#16

GMER LOG
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-05 11:08:37
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5145588]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5145444]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF5145922]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF514501C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF514551E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF5144F5C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF5144FC0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF514563E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF51455FE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF514577E]

---- Kernel code sections - GMER 1.0.14 ----

? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[508] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[508] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths@Directory C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1@CachePath C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\Cache1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2@CachePath C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\Cache2
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3@CachePath C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\Cache3
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4@CachePath C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\Cache4

---- EOF - GMER 1.0.14 ----
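A GMER log of the shape posted above can be triaged mechanically. The Python below is an added example, not GMER's code and not from this thread: it splits the log into its sections, groups the SSDT hooks by the driver that owns them, and sets aside any hook whose driver carries no trusted vendor string, alongside the IAT and AttachedDevice records. The vendor allowlist, the sample excerpt and the placeholder driver name sample_nover.sys are constructed for the example.

```python
"""Triage a GMER text log.  Added example: not GMER's code and not from the thread.

The log is split into its '---- <name> - GMER x.y ----' sections; SSDT, IAT and
AttachedDevice records are parsed and SSDT hooks are grouped by owning driver.
Hooks from a driver without a trusted vendor string are listed separately.
"""
import re
from collections import defaultdict

# Constructed allowlist of the vendor strings expected on this machine.
TRUSTED_VENDORS = {"ALWIL Software", "Microsoft Corporation"}

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# SSDT <driver path> [(<description>/<vendor>)] <ZwFunction> [0x<address>]
# The bracketed vendor part is absent when GMER finds no version info.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
                     r"\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
IAT_RE = re.compile(r"^IAT\s+(?P<proc>.+?\[\d+\])\s+@\s+(?P<image>.+?)"
                    r"\s+\[(?P<import>[^\]]+)\]\s+(?P<target>\S+)$")
DEV_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)"
                    r"\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?$")

# Constructed excerpt in the GMER 1.0.14 layout of the log above; the
# 'sample_nover.sys' line is a placeholder for a hook with no vendor string.
SAMPLE_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-05 11:08:37
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF5144F5C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF514577E]
SSDT \??\C:\WINDOWS\system32\drivers\sample_nover.sys ZwQueryDirectoryFile [0xF7A01234]

---- Kernel code sections - GMER 1.0.14 ----

? C:\ComboFix\catchme.sys The system cannot find the path specified. !

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[508] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.14 ----
"""


def parse_sections(text):
    """Return {section name: [non-empty record lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def vendor_of(desc):
    """GMER prints '<file description>/<company>'; return the company part."""
    return desc.rsplit("/", 1)[-1].strip() if desc else None


def triage(text, trusted=TRUSTED_VENDORS):
    """Summarise the hooks, unreadable modules and device filters in a GMER log."""
    sections = parse_sections(text)
    hooks_by_module, untrusted = defaultdict(list), []
    for m in filter(None, map(SSDT_RE.match, sections.get("System", []))):
        module = m.group("module").rsplit("\\", 1)[-1].lower()
        hooks_by_module[module].append(m.group("func"))
        if vendor_of(m.group("desc")) not in trusted:
            untrusted.append((module, m.group("func"), "0x" + m.group("addr").upper()))
    # A leading '?' means GMER could not read the file behind a loaded code section.
    unreadable = [l for l in sections.get("Kernel code sections", []) if l.startswith("?")]
    iat = [(m.group("proc"), m.group("import"), m.group("target"))
           for m in filter(None, map(IAT_RE.match, sections.get("User IAT/EAT", [])))]
    devices = [(m.group("device"), m.group("module"), vendor_of(m.group("desc")))
               for m in filter(None, map(DEV_RE.match, sections.get("Devices", [])))]
    return {"hooks_by_module": {k: sorted(v) for k, v in hooks_by_module.items()},
            "untrusted_ssdt": untrusted, "unreadable_modules": unreadable,
            "iat_hooks": iat, "attached_devices": devices}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```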

#17

There is no evidence of a rootkit infection.

I want to see what services are running. Go to Start > Run and type: cmd.exe and OK. Copy and paste the below string after the prompt > and hit Enter.

sc query > c:\services.txt & start notepad c:\services.txt

Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.

Next open a command prompt again and copy and paste the below commands please and hit Enter after each line.

cd\
regdelnull hklm -s

Your registry will be scanned and if any of the entries I am looking for are found, the scan will stop and you will be asked to confirm deletion; type n and hit Enter and let the scan continue until it has finished. When it has finished, click on the icon in the top left-hand corner of the Command Prompt and choose Edit > Select All and then Edit > Copy. Right-click on your Desktop and create a text file. Open it and position your mouse inside the file, right-click again and choose Paste. Save the file and post the contents here.

#18

SERVICE_NAME: ALG DISPLAY_NAME: Application Layer Gateway Service TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE :0(0x0) SERVICE_EXIT_CODE :0(0x0) CHECKPOINT :0x0 WAIT_HINT :0x0
SERVICE_NAME: aswUpdSv DISPLAY_NAME: avast! iAVS4 Control Service TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE :0(0x0) SERVICE_EXIT_CODE :0(0x0) CHECKPOINT :0x0 WAIT_HINT :0x0
SERVICE_NAME: AudioSrv DISPLAY_NAME: Windows Audio TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE :0(0x0) SERVICE_EXIT_CODE :0(0x0) CHECKPOINT :0x0 WAIT_HINT :0x0
SERVICE_NAME: avast! Antivirus DISPLAY_NAME: avast! Antivirus TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE :0 (0x0) SERVICE_EXIT_CODE :0 (0x0) CHECKPOINT :0x0 WAIT_HINT :0x0
SERVICE_NAME: avast! Mail Scanner DISPLAY_NAME: avast! Mail Scanner TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: avast! Web Scanner DISPLAY_NAME: avast! Web Scanner TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: BITS DISPLAY_NAME: Background Intelligent Transfer Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: C-DillaCdaC11BA DISPLAY_NAME: C-DillaCdaC11BA TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: CryptSvc DISPLAY_NAME: Cryptographic Services TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: DcomLaunch DISPLAY_NAME: DCOM Server Process Launcher TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: Dhcp DISPLAY_NAME: DHCP Client TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: dmserver DISPLAY_NAME: Logical Disk Manager TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: Dnscache DISPLAY_NAME: DNS Client TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: ERSvc DISPLAY_NAME: Error Reporting Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: Eventlog DISPLAY_NAME: Event Log TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: EventSystem DISPLAY_NAME: COM+ Event System TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: FastUserSwitchingCompatibility DISPLAY_NAME: Fast User Switching Compatibility TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: helpsvc DISPLAY_NAME: Help and Support TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: lanmanserver DISPLAY_NAME: Server TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: lanmanworkstation DISPLAY_NAME: Workstation TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: LmHosts DISPLAY_NAME: TCP/IP NetBIOS Helper TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: Netman DISPLAY_NAME: Network Connections TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: Nla DISPLAY_NAME: Network Location Awareness (NLA) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: PlugPlay DISPLAY_NAME: Plug and Play TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: Pml Driver HPZ12 DISPLAY_NAME: Pml Driver HPZ12 TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: PolicyAgent DISPLAY_NAME: IPSEC Services TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: ProtectedStorage DISPLAY_NAME: Protected Storage TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: RasMan DISPLAY_NAME: Remote Access Connection Manager TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: RemoteRegistry DISPLAY_NAME: Remote Registry TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: RpcSs DISPLAY_NAME: Remote Procedure Call (RPC) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: SamSs DISPLAY_NAME: Security Accounts Manager TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: Schedule DISPLAY_NAME: Task Scheduler TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: seclogon DISPLAY_NAME: Secondary Logon TYPE : 120 WIN32_SHARE_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: SENS DISPLAY_NAME: System Event Notification TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: SharedAccess DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: ShellHWDetection DISPLAY_NAME: Shell Hardware Detection TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: Spooler DISPLAY_NAME: Print Spooler TYPE : 110 WIN32_OWN_PROCESS (interactive) STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: srservice DISPLAY_NAME: System Restore Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: SSDPSRV DISPLAY_NAME: SSDP Discovery Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: stisvc DISPLAY_NAME: Windows Image Acquisition (WIA) TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: Tally License Server DISPLAY_NAME: Tally License Server (NT) TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: TapiSrv DISPLAY_NAME: Telephony TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: TermService DISPLAY_NAME: Terminal Services TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: Themes DISPLAY_NAME: Themes TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: TrkWks DISPLAY_NAME: Distributed Link Tracking Client TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: ugiipqd DISPLAY_NAME: Unigraphics Plot Server (ugiipqd) TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: Unigraphics License Server (uglmd) DISPLAY_NAME: Unigraphics License Server (uglmd) TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: W32Time DISPLAY_NAME: Windows Time TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: WebClient DISPLAY_NAME: WebClient TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: winmgmt DISPLAY_NAME: Windows Management Instrumentation TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: wscsvc DISPLAY_NAME: Security Center TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: wuauserv DISPLAY_NAME: Automatic Updates TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
SERVICE_NAME: WZCSVC DISPLAY_NAME: Wireless Zero Configuration TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
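The sc query dump posted above can be checked with a script rather than by eye. As an added example, not from this thread, the Python below parses each SERVICE_NAME record into fields and lists the services outside a baseline that run in their own process, are marked interactive, or carry no descriptive display name; BASELINE and the sample excerpt are constructed for the example, and the baseline is deliberately partial.

```python
"""Review an 'sc query' dump such as the services.txt requested in the thread.

Added example, not from the thread: each SERVICE_NAME record is parsed into
fields and the services a reviewer should check first are listed.  BASELINE
is a constructed, deliberately partial allowlist of Windows XP service names
standing in for whatever known-good list the reviewer keeps.
"""
import re

BASELINE = {"ALG", "AudioSrv", "BITS", "CryptSvc", "DcomLaunch", "Dhcp",
            "Dnscache", "Eventlog", "PlugPlay", "RpcSs", "SamSs", "Spooler"}

# Service type bits as printed (in hex) in the TYPE field.
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_INTERACTIVE_PROCESS = 0x100

KV_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")

# Constructed excerpt in the layout 'sc query' prints on Windows XP.
SAMPLE_DUMP = """
SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: avast! Antivirus
DISPLAY_NAME: avast! Antivirus
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: C-DillaCdaC11BA
DISPLAY_NAME: C-DillaCdaC11BA
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""


def parse_sc_query(text):
    """Return one dict per SERVICE_NAME record with decoded type and state."""
    services = []
    for chunk in re.split(r"(?m)^SERVICE_NAME:", text)[1:]:
        lines = chunk.splitlines()
        rec = {"SERVICE_NAME": lines[0].strip(), "CONTROLS": []}
        for line in lines[1:]:
            m = KV_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
            elif line.strip().startswith("("):
                # continuation line under STATE: the accepted control codes
                rec["CONTROLS"] = line.strip().strip("()").split(",")
        type_code = int(rec.get("TYPE", "0").split()[0], 16)
        rec["own_process"] = bool(type_code & SERVICE_WIN32_OWN_PROCESS)
        rec["interactive"] = bool(type_code & SERVICE_INTERACTIVE_PROCESS)
        rec["state"] = rec.get("STATE", "? UNKNOWN").split()[-1]
        services.append(rec)
    return services


def review(services, baseline=BASELINE):
    """Map service name -> reasons it deserves a closer look."""
    findings = {}
    for svc in services:
        name = svc["SERVICE_NAME"]
        if name in baseline:
            continue
        reasons = []
        if svc["own_process"]:
            reasons.append("own-process service outside the baseline")
        if svc["interactive"]:
            reasons.append("interactive service: may put windows on the desktop")
        if svc.get("DISPLAY_NAME", "") == name:
            reasons.append("display name is just the internal service name")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review(parse_sc_query(SAMPLE_DUMP)).items():
        print(name, "->", "; ".join(reasons))
```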

#19

got an error on the registry scanner

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\redilens>cd\

C:\>regdelnull hklm -s
'regdelnull' is not recognized as an internal or external command,
operable program or batch file.

C:\>regdelnull hklm-s
'regdelnull' is not recognized as an internal or external command,
operable program or batch file.

C:\>regdelnull hklm -s
'regdelnull' is not recognized as an internal or external command,
operable program or batch file.

C:\>

#20

Oops, sorry purveet, I didn't post the link to download the utility. You need to go here and download RegDelNull.zip first. Unzip the file and when you have done this, read the EULA and then copy and paste RegDelNull.exe to your C folder.

Follow my instructions now. Your services are fine.

#21

hey ann...

did the scan... it didn't find anything.. hope that's good...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\redilens>cd\

C:\>regdelnull hklm -s

RegDelNull v1.10 - Delete Registry keys with embedded Nulls
Copyright (C) 2005-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

Scan complete.

C:\>

#22

Yes that's good.
Open Notepad and copy and paste the text in the code box below into it as you did before, and save the file as CFScript.txt

Code:
File::
C:\WINDOWS\SYSTEM32\ciwdaapi.sys
C:\WINDOWS\SYSTEM32\spwdbapi.sys
C:\WINDOWS\SYSTEM32\mpwdeapi.dll
C:\WINDOWS\SYSTEM32\siwdaapi.exe
C:\WINDOWS\SYSTEM32\axptajpg.exe
Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"=-
"{55694105-5108-9405-3695-954187462155}"=-
I have to log out now but I will be back in a couple of hours' time.

#23

hey ann.. here are the scans...
ComboFix 08-06-01.6 - redilens 2008-06-05 12:24:06.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.488 [GMT 5.5:30]
Running from: C:\Documents and Settings\redilens\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\redilens\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\axptajpg.exe
C:\WINDOWS\SYSTEM32\ciwdaapi.sys
C:\WINDOWS\SYSTEM32\mpwdeapi.dll
C:\WINDOWS\SYSTEM32\siwdaapi.exe
C:\WIND
OWS\SYSTEM32\spwdbapi.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\axptajpg.exe
C:\WINDOWS\SYSTEM32\ciwdaapi.sys
C:\WINDOWS\SYSTEM32\mpwdeapi.dll
C:\WINDOWS\SYSTEM32\siwdaapi.exe
C:\WINDOWS\SYSTEM32\spwdbapi.sys
.

((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-05 10:56 . 2008-06-05 10:56 250 --a------ C:\WINDOWS\gmer.ini
2008-06-05 10:42 . 2008-06-05 10:42 <DIR> d-------- C:\gmer
2008-06-04 14:20 . 2008-06-04 14:20 <DIR> d-------- C:\Documents and Settings\redilens\Application Data\Malwarebytes
2008-06-04 14:20 . 2008-06-04 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 14:20 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-04 14:20 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-04 14:16 . 2008-06-04 14:16 <DIR> d-------- C:\Program Files\Common Files\Download Manager
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-05-07 09:43 79,272 ----a-w C:\Documents and Settings\redilens\Application Data\GDIPFONTCACHEV1.DAT
2008-04-29 08:02 --------- d-sh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 08:02 --------- d-----w C:\Program Files\Windows Live
2008-04-29 08:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-28 07:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2003-12-05 14:09 266 --sh--w C:\Program Files\desktop.ini
2003-12-05 14:09 11,079 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2008-06-03_15.04.21.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 05:41:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 05:20:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 05:26:34 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-04-17 15:43:02 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2008-06-05 05:26:34 85,969 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\gmer.sys
+ 2008-06-05 05:21:18 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_458.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2005-09-23 08:35 8450560 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44 1200128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 04:49 79224]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
24Online Client.lnk - C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe [2004-01-06 11:12:46 245760]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=SysWoWCt.dll,skqncbib.dll,nhmxbjkl.dll,yzztimsn.dll,nhmxcjkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"Vids.draw"= dvideo.dll
"VIDC.SP62"= SP6X_32.DLL
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"SENTINEL"= snti386.dll
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RealJukeboxSystray"=C:\Program Files\Real\RealJukebox\tsystray.exe
"Yahoo! Pager"=C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AltnetPointsManager"=c:\program files\altnet\points manager\points manager.exe -s
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"ccRegVfy"=C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
"Advanced Tools Check"=C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
"NPROTECT"=C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
"Openwares LiveUpdate"=C:\Program Files\LiveUpdate\LiveUpdate.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"RealTray"=C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
"LoadQM"=loadqm.exe
"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\hi\msnappau.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"ashMaiSv"=C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"avast! Web Scanner"=C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"NPROTECT"=C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
"ccEvtMgr"=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"ScriptBlocking"="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
"RNBOStart"=C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\EDS\\Unigraphics NX 2.0\\UGII\\ugraf.exe"=
"D:\\Program Files\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"D:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\BitTorrent\\bittorrent.exe"=
"D:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"D:\Program Files\Microsoft ActiveSync\rapimgr.exe"= D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"= D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"F:\\Games\\Age of Empires II\\Age Of Empires 2.exe"=
"E:\\Program Files\\Tally\\tally9.exe"=
"C:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe"=
"D:\\Program Files\\Tally 72\\tally72.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 04:50]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 04:46]
R2 Cap7134;TV Capture Card WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2002-08-25 21:30]
R2 Unigraphics License Server (uglmd);Unigraphics License Server (uglmd);"D:\Program Files\EDS\License Servers\UGNXFLEXlm\lmgrd.exe" [2003-06-30 18:05]
R3 PhTVTune;TV Capture Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2002-07-16 21:30]
S2 Tally License Server;Tally License Server (NT);E:\Program Files\Tally\tallylicserver.exe [2006-12-12 16:04]
S2 ugiipqd;Unigraphics Plot Server (ugiipqd);C:\WINDOWS\system32\spool\ugplot\ugiipqd.exe [2003-07-23 19:07]
S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys [2004-01-19 20:57]
S3 SPCA508A;Micro WebCam;C:\WINDOWS\system32\DRIVERS\SPCA508A.SYS [2000-08-17 14:30]

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-06-04 13:30:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2004-02-25 07:00:30 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job" - C:\WINDOWS\DEFRAG.EXE
"2004-02-25 07:00:30 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job" - C:\WINDOWS\CLEANMGR.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 12:26:12
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-05 12:27:04
ComboFix-quarantined-files.txt 2008-06-05 06:57:02
ComboFix4.txt 2008-06-03 09:34:54
ComboFix3.txt 2008-06-05 03:50:32
ComboFix2.txt 2008-06-05 05:24:44

Pre-Run: 114,458,624 bytes free
Post-Run: 106,184,704 bytes free

187 --- E O F --- 2008-04-26 13:02:42

#24

HJT LOG---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:44 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\EDS\License Servers\UGNXFLEXlm\lmgrd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\EDS\License Servers\UGNXFLEXlm\uglmd.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\hi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\hi\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'Default user')
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E2438DE-9143-4060-A7F8-6E967E266439}: Domain = manage.cyberoam
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E2438DE-9143-4060-A7F8-6E967E266439}: NameServer = 172.16.251.251
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4AAB6CE-48A8-424B-A2F4-B376B57092E1}: Domain = manage.cyberoam
O20 - AppInit_DLLs: SysWoWCt.dll,skqncbib.dll,nhmxbjkl.dll,yzztimsn.dll,nhmxcjkl.dll
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Tally License Server (NT) (Tally License Server) - Unknown owner - E:\Program Files\Tally\tallylicserver.exe
O23 - Service: Unigraphics Plot Server (ugiipqd) (ugiipqd) - Unigraphics Solutions, Inc - C:\WINDOWS\system32\spool\ugplot\ugiipqd.exe
O23 - Service: Unigraphics License Server (uglmd) - Macrovision Corporation - D:\Program Files\EDS\License Servers\UGNXFLEXlm\lmgrd.exe

--
End of file - 6916 bytes
#25
hey again...
the alerts on avast have reduced... got a couple of alerts for wmsetup.dll
#26
Ok. I think that file will be in your temp files. I'll address that shortly.
Close Internet Explorer and any open windows and run Hijack This again. Check the below entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O20 - AppInit_DLLs: SysWoWCt.dll,skqncbib.dll,nhmxbjkl.dll,yzztimsn.dll,nhmxcjkl.dll
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)

Reboot and go here and download ATF cleaner (do not download the Recommended Download on the mirror site). Use it to remove all Temp Files, Cookies and Temp Internet Files, Java Cache and any others that you would like to remove. If you also use Opera or Firefox, also click on the cleaning options for each browser.

Next, disable your antivirus program. To do this, right-click on the Icon in the Notification area (lower right-hand corner of your screen) and choose Quit, Exit, Close or whatever option is offered.

Now go here and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit > Select All then copy the log and paste it back here.

Run Hijack This again and post a new log please. Also run ComboFix and post a new log.
#27
hey ann... sorry for the delay... did all the scans.... here are the logs

Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;

Statistics
Time 01:14:38
Files 198228
Folders 5685
Boot Sectors 6
Archives 3471
Packed Files 7228

Results
Identified Viruses 19
Infected Files 70
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 69

Engines Info
Virus Definitions 1260216
Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins 16
Archive plugins 42
Unpack plugins 7
E-mail plugins 6
System plugins 5

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File - Status
C:\WINDOWS\SYSTEM\SFGPack.dat=>92cc8a4b-dadf-4fcd-b03d-9da31d3cc4a0.combo=>(Embedded EXE g) Infected with: Trojan.Veevo.B
C:\WINDOWS\SYSTEM\SFGPack.dat=>92cc8a4b-dadf-4fcd-b03d-9da31d3cc4a0.combo=>(Embedded EXE g) Deleted
C:\WINDOWS\SYSTEM\SFGPack.dat=>92cc8a4b-dadf-4fcd-b03d-9da31d3cc4a0.combo Update failed
C:\WINDOWS\SYSTEM\VeevoPack.dat=>afb8a913-4ba7-4eb2-b9d6-1399aac793e8.combo=>(Embedded EXE g) Detected with: Adware.Veevo.B
C:\WINDOWS\SYSTEM\VeevoPack.dat=>afb8a913-4ba7-4eb2-b9d6-1399aac793e8.combo=>(Embedded EXE g) Deleted
C:\WINDOWS\SYSTEM\VeevoPack.dat=>afb8a913-4ba7-4eb2-b9d6-1399aac793e8.combo Update failed
C:\WINDOWS\SYSTEM\VeevoPack\83a38b1e-db60-4f23-83fd-26980f1e3089.combo=>(Embedded EXE g) Detected with: Adware.Popupdefence.A
C:\WINDOWS\SYSTEM\VeevoPack\83a38b1e-db60-4f23-83fd-26980f1e3089.combo=>(Embedded EXE g) Deleted
C:\WINDOWS\SYSTEM\VeevoPack\83a38b1e-db60-4f23-83fd-26980f1e3089.combo Update failed
C:\WINDOWS\SYSTEM\VeevoPack\afb8a913-4ba7-4eb2-b9d6-1399aac793e8.combo=>(Embedded EXE g) Detected with: Adware.Veevo.B
C:\WINDOWS\SYSTEM\VeevoPack\afb8a913-4ba7-4eb2-b9d6-1399aac793e8.combo=>(Embedded EXE g) Deleted
C:\WINDOWS\SYSTEM\VeevoPack\afb8a913-4ba7-4eb2-b9d6-1399aac793e8.combo Update failed
C:\WINDOWS\SYSTEM\SFGPack\92cc8a4b-dadf-4fcd-b03d-9da31d3cc4a0.combo=>(Embedded EXE g) Infected with: Trojan.Veevo.B
C:\WINDOWS\SYSTEM\SFGPack\92cc8a4b-dadf-4fcd-b03d-9da31d3cc4a0.combo=>(Embedded EXE g) Deleted
C:\WINDOWS\SYSTEM\SFGPack\92cc8a4b-dadf-4fcd-b03d-9da31d3cc4a0.combo Update failed
C:\WINDOWS\SYSTEM32\exclean.exe Detected with: Adware.Bargainbuddy.AN
C:\WINDOWS\SYSTEM32\exclean.exe Deleted
C:\WINDOWS\SYSTEM32\CSUNINST.EXE Detected with: Adware.Cometsys.I
C:\WINDOWS\SYSTEM32\CSUNINST.EXE Deleted
C:\WINDOWS\SYSTEM32\mnmhgsrv.dll Infected with: Trojan.PWS.OnlineGames.YZK
C:\WINDOWS\SYSTEM32\mnmhgsrv.dll Disinfection failed
C:\WINDOWS\SYSTEM32\mnmhgsrv.dll Delete failed
C:\WINDOWS\SYSTEM32\ismhasrv.exe Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\ismhasrv.exe Deleted
C:\WINDOWS\SYSTEM32\etshabty.exe Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\etshabty.exe Deleted
C:\WINDOWS\SYSTEM32\zaztamsn.exe Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\zaztamsn.exe Deleted
C:\WINDOWS\SYSTEM32\dfqnabib.exe Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\dfqnabib.exe Deleted
C:\WINDOWS\SYSTEM32\tjfyabyt.exe Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\tjfyabyt.exe Deleted
C:\WINDOWS\SYSTEM32\lpmxajkl.exe Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\lpmxajkl.exe Deleted
C:\WINDOWS\SYSTEM32\zsdjabmp.exe Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\zsdjabmp.exe Deleted
C:\WINDOWS\SYSTEM32\lpsgajba.exe Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\lpsgajba.exe Deleted
C:\WINDOWS\SYSTEM32\zxfhajpg.exe Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\zxfhajpg.exe Deleted
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll Detected with: Adware.Gator.X
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll Deleted
C:\WINDOWS\AppPatch\Jview.dll Infected with: Trojan.Downloader.JKBD
C:\WINDOWS\AppPatch\Jview.dll Deleted
C:\WINDOWS\AppPatch\AcXtrnel.dll Infected with: Generic.Malware.gPWS.C82BECA1
C:\WINDOWS\AppPatch\AcXtrnel.dll Disinfection failed
C:\WINDOWS\AppPatch\AcXtrnel.dll Deleted
C:\Program Files\HomeKeyLogger\KeyLogger.Dll Infected with: Trojan.Spy.Keylogger.AI
C:\Program Files\HomeKeyLogger\KeyLogger.Dll Deleted
C:\Program Files\Alwil Software\Avast4\DATA\moved\down[1].exe.vir Infected with: Generic.Malware.SBdldsp.97CED6BB
C:\Program Files\Alwil Software\Avast4\DATA\moved\down[1].exe.vir Disinfection failed
C:\Program Files\Alwil Software\Avast4\DATA\moved\down[1].exe.vir Deleted
C:\Software\Spyware Registry Scanner\backup-20040312-112317-749.dll Detected with: Application.Euniverse.H
#28
C:\Software\Spyware Registry Scanner\backup-20040312-112317-749.dll Disinfection failed
C:\Software\Spyware Registry Scanner\backup-20040312-112317-749.dll Deleted
C:\Software\Spyware Registry Scanner\backups\backup-20050219-115555-572.dll Detected with: Application.Euniverse.H
C:\Software\Spyware Registry Scanner\backups\backup-20050219-115555-572.dll Disinfection failed
C:\Software\Spyware Registry Scanner\backups\backup-20050219-115555-572.dll Deleted
C:\QooBox\Quarantine\C\Program Files\MyWay\myBar\2.bin\MYWAYPLUGINPROXY.CLASS.vir Detected with: Adware.Mywebsearch.BC
C:\QooBox\Quarantine\C\Program Files\MyWay\myBar\2.bin\MYWAYPLUGINPROXY.CLASS.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dbxDgrevCheck.dll.vir Detected with: Adware.Agent.LX
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dbxDgrevCheck.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zaztamsn.exe.vir Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zaztamsn.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yzztimsn.dll.vir Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yzztimsn.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yzztimsn.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxcsahlp.exe.vir Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxcsahlp.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\etshabty.exe.vir Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\etshabty.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ismhasrv.exe.vir Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ismhasrv.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\apsgdjba.dll.vir Infected with: Trojan.Dropper.RWY
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\apsgdjba.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\apsgdjba.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dfqnabib.exe.vir Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dfqnabib.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ghwxattb.exe.vir Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ghwxattb.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lpmxajkl.exe.vir Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lpmxajkl.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lpsgajba.exe.vir Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lpsgajba.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mnmhgsrv.dll.vir Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mnmhgsrv.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mnmhgsrv.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nhmxbjkl.dll.vir Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nhmxbjkl.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nhmxbjkl.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nhmxcjkl.dll.vir Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nhmxcjkl.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nhmxcjkl.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oswxcttb.dll.vir Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oswxcttb.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oswxcttb.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\skqncbib.dll.vir Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\skqncbib.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\skqncbib.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tjfyabyt.exe.vir Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tjfyabyt.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxfhajpg.exe.vir Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxfhajpg.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxptejpg.dll.vir Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxptejpg.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxptejpg.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\axptajpg.exe.vir Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\axptajpg.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mpwdeapi.dll.vir Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mpwdeapi.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mpwdeapi.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\siwdaapi.exe.vir Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\siwdaapi.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\rising453.exe.vir Infected with: Trojan.Downloader.Agent.YTX
#29
C:\QooBox\Quarantine\C\WINDOWS\rising453.exe.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\AcXtrnel.dll.vir Infected with: Generic.Malware.gPWS.C82BECA1
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\AcXtrnel.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\AcXtrnel.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\Jview.dll.vir Infected with: Trojan.Downloader.JKBD
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\Jview.dll.vir Deleted
C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\I5MN892V\root[1].gif Infected with: DeepScan:Generic.Malware.dld!!.8E2E18BD
C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\I5MN892V\root[1].gif Disinfection failed
C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\I5MN892V\root[1].gif Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.26655 Infected with: Trojan.PWS.OnlineGames.YZK
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.26655 Disinfection failed
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.26655 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.58507 Infected with: Trojan.PWS.OnlineGames.YZK
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.58507 Disinfection failed
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.58507 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.95735 Infected with: Trojan.PWS.OnlineGames.YZK
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.95735 Disinfection failed
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.95735 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.68334 Infected with: Trojan.PWS.OnlineGames.YZK
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.68334 Disinfection failed
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.68334 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.42642 Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.42642 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.80717 Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.80717 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.26795 Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.26795 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.68765 Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.68765 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.30023 Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.30023 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.79186 Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.79186 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.82887 Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.82887 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.34886 Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.34886 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.17360 Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.17360 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.37857 Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.37857 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.13225 Infected with: Trojan.PWS.OnlineGames.YZK
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.13225 Disinfection failed
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.13225 Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.70204 Infected with: Trojan.PWS.OnlineGames.YZK
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.70204 Disinfection failed
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.70204 Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YNEPATI9\root[1].gif Infected with: DeepScan:Generic.Malware.dld!!.8E2E18BD
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YNEPATI9\root[1].gif Disinfection failed
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YNEPATI9\root[1].gif Deleted
#30
ComboFix 08-06-01.6 - redilens 2008-06-11 14:13:40.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.439 [GMT 5.5:30]
Running from: C:\Documents and Settings\redilens\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\jashbbty.sys
C:\WINDOWS\system32\smmhbsrv.sys
C:\WINDOWS\system32\xfztbmsn.sys
.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.
2008-06-11 11:55 . 2008-06-11 11:55 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-11 11:55 . 2008-06-11 11:55 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-10 15:24 . 2008-06-11 11:02 24 --a------ C:\WINDOWS\SYSTEM32\toqnabib.sys
2008-06-10 15:23 . 2008-06-11 11:02 24 --a------ C:\WINDOWS\SYSTEM32\wymxajkl.sys
2008-06-05 10:56 . 2008-06-05 10:56 250 --a------ C:\WINDOWS\gmer.ini
2008-06-05 10:42 . 2008-06-05 10:42 <DIR> d-------- C:\gmer
2008-06-04 14:20 . 2008-06-04 14:20 <DIR> d-------- C:\Documents and Settings\redilens\Application Data\Malwarebytes
2008-06-04 14:20 . 2008-06-04 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 14:20 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-04 14:20 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-04 14:16 . 2008-06-04 14:16 <DIR> d-------- C:\Program Files\Common Files\Download Manager
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 09:43 79,272 ----a-w C:\Documents and Settings\redilens\Application Data\GDIPFONTCACHEV1.DAT
2008-04-29 08:02 --------- d-sh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 08:02 --------- d-----w C:\Program Files\Windows Live
2008-04-29 08:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-28 07:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2003-12-05 14:09 266 --sh--w C:\Program Files\desktop.ini
2003-12-05 14:09 11,079 ---h--w C:\Program Files\folder.htt
2004-08-08 09:49 538,120 --sh--w C:\WINDOWS\SYSTEM32\mnmhgsrv.dll
2004-08-08 09:52 520 --sh--w C:\WINDOWS\SYSTEM32\snfybbyt.sys
2004-08-08 09:52 513,544 --sh--w C:\WINDOWS\SYSTEM32\ozfyebyt.dll
2004-08-08 09:54 520 --sh--w C:\WINDOWS\SYSTEM32\gpsgajba.sys
2004-08-08 09:54 520 --sh--w C:\WINDOWS\SYSTEM32\xsdjbbmp.sys
2004-08-08 09:54 520 --sh--w C:\WINDOWS\SYSTEM32\xzfhbjpg.sys
2004-08-08 09:54 513,544 --sh--w C:\WINDOWS\SYSTEM32\yxfhcjpg.dll
2004-08-08 09:53 520 --sh--w C:\WINDOWS\SYSTEM32\rnmxajkl.sys
2004-08-08 09:53 520 --sh--w C:\WINDOWS\SYSTEM32\aoqnabib.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-03_15.04.21.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-11 06:25:26 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-06-11 06:25:26 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-06-11 06:25:28 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-06-11 06:25:52 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-01-09 09:31:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 09:31:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-06-11 06:26:06 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-06-11 06:25:34 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2008-01-09 09:31:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
- 2008-06-03 05:41:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-11 06:13:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-01-09 09:31:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2008-01-09 09:31:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
+ 2008-06-05 05:26:34 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-04-17 15:43:02 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2008-06-05 05:26:34 85,969 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\gmer.sys
+ 2008-06-11 06:14:20 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_3c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C8D1401-A58D-A81C-CD24-A5915C4517C7}]
2004-08-08 15:19 538120 ---hs---- C:\WINDOWS\system32\mnmhgsrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2005-09-23 08:35 8450560 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44 1200128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 04:49 79224]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
24Online Client.lnk - C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe [2004-01-06 11:12:46 245760]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7C8D1401-A58D-A81C-CD24-A5915C4517C7}"= C:\WINDOWS\system32\mnmhgsrv.dll [2004-08-08 15:19 538120]
"{1DB3C525-5271-46F7-887A-D4E1ADAA7632}"= C:\WINDOWS\system32\hfrdzx.dll [ ]
"{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"= C:\WINDOWS\system32\zdesfx.dll [ ]
"{5E907A48-400E-4EA8-9792-FFAE052D59E9}"= C:\WINDOWS\system32\pedadt.dll [ ]
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= C:\WINDOWS\system32\wyrsdj.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"Vids.draw"= dvideo.dll
"VIDC.SP62"= SP6X_32.DLL
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"SENTINEL"= snti386.dll
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RealJukeboxSystray"=C:\Program Files\Real\RealJukebox\tsystray.exe
"Yahoo! Pager"=C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AltnetPointsManager"=c:\program files\altnet\points manager\points manager.exe -s
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"ccRegVfy"=C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
"Advanced Tools Check"=C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
"NPROTECT"=C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
"Openwares LiveUpdate"=C:\Program Files\LiveUpdate\LiveUpdate.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"RealTray"=C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
"LoadQM"=loadqm.exe
"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\hi\msnappau.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"ashMaiSv"=C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"avast! Web Scanner"=C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"NPROTECT"=C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
"ccEvtMgr"=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"ScriptBlocking"="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
"RNBOStart"=C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\EDS\\Unigraphics NX 2.0\\UGII\\ugraf.exe"=
"D:\\Program Files\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"D:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\BitTorrent\\bittorrent.exe"=
"D:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"D:\Program Files\Microsoft ActiveSync\rapimgr.exe"= D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"= D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"F:\\Games\\Age of Empires II\\Age Of Empires 2.exe"=
"E:\\Program Files\\Tally\\tally9.exe"=
"C:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe"=
"D:\\Program Files\\Tally 72\\tally72.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 04:50]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 04:46]
R2 Cap7134;TV Capture Card WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2002-08-25 21:30]
R2 Tally License Server;Tally License Server (NT);E:\Program Files\Tally\tallylicserver.exe [2006-12-12 16:04]
R2 ugiipqd;Unigraphics Plot Server (ugiipqd);C:\WINDOWS\system32\spool\ugplot\ugiipqd.exe [2003-07-23 19:07]
R2 Unigraphics License Server (uglmd);Unigraphics License Server (uglmd);"D:\Program Files\EDS\License Servers\UGNXFLEXlm\lmgrd.exe" [2003-06-30 18:05]
R3 PhTVTune;TV Capture Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2002-07-16 21:30]
S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys [2004-01-19 20:57]
S3 SPCA508A;Micro WebCam;C:\WINDOWS\system32\DRIVERS\SPCA508A.SYS [2000-08-17 14:30]

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 08:30:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2004-02-25 07:00:30 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job" - C:\WINDOWS\DEFRAG.EXE
"2004-02-25 07:00:30 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job" - C:\WINDOWS\CLEANMGR.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 14:16:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-11 14:17:01 ComboFix-quarantined-files.txt 2008-06-11 08:46:58 ComboFix5.txt 2008-06-03 09:34:54 ComboFix4.txt 2008-06-05 03:50:32 ComboFix3.txt 2008-06-05 05:24:44 ComboFix2.txt 2008-06-05 06:57:06 Pre-Run: 100,454,400 bytes free Post-Run: 90,308,608 bytes free 206 --- E O F --- 2008-04-26 13:02:42 |