------- d---a-w- c:\documents and settings\Ashish Sethi\Application Data\SUPERAntiSpyware.com
2010-02-03 19:06 . 2010-01-15 14:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-01-22 17:28 . 2010-01-22 17:28 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F60730A4A66673047777F5728467D401.dll
2010-01-22 17:28 . 2010-01-22 17:28 809 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7449A0300000010.dll
2010-01-22 17:28 . 2010-01-22 17:28 448 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_4F57260AB42358E4596E782BDC274910.dll
2010-01-22 17:28 . 2010-01-22 17:28 27 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_4EA42A62D9304AC4784BF238120681FF.dll
2010-01-22 17:28 . 2010-01-22 17:28 139 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1FBBCDDC3072CB6439B8CB8CA1E1AEAA.dll
2010-01-22 14:19 . 2010-01-22 14:19 -------- d---a-w- c:\program files\Common Files\Wise Installation Wizard
2010-01-21 15:38 . 2002-08-13 02:43 -------- d---a-w- c:\program files\Common Files\Adobe
2010-01-19 20:43 . 2010-01-19 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-15 21:29 . 2010-01-15 21:29 -------- d---a-w- c:\program files\Common Files\Java
2010-01-15 21:29 . 2010-01-15 21:29 61440 ----a-w- c:\documents and settings\Ashish Sethi\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5abd89ff-n\decora-sse.dll
2010-01-15 21:29 . 2010-01-15 21:29 503808 ----a-w- c:\documents and settings\Ashish Sethi\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5abd89ff-n\msvcp71.dll
2010-01-15 21:29 . 2010-01-15 21:29 499712 ----a-w- c:\documents and settings\Ashish Sethi\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5abd89ff-n\jmc.dll
2010-01-15 21:29 . 2010-01-15 21:29 348160 ----a-w- c:\documents and settings\Ashish Sethi\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5abd89ff-n\msvcr71.dll
2010-01-15 21:29 . 2010-01-15 21:29 12800 ----a-w- c:\documents and settings\Ashish Sethi\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5abd89ff-n\decora-d3d.dll
2010-01-15 21:29 . 2010-01-15 21:29 114688 ----a-w- c:\documents and settings\Ashish Sethi\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-7d036020-n\jogl_cg.dll
2010-01-15 21:29 . 2010-01-15 21:29 315392 ----a-w- c:\documents and settings\Ashish Sethi\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-7d036020-n\jogl.dll
2010-01-15 21:29 . 2010-01-15 21:29 20480 ----a-w- c:\documents and settings\Ashish Sethi\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-7d036020-n\jogl_awt.dll
2010-01-15 21:29 . 2010-01-15 21:29 20480 ----a-w- c:\documents and settings\Ashish Sethi\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\4f710eed-5bb81b18-n\gluegen-rt.dll
2010-01-15 21:17 . 2010-01-15 21:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-15 21:15 . 2004-12-18 08:22 -------- d---a-w- c:\program files\Java
2010-01-15 15:00 . 2010-01-15 15:00 907 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_3e43b73803c7c394f8a6b2f0402e19c2.dll
2010-01-15 15:00 . 2010-01-15 15:00 3568 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_26DDC2EC4210AC63483DF9D4FCC5B59D.dll
2010-01-15 15:00 . 2010-01-15 15:00 133 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_22D599A1117F9914384D75B995A3645C.dll
2010-01-15 15:00 . 2010-01-15 15:00 152 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0E23E40C6140D434FA9B96967D309AFE.dll
2010-01-15 15:00 . 2010-01-15 15:00 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0DC1503A46F231838AD88BCDDC8E8F7C.dll
2010-01-15 15:00 . 2010-01-15 15:00 57 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0D827F8E0F3CBE24BB2C4C3AA875C71B.dll
2010-01-15 15:00 . 2010-01-15 15:00 108 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.dll
2010-01-15 15:00 . 2010-01-15 15:00 423 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_00002109020090400000000000F01FEC.dll
2010-01-14 12:05 . 2010-01-14 12:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\Azureus
2010-01-14 05:42 . 2010-01-21 16:47 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 05:10 . 2002-08-13 02:28 -------- d-----w- c:\program files\InstallShield Installation Information
2010-01-11 12:15 . 2010-01-11 12:15 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-01-11 12:15 . 2010-01-11 12:15 39 ----a-w- c:\windows\system32\rp_rules.dat
2010-01-11 11:02 . 2010-01-11 06:52 0 ----a-w- c:\windows\system32\drivers\str.sys.vir
2010-01-09 22:47 . 2010-01-09 22:47 0 ----a-w- c:\windows\nsreg.dat
2009-12-31 16:50 . 2009-09-24 13:57 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-01-08 23:23 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-04 07:56 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2009-09-24 13:58 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2009-09-24 13:57 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2009-09-24 13:57 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2009-09-24 13:57 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2005-09-15 12:56 . 2004-12-13 05:56 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
.
#20
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-PROT Antivirus Tray application"="c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2009-08-27 1597832]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 08:51 548352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Motorola\\RSD Lite\\SDL.exe"=
"e:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"e:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [7/8/2005 11:07 AM 10112]
R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [2/15/2010 5:48 PM 682840]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/1/2010 2:37 AM 28552]
R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [8/27/2009 4:26 PM 75424]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2/20/2007 11:19 PM 40832]
S3 RkPavproc1;RkPavproc1;c:\windows\system32\drivers\RkPavproc1.sys [3/1/2010 3:18 AM 17544]
S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [4/4/2005 12:19 PM 1462272]
S3 utqyndc4;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\utqyndc4.sys --> c:\windows\system32\Drivers\utqyndc4.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-01 c:\windows\Tasks\User_Feed_Synchronization-{F3F804D0-89C6-4893-9F67-C297B5DC96B7}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 23:01]

2010-03-01 c:\windows\Tasks\{08F9F48B-330B-4F48-B581-FF6D28F480B3}_ASHISH_Ashish Sethi.job
- c:\windows\system32\mobsync.exe [2002-08-13 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ashish Sethi\Application Data\Mozilla\Firefox\Profiles\yfds138r.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.weddingsutra.com/Ashishwedsshilpa/
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={C46363AA-8644-503C-918C-91F45B130289}&q=
FF - component: c:\documents and settings\Ashish Sethi\Application Data\Mozilla\Firefox\Profiles\yfds138r.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Ashish Sethi\Application Data\Mozilla\Firefox\Profiles\yfds138r.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: e:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - plugin: e:\program files\VideoLAN\VLC\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 01:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
e:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3880)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-02 01:38:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-01 20:08
ComboFix2.txt 2010-03-01 12:01

Pre-Run: 653,279,232 bytes free
Post-Run: 609,460,224 bytes free

- - End Of File - - 37D941F4283EC587B766A66081988618
#21
Malwarebytes' Anti-Malware 1.44
Database version: 3811
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/2/2010 4:39:43 AM
mbam-log-2010-03-02 (04-39-43).txt

Scan type: Quick Scan
Objects scanned: 135581
Time elapsed: 15 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
#22
Looking good. Let's see if ComboFix will help remove some malware changes to Firefox there, then scan to make sure nothing remains. First I would like to check one file.
Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

Then just go here, press new topic, fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to & select the following file on your computer:

c:\documents and settings\Ashish Sethi\Application Data\Mozilla\Firefox\Profiles\yfds138r.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.

---------------

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Also make a copy of the following, then close all open browsers, especially Firefox. Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
Firefox::
FF - ProfilePath - c:\documents and settings\Ashish Sethi\Application Data\Mozilla\Firefox\Profiles\yfds138r.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.weddingsutra.com/Ashishwedsshilpa/
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={C46363AA-8644-503C-918C-91F45B130289}&q=
You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-------------

Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser).

If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready.

Next, check the following boxes:
Remove found threats
Scan unwanted applications

Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient.

A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.

If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.

Post that log and the C:\ComboFix.txt please.
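The four "FF - prefs.js:" lines that the helper's CFScript targets are the classic Firefox search-hijack indicators: browser.search.defaulturl, browser.search.selectedEngine, keyword.URL (the address-bar keyword search pref of that Firefox generation) and browser.startup.homepage, three of them redirected to fastbrowsersearch.com. The script below is an added example, not part of the thread or of ComboFix: it parses a prefs.js (each preference is stored as `user_pref("name", value);`), flags search/homepage prefs whose URL host is not on an allow-list or whose engine name is not one the user chose, and shows how to strip those lines so Firefox falls back to its defaults. The allow-list, the known-engine list and the sample prefs.js are assumptions constructed for the example; the sample mirrors the log entries above with the forum's hxxp defanging undone.

```python
"""Parse a Firefox prefs.js and flag search/homepage hijack indicators.

Added example, not part of the thread. The prefs named below are the ones the
ComboFix log reported as rewritten (browser.search.defaulturl, keyword.URL, ...).
prefs.js stores each preference as:  user_pref("name", value);
"""
import re
from urllib.parse import urlparse

# Preferences that search hijackers commonly rewrite.
SEARCH_PREFS = {
    "browser.search.defaulturl",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "browser.startup.homepage",
    "keyword.URL",
}

# Assumptions for this example: hosts and engine names the profile's owner
# actually chose. A real run would take these from the user.
ALLOWED_HOSTS = {"www.google.com", "www.weddingsutra.com"}
KNOWN_ENGINES = {"Google", "Yahoo", "Bing", "Wikipedia (en)"}

# Constructed sample prefs.js mirroring the "FF - prefs.js:" lines in the log
# (hxxp in the log is the forum's defanged form of http).
SAMPLE_PREFS_JS = r'''# Mozilla User Preferences
user_pref("browser.search.defaulturl", "http://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=");
user_pref("browser.search.selectedEngine", "Fast Browser Search");
user_pref("browser.startup.homepage", "http://www.weddingsutra.com/Ashishwedsshilpa/");
user_pref("keyword.URL", "http://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={C46363AA-8644-503C-918C-91F45B130289}&q=");
user_pref("browser.cache.disk.capacity", 51200);
user_pref("extensions.lastAppVersion", "3.6");
'''

_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref line; string values are unquoted."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            # Undo the JS string escaping prefs.js uses for quotes and backslashes.
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        prefs[name] = raw
    return prefs


def find_hijacks(prefs, allowed_hosts=ALLOWED_HOSTS, known_engines=KNOWN_ENGINES):
    """Return [(pref, value, reason)] for search/homepage prefs that look hijacked."""
    findings = []
    for name in sorted(set(prefs) & SEARCH_PREFS):
        value = prefs[name]
        if value.lower().startswith(("http://", "https://")):
            host = (urlparse(value).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append((name, value, "URL points at unexpected host " + host))
        elif name in ("browser.search.selectedEngine", "browser.search.defaultenginename"):
            if value not in known_engines:
                findings.append((name, value, "search engine name is not one the user chose"))
    return findings


def strip_prefs(text, names):
    """Return prefs.js text with the named user_pref lines removed.

    Firefox rewrites prefs.js on exit, so this must be applied with Firefox
    closed; the removed prefs fall back to their built-in defaults.
    """
    kept = []
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m and m.group(1) in names:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    hits = find_hijacks(prefs)
    for name, value, reason in hits:
        print(f"{name}: {reason}\n    {value}")
    cleaned = strip_prefs(SAMPLE_PREFS_JS, {h[0] for h in hits})
    print("--- cleaned prefs.js ---")
    print(cleaned, end="")
```

On the sample this reports the two fastbrowsersearch.com URLs and the "Fast Browser Search" engine name, and leaves the weddingsutra.com homepage alone because its host is on the allow-list. Point it at a real profile (the ProfilePath in the log) only with Firefox fully closed, and keep a copy of the original prefs.js before stripping anything.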