#16
June 5th, 2008, 06:43 AM
purveet
Member
 
Join Date: Feb 2005
Location: Bombay India
Posts: 38
GMER LOG

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-05 11:08:37
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5145588]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5145444]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF5145922]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF514501C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF514551E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF5144F5C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF5144FC0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF514563E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF51455FE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF514577E]

---- Kernel code sections - GMER 1.0.14 ----

? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[508] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[508] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths@Directory C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1@CachePath C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\Cache1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2@CachePath C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\Cache2
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3@CachePath C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\Cache3
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4@CachePath C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\Cache4

---- EOF - GMER 1.0.14 ----
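As an added example (not part of the original post and not GMER's own code), here is a small Python triage script for lines in the shape of the GMER log above. It groups SSDT hooks by owning module and vendor, flags hooks from a module whose vendor is not on an analyst-maintained trusted list, and surfaces the "?" (module path not found) and IAT lines as notes for manual review. The sample log, the trusted-vendor set and the module name example_unknown.sys are constructed for the example; the first two hook lines mirror the avast! entries in the post.

```python
import re
import sys
from collections import Counter

# Constructed sample in the shape of the GMER log above. The third SSDT line
# uses a hypothetical module name (example_unknown.sys) with no vendor string,
# included only so the triage has something to flag.
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5145588]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF5144F5C]
SSDT \??\C:\WINDOWS\system32\drivers\example_unknown.sys ZwQueryDirectoryFile [0xF7A11000]
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
IAT C:\WINDOWS\system32\services.exe[508] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
"""

# Assumption: vendors whose kernel hooks are expected on this machine. An analyst
# builds this from the security software known to be installed (here, avast!).
TRUSTED_VENDORS = {"ALWIL Software", "Microsoft Corporation"}

# SSDT <module path> [(<description/vendor>)] <Zw function> [<address>]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
# ? <path> <error text> !
MISSING_RE = re.compile(r"^\?\s+(?P<path>.+?\.\w+)\s+(?P<error>.+?)\s*!$")
# IAT <process[pid]> @ <image> [<dll!import>] <address>   (paths without spaces)
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>\S+)\s+@\s+(?P<image>\S+)\s+\[(?P<import>[^\]]+)\]\s+(?P<addr>[0-9A-Fa-f]+)$")


def parse_gmer(text):
    """Split a GMER log into the record types an analyst triages first."""
    parsed = {"ssdt": [], "missing": [], "iat": [], "other": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := SSDT_RE.match(line):
            desc = m.group("desc") or ""
            parsed["ssdt"].append({
                "module": m.group("module").rsplit("\\", 1)[-1],
                "vendor": desc.rsplit("/", 1)[-1] if "/" in desc else "",
                "function": m.group("func"),
                "address": m.group("addr"),
            })
        elif m := MISSING_RE.match(line):
            parsed["missing"].append({"path": m.group("path"), "error": m.group("error")})
        elif m := IAT_RE.match(line):
            parsed["iat"].append({"process": m.group("process"), "import": m.group("import"),
                                  "address": m.group("addr")})
        else:
            parsed["other"].append(line)
    return parsed


def triage(parsed, trusted_vendors=TRUSTED_VENDORS):
    """Return (findings, notes): findings need follow-up, notes are context."""
    findings, notes = [], []
    per_module = Counter(h["module"] for h in parsed["ssdt"])
    for module, count in per_module.items():
        vendor = next(h["vendor"] for h in parsed["ssdt"] if h["module"] == module)
        funcs = sorted(h["function"] for h in parsed["ssdt"] if h["module"] == module)
        if vendor in trusted_vendors:
            notes.append(f"{module} ({vendor}) hooks {count} SSDT entries: {', '.join(funcs)}")
        else:
            findings.append(f"SSDT hook by untrusted/unnamed module {module} on {', '.join(funcs)}")
    for entry in parsed["missing"]:
        notes.append(f"module path not present on disk: {entry['path']} ({entry['error']})")
    # GMER does not name the module that owns an IAT patch, so these need a manual look.
    for hook in parsed["iat"]:
        notes.append(f"IAT patch in {hook['process']} for {hook['import']} -> {hook['address']}")
    return findings, notes


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    found, context = triage(parse_gmer(text))
    print("FINDINGS:", *found, sep="\n  ")
    print("NOTES:", *context, sep="\n  ")
```

Run it with a saved GMER log as the first argument, or with no argument to use the constructed sample. The check it automates is the one the moderator applies by eye in the next post: every SSDT hook in the posted log belongs to the installed antivirus driver, which is why the log shows no sign of a rootkit.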


#17
June 5th, 2008, 07:05 AM
AnnMarie
Cyber Tech Help Moderator
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,811
There is no evidence of a rootkit infection.

I want to see what services are running. Go to Start > Run and type:

cmd.exe

and click OK. Copy and paste the below string after the prompt > and hit Enter.

sc query > c:\services.txt & start notepad c:\services.txt

Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.

Next open a command prompt again and copy and paste the below commands please and hit Enter after each line.

cd\
regdelnull hklm -s

Your registry will be scanned and if any of the entries I am looking for are found, the scan will stop and you will be asked to confirm deletion. Type n and hit Enter, and let the scan continue until it has finished.

When it has finished, click on the icon in the top left-hand corner of the Command Prompt and choose Edit > Select All and then Edit > Copy. Right-click on your Desktop and create a text file. Open it and position your mouse inside the file, right-click again and choose Paste. Save the file and post the contents here.
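As an added example (not part of the moderator's instructions), here is a Python script that reads the `sc query` text produced by the command above, turns each record into a structured entry, and lists the services whose names are not in a baseline. The sample output is constructed in the shape of the output posted in this thread; the baseline set is an illustrative subset of stock Windows XP service names, not a complete reference; and the service name xyzsvc is hypothetical, included only so the comparison reports something.

```python
import re
import sys

# Constructed sample in the shape of `sc query` output. The third record's name
# (xyzsvc) is hypothetical, present only so the baseline comparison has a hit.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: xyzsvc
DISPLAY_NAME: xyzsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Assumption: an illustrative subset of stock Windows XP service names. A real
# baseline comes from a clean reference install plus the software known to be present.
BASELINE = {
    "ALG", "AudioSrv", "BITS", "CryptSvc", "DcomLaunch", "Dhcp", "Dnscache",
    "Eventlog", "EventSystem", "lanmanserver", "lanmanworkstation", "PlugPlay",
    "RpcSs", "SamSs", "Schedule", "Spooler", "wscsvc", "wuauserv",
}

KV_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")      # KEY : value
FLAGS_RE = re.compile(r"^\s*\((.*)\)\s*$")                  # (STOPPABLE,...) line
CODE_RE = re.compile(r"^(?P<code>[0-9A-Fa-f]+)\s+(?P<label>.*)$")  # sc prints codes in hex


def parse_sc_query(text):
    """Turn `sc query` text into one dict per service."""
    services, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        flags = FLAGS_RE.match(line)
        if flags:
            if current is not None:
                current["flags"] = [f.strip() for f in flags.group(1).split(",")]
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue
        key, value = kv.groups()
        if key == "SERVICE_NAME":
            current = {"name": value, "display": "", "type_code": None,
                       "type": "", "state": "", "flags": [], "raw": {}}
            services.append(current)
        elif current is None:
            continue  # stray line before the first record
        elif key == "DISPLAY_NAME":
            current["display"] = value
        elif key in ("TYPE", "STATE"):
            m = CODE_RE.match(value)
            if key == "TYPE":
                current["type_code"] = int(m.group("code"), 16) if m else None
                current["type"] = m.group("label") if m else value
            else:
                current["state"] = m.group("label") if m else value
        else:
            current["raw"][key] = value
    return services


def find_unexpected(services, baseline):
    """Names not in the baseline (case-insensitive); these get a manual look first."""
    known = {n.lower() for n in baseline}
    return [s["name"] for s in services if s["name"].lower() not in known]


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SC_QUERY
    svcs = parse_sc_query(src)
    for s in svcs:
        print(f"{s['name']:<24} {s['state']:<8} {s['type']}")
    print("not in baseline:", find_unexpected(svcs, BASELINE))
```

Run it with the saved c:\services.txt as the first argument, or with no argument to use the constructed sample. Note that `sc query` prints the TYPE and STATE codes in hexadecimal (0x10 is WIN32_OWN_PROCESS, 0x20 WIN32_SHARE_PROCESS, and the 0x100 bit marks an interactive service), which is why the parser converts them with base 16.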
#18
June 5th, 2008, 07:22 AM
purveet
Member
 
Join Date: Feb 2005
Location: Bombay India
Posts: 38
SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE :0(0x0)
SERVICE_EXIT_CODE :0(0x0)
CHECKPOINT :0x0
WAIT_HINT :0x0
SERVICE_NAME: aswUpdSv
DISPLAY_NAME: avast! iAVS4 Control Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE :0(0x0)
SERVICE_EXIT_CODE :0(0x0)
CHECKPOINT :0x0
WAIT_HINT :0x0
SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE :0(0x0)
SERVICE_EXIT_CODE :0(0x0)
CHECKPOINT :0x0
WAIT_HINT :0x0
SERVICE_NAME: avast! Antivirus
DISPLAY_NAME: avast! Antivirus
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE :0 (0x0)
SERVICE_EXIT_CODE :0 (0x0)
CHECKPOINT :0x0
WAIT_HINT :0x0
SERVICE_NAME: avast! Mail Scanner
DISPLAY_NAME: avast! Mail Scanner
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: avast! Web Scanner
DISPLAY_NAME: avast! Web Scanner
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: BITS
DISPLAY_NAME: Background Intelligent Transfer Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: C-DillaCdaC11BA
DISPLAY_NAME: C-DillaCdaC11BA
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: CryptSvc
DISPLAY_NAME: Cryptographic Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: DcomLaunch
DISPLAY_NAME: DCOM Server Process Launcher
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: dmserver
DISPLAY_NAME: Logical Disk Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: ERSvc
DISPLAY_NAME: Error Reporting Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Eventlog
DISPLAY_NAME: Event Log
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: EventSystem
DISPLAY_NAME: COM+ Event System
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: FastUserSwitchingCompatibility
DISPLAY_NAME: Fast User Switching Compatibility
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: helpsvc
DISPLAY_NAME: Help and Support
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: lanmanworkstation
DISPLAY_NAME: Workstation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: LmHosts
DISPLAY_NAME: TCP/IP NetBIOS Helper
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Netman
DISPLAY_NAME: Network Connections
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Nla
DISPLAY_NAME: Network Location Awareness (NLA)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: PlugPlay
DISPLAY_NAME: Plug and Play
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: Pml Driver HPZ12
DISPLAY_NAME: Pml Driver HPZ12
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: PolicyAgent
DISPLAY_NAME: IPSEC Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ProtectedStorage
DISPLAY_NAME: Protected Storage
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: RasMan
DISPLAY_NAME: Remote Access Connection Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: RemoteRegistry
DISPLAY_NAME: Remote Registry
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: RpcSs
DISPLAY_NAME: Remote Procedure Call (RPC)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SamSs
DISPLAY_NAME: Security Accounts Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: seclogon
DISPLAY_NAME: Secondary Logon
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SENS
DISPLAY_NAME: System Event Notification
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ShellHWDetection
DISPLAY_NAME: Shell Hardware Detection
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: srservice
DISPLAY_NAME: System Restore Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SSDPSRV
DISPLAY_NAME: SSDP Discovery Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: stisvc
DISPLAY_NAME: Windows Image Acquisition (WIA)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Tally License Server
DISPLAY_NAME: Tally License Server (NT)
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: TapiSrv
DISPLAY_NAME: Telephony
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: TermService
DISPLAY_NAME: Terminal Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Themes
DISPLAY_NAME: Themes
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: TrkWks
DISPLAY_NAME: Distributed Link Tracking Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ugiipqd
DISPLAY_NAME: Unigraphics Plot Server (ugiipqd)
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Unigraphics License Server (uglmd)
DISPLAY_NAME: Unigraphics License Server (uglmd)
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: W32Time
DISPLAY_NAME: Windows Time
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: WebClient
DISPLAY_NAME: WebClient
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: winmgmt
DISPLAY_NAME: Windows Management Instrumentation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: WZCSVC
DISPLAY_NAME: Wireless Zero Configuration
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
#19
June 5th, 2008, 07:25 AM
purveet
Member
 
Join Date: Feb 2005
Location: Bombay India
Posts: 38
Got an error on the registry scanner.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\redilens>cd\

C:\>regdelnull hklm -s
'regdelnull' is not recognized as an internal or external command,
operable program or batch file.

C:\>regdelnull hklm-s
'regdelnull' is not recognized as an internal or external command,
operable program or batch file.

C:\>regdelnull hklm -s
'regdelnull' is not recognized as an internal or external command,
operable program or batch file.

C:\>
#20
June 5th, 2008, 07:32 AM
AnnMarie
Cyber Tech Help Moderator
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,811
Oops, sorry purveet, I didn't post the link to download the utility. You need to go here and download RegDelNull.zip first. Unzip the file and when you have done this, read the EULA and then copy and paste RegDelNull.exe to your C folder.

Follow my instructions now. Your services are fine.
#21
June 5th, 2008, 07:38 AM
purveet
Member
 
Join Date: Feb 2005
Location: Bombay India
Posts: 38
Hey Ann...

Did the scan... it didn't find anything... hope that's good...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\redilens>cd\

C:\>regdelnull hklm -s

RegDelNull v1.10 - Delete Registry keys with embedded Nulls
Copyright (C) 2005-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

Scan complete.


C:\>
#22
June 5th, 2008, 07:50 AM
AnnMarie
Cyber Tech Help Moderator
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,811
Yes that's good.

Open notepad and copy and paste the text in the codebox below into it as you did before and save the file as CFScript.txt

Code:
File::
C:\WINDOWS\SYSTEM32\ciwdaapi.sys
C:\WINDOWS\SYSTEM32\spwdbapi.sys
C:\WINDOWS\SYSTEM32\mpwdeapi.dll
C:\WINDOWS\SYSTEM32\siwdaapi.exe
C:\WINDOWS\SYSTEM32\axptajpg.exe

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"=-
"{55694105-5108-9405-3695-954187462155}"=-

Drop it on ComboFix again and wait for ComboFix to finish running. Post the new ComboFix log and a new HijackThis log.

I have to log out now but I will be back in a couple of hours time.
#23
June 5th, 2008, 08:00 AM
purveet
Member
 
Join Date: Feb 2005
Location: Bombay India
Posts: 38
Hey Ann... here are the scans...

ComboFix 08-06-01.6 - redilens 2008-06-05 12:24:06.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.488 [GMT 5.5:30]
Running from: C:\Documents and Settings\redilens\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\redilens\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\axptajpg.exe
C:\WINDOWS\SYSTEM32\ciwdaapi.sys
C:\WINDOWS\SYSTEM32\mpwdeapi.dll
C:\WINDOWS\SYSTEM32\siwdaapi.exe
C:\WINDOWS\SYSTEM32\spwdbapi.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\axptajpg.exe
C:\WINDOWS\SYSTEM32\ciwdaapi.sys
C:\WINDOWS\SYSTEM32\mpwdeapi.dll
C:\WINDOWS\SYSTEM32\siwdaapi.exe
C:\WINDOWS\SYSTEM32\spwdbapi.sys

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-05 10:56 . 2008-06-05 10:56 250 --a------ C:\WINDOWS\gmer.ini
2008-06-05 10:42 . 2008-06-05 10:42 <DIR> d-------- C:\gmer
2008-06-04 14:20 . 2008-06-04 14:20 <DIR> d-------- C:\Documents and Settings\redilens\Application Data\Malwarebytes
2008-06-04 14:20 . 2008-06-04 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 14:20 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-04 14:20 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-04 14:16 . 2008-06-04 14:16 <DIR> d-------- C:\Program Files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 09:43 79,272 ----a-w C:\Documents and Settings\redilens\Application Data\GDIPFONTCACHEV1.DAT
2008-04-29 08:02 --------- d-sh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 08:02 --------- d-----w C:\Program Files\Windows Live
2008-04-29 08:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-28 07:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2003-12-05 14:09 266 --sh--w C:\Program Files\desktop.ini
2003-12-05 14:09 11,079 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2008-06-03_15.04.21.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 05:41:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 05:20:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 05:26:34 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-04-17 15:43:02 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2008-06-05 05:26:34 85,969 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\gmer.sys
+ 2008-06-05 05:21:18 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_458.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2005-09-23 08:35 8450560 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44 1200128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 04:49 79224]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
24Online Client.lnk - C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe [2004-01-06 11:12:46 245760]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=SysWoWCt.dll,skqncbib.dll,nhmxbjkl.dll,yzztimsn.dll,nhmxcjkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"Vids.draw"= dvideo.dll
"VIDC.SP62"= SP6X_32.DLL
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"SENTINEL"= snti386.dll
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RealJukeboxSystray"=C:\Program Files\Real\RealJukebox\tsystray.exe
"Yahoo! Pager"=C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AltnetPointsManager"=c:\program files\altnet\points manager\points manager.exe -s
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"ccRegVfy"=C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
"Advanced Tools Check"=C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
"NPROTECT"=C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
"Openwares LiveUpdate"=C:\Program Files\LiveUpdate\LiveUpdate.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"RealTray"=C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
"LoadQM"=loadqm.exe
"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\hi\msnappau.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"ashMaiSv"=C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"avast! Web Scanner"=C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"NPROTECT"=C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
"ccEvtMgr"=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"ScriptBlocking"="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
"RNBOStart"=C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\EDS\\Unigraphics NX 2.0\\UGII\\ugraf.exe"=
"D:\\Program Files\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"D:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\BitTorrent\\bittorrent.exe"=
"D:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"D:\Program Files\Microsoft ActiveSync\rapimgr.exe"= D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"= D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"F:\\Games\\Age of Empires II\\Age Of Empires 2.exe"=
"E:\\Program Files\\Tally\\tally9.exe"=
"C:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe"=
"D:\\Program Files\\Tally 72\\tally72.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 04:50]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 04:46]
R2 Cap7134;TV Capture Card WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2002-08-25 21:30]
R2 Unigraphics License Server (uglmd);Unigraphics License Server (uglmd);"D:\Program Files\EDS\License Servers\UGNXFLEXlm\lmgrd.exe" [2003-06-30 18:05]
R3 PhTVTune;TV Capture Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2002-07-16 21:30]
S2 Tally License Server;Tally License Server (NT);E:\Program Files\Tally\tallylicserver.exe [2006-12-12 16:04]
S2 ugiipqd;Unigraphics Plot Server (ugiipqd);C:\WINDOWS\system32\spool\ugplot\ugiipqd.exe [2003-07-23 19:07]
S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys [2004-01-19 20:57]
S3 SPCA508A;Micro WebCam;C:\WINDOWS\system32\DRIVERS\SPCA508A.SYS [2000-08-17 14:30]

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-06-04 13:30:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2004-02-25 07:00:30 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2004-02-25 07:00:30 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
- C:\WINDOWS\CLEANMGR.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 12:26:12
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-05 12:27:04
ComboFix-quarantined-files.txt 2008-06-05 06:57:02
ComboFix4.txt 2008-06-03 09:34:54
ComboFix3.txt 2008-06-05 03:50:32
ComboFix2.txt 2008-06-05 05:24:44

Pre-Run: 114,458,624 bytes free
Post-Run: 106,184,704 bytes free

187 --- E O F --- 2008-04-26 13:02:42
#24
June 5th, 2008, 08:01 AM
purveet (Member)
HJT LOG---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:44 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\EDS\License Servers\UGNXFLEXlm\lmgrd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\EDS\License Servers\UGNXFLEXlm\uglmd.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\hi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\hi\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'Default user')
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E2438DE-9143-4060-A7F8-6E967E266439}: Domain = manage.cyberoam
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E2438DE-9143-4060-A7F8-6E967E266439}: NameServer = 172.16.251.251
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4AAB6CE-48A8-424B-A2F4-B376B57092E1}: Domain = manage.cyberoam
O20 - AppInit_DLLs: SysWoWCt.dll,skqncbib.dll,nhmxbjkl.dll,yzztimsn.dll,nhmxcjkl.dll
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Tally License Server (NT) (Tally License Server) - Unknown owner - E:\Program Files\Tally\tallylicserver.exe
O23 - Service: Unigraphics Plot Server (ugiipqd) (ugiipqd) - Unigraphics Solutions, Inc - C:\WINDOWS\system32\spool\ugplot\ugiipqd.exe
O23 - Service: Unigraphics License Server (uglmd) - Macrovision Corporation - D:\Program Files\EDS\License Servers\UGNXFLEXlm\lmgrd.exe

--
End of file - 6916 bytes
#25
June 5th, 2008, 08:27 AM
purveet (Member)
Hey again...

The alerts on avast have reduced...
Got a couple of alerts for wmsetup.dll
#26
June 5th, 2008, 09:38 AM
AnnMarie (Cyber Tech Help Moderator)
Ok. I think that file will be in your temp files. I'll address that shortly.

Close Internet Explorer and any open windows and run Hijack This again. Check the below entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O20 - AppInit_DLLs: SysWoWCt.dll,skqncbib.dll,nhmxbjkl.dll,yzztimsn.dll,nhmxcjkl.dll

O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)

O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)

Reboot and go here and download ATF cleaner (do not download the Recommended Download on the mirror site). Use it to remove all Temp Files, Cookies and Temp Internet Files, Java Cache and any others that you would like to remove. If you also use Opera or Firefox, also click on the cleaning options for each browser.

Next, disable your antivirus program. To do this, right-click on the icon in the Notification area (lower right-hand corner of your screen) and choose Quit, Exit, Close or whatever option is offered. Now go here and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit > Select All, then copy the log and paste it back here.

Run Hijack This again and post a new log please. Also run ComboFix and post a new log.
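The entries picked out above are chosen by load point rather than by name: anything listed under O20 AppInit_DLLs is mapped into every process that loads user32.dll, and O21 SSODL entries are loaded by explorer.exe at logon, so an entry whose file is already gone is an orphaned load point that still deserves clearing. The script below is an added example written for this page in Python; it is not HijackThis code and not the forum staff's method. It applies that same triage to a handful of lines copied from the HJT log in post #24; the severity labels and the rules behind them are this example's own assumptions.

```python
"""Triage a HijackThis v2 log for the load-point classes that most often carry
malware on Windows XP: O20 AppInit_DLLs, O21 SSODL and O23 services.
The sample lines are copied from the log posted in this thread; the scoring
rules are this example's own heuristics (assumption), not HijackThis logic."""
import re

# Constructed sample: a few lines taken from the HJT log in post #24.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHELPER.DLL
O20 - AppInit_DLLs: SysWoWCt.dll,skqncbib.dll,nhmxbjkl.dll,yzztimsn.dll,nhmxcjkl.dll
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\\WINDOWS\\AppPatch\\Jview.dll (file missing)
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\\Program Files\\Common Files\\InstallShield\\Driver\\11\\Intel 32\\IDriverT.exe (file missing)
"""

# Every HJT entry starts with its section code ("O20", "R1", ...) and " - ".
LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")


def appinit_dlls(body):
    """Split an O20 AppInit_DLLs value into its individual DLL names."""
    _, _, value = body.partition("AppInit_DLLs:")
    return [d.strip() for d in value.split(",") if d.strip()]


def triage_line(line):
    """Return (severity, reason) for one HJT line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind == "O20" and "AppInit_DLLs" in body:
        dlls = appinit_dlls(body)
        if dlls:
            # user32.dll loads each listed DLL into every process that links it,
            # so on XP a non-empty AppInit_DLLs value almost always needs a look.
            return ("high", "AppInit_DLLs loads %d DLL(s) into every GUI process: %s"
                    % (len(dlls), ", ".join(dlls)))
    if kind == "O21":
        if "(file missing)" in body or "(no file)" in body:
            # explorer.exe loads SSODL objects at logon; a dangling entry is
            # usually what is left after the DLL itself was removed.
            return ("medium", "SSODL entry points at a missing file (orphaned load point)")
        return ("medium", "Non-default SSODL entry; verify the DLL publisher")
    if kind == "O23":
        if "(file missing)" in body:
            return ("low", "Service binary missing (orphaned service)")
        if "Unknown owner" in body:
            return ("low", "Service with no publisher information")
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns [(severity, line, reason), ...]."""
    findings = []
    for line in log_text.splitlines():
        result = triage_line(line)
        if result:
            findings.append((result[0], line.strip(), result[1]))
    return findings


if __name__ == "__main__":
    for sev, line, why in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (sev, why, line))
```

Run as-is it flags four of the six sample lines (the O20 line, both O21 lines and the orphaned IDriverT service) and leaves the Spybot BHO and the avast service alone; feed it a full log with `triage(open(path).read())`. It deliberately does not score O4 Run entries, which need a whitelist of known-good programs to be useful, and it does not try to detect the random 8-letter DLL names seen in the O20 line, which a human spots faster than a regex.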
#27
June 11th, 2008, 09:52 AM
purveet (Member)
Hey Ann... sorry for the delay... did all the scans. Here are the logs.

Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;

Statistics
Time: 01:14:38
Files: 198228
Folders: 5685
Boot Sectors: 6
Archives: 3471
Packed Files: 7228

Results
Identified Viruses: 19
Infected Files: 70
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 69

Engines Info
Virus Definitions: 1260216
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 42
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes


Scanned File
Status
C:\WINDOWS\SYSTEM\SFGPack.dat=>92cc8a4b-dadf-4fcd-b03d-9da31d3cc4a0.combo=>(Embedded EXE g)
Infected with: Trojan.Veevo.B
C:\WINDOWS\SYSTEM\SFGPack.dat=>92cc8a4b-dadf-4fcd-b03d-9da31d3cc4a0.combo=>(Embedded EXE g)
Deleted
C:\WINDOWS\SYSTEM\SFGPack.dat=>92cc8a4b-dadf-4fcd-b03d-9da31d3cc4a0.combo
Update failed
C:\WINDOWS\SYSTEM\VeevoPack.dat=>afb8a913-4ba7-4eb2-b9d6-1399aac793e8.combo=>(Embedded EXE g)
Detected with: Adware.Veevo.B
C:\WINDOWS\SYSTEM\VeevoPack.dat=>afb8a913-4ba7-4eb2-b9d6-1399aac793e8.combo=>(Embedded EXE g)
Deleted
C:\WINDOWS\SYSTEM\VeevoPack.dat=>afb8a913-4ba7-4eb2-b9d6-1399aac793e8.combo
Update failed
C:\WINDOWS\SYSTEM\VeevoPack\83a38b1e-db60-4f23-83fd-26980f1e3089.combo=>(Embedded EXE g)
Detected with: Adware.Popupdefence.A
C:\WINDOWS\SYSTEM\VeevoPack\83a38b1e-db60-4f23-83fd-26980f1e3089.combo=>(Embedded EXE g)
Deleted
C:\WINDOWS\SYSTEM\VeevoPack\83a38b1e-db60-4f23-83fd-26980f1e3089.combo
Update failed
C:\WINDOWS\SYSTEM\VeevoPack\afb8a913-4ba7-4eb2-b9d6-1399aac793e8.combo=>(Embedded EXE g)
Detected with: Adware.Veevo.B
C:\WINDOWS\SYSTEM\VeevoPack\afb8a913-4ba7-4eb2-b9d6-1399aac793e8.combo=>(Embedded EXE g)
Deleted
C:\WINDOWS\SYSTEM\VeevoPack\afb8a913-4ba7-4eb2-b9d6-1399aac793e8.combo
Update failed
C:\WINDOWS\SYSTEM\SFGPack\92cc8a4b-dadf-4fcd-b03d-9da31d3cc4a0.combo=>(Embedded EXE g)
Infected with: Trojan.Veevo.B
C:\WINDOWS\SYSTEM\SFGPack\92cc8a4b-dadf-4fcd-b03d-9da31d3cc4a0.combo=>(Embedded EXE g)
Deleted
C:\WINDOWS\SYSTEM\SFGPack\92cc8a4b-dadf-4fcd-b03d-9da31d3cc4a0.combo
Update failed
C:\WINDOWS\SYSTEM32\exclean.exe
Detected with: Adware.Bargainbuddy.AN
C:\WINDOWS\SYSTEM32\exclean.exe
Deleted
C:\WINDOWS\SYSTEM32\CSUNINST.EXE
Detected with: Adware.Cometsys.I
C:\WINDOWS\SYSTEM32\CSUNINST.EXE
Deleted
C:\WINDOWS\SYSTEM32\mnmhgsrv.dll
Infected with: Trojan.PWS.OnlineGames.YZK
C:\WINDOWS\SYSTEM32\mnmhgsrv.dll
Disinfection failed
C:\WINDOWS\SYSTEM32\mnmhgsrv.dll
Delete failed
C:\WINDOWS\SYSTEM32\ismhasrv.exe
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\ismhasrv.exe
Deleted
C:\WINDOWS\SYSTEM32\etshabty.exe
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\etshabty.exe
Deleted
C:\WINDOWS\SYSTEM32\zaztamsn.exe
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\zaztamsn.exe
Deleted
C:\WINDOWS\SYSTEM32\dfqnabib.exe
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\dfqnabib.exe
Deleted
C:\WINDOWS\SYSTEM32\tjfyabyt.exe
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\tjfyabyt.exe
Deleted
C:\WINDOWS\SYSTEM32\lpmxajkl.exe
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\lpmxajkl.exe
Deleted
C:\WINDOWS\SYSTEM32\zsdjabmp.exe
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\zsdjabmp.exe
Deleted
C:\WINDOWS\SYSTEM32\lpsgajba.exe
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\lpsgajba.exe
Deleted
C:\WINDOWS\SYSTEM32\zxfhajpg.exe
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\WINDOWS\SYSTEM32\zxfhajpg.exe
Deleted
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll
Detected with: Adware.Gator.X
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll
Deleted
C:\WINDOWS\AppPatch\Jview.dll
Infected with: Trojan.Downloader.JKBD
C:\WINDOWS\AppPatch\Jview.dll
Deleted
C:\WINDOWS\AppPatch\AcXtrnel.dll
Infected with: Generic.Malware.gPWS.C82BECA1
C:\WINDOWS\AppPatch\AcXtrnel.dll
Disinfection failed
C:\WINDOWS\AppPatch\AcXtrnel.dll
Deleted
C:\Program Files\HomeKeyLogger\KeyLogger.Dll
Infected with: Trojan.Spy.Keylogger.AI
C:\Program Files\HomeKeyLogger\KeyLogger.Dll
Deleted
C:\Program Files\Alwil Software\Avast4\DATA\moved\down[1].exe.vir
Infected with: Generic.Malware.SBdldsp.97CED6BB
C:\Program Files\Alwil Software\Avast4\DATA\moved\down[1].exe.vir
Disinfection failed
C:\Program Files\Alwil Software\Avast4\DATA\moved\down[1].exe.vir
Deleted
C:\Software\Spyware Registry Scanner\backup-20040312-112317-749.dll
Detected with: Application.Euniverse.H
#28
June 11th, 2008, 09:54 AM
purveet (Member)
C:\Software\Spyware Registry Scanner\backup-20040312-112317-749.dll
Disinfection failed
C:\Software\Spyware Registry Scanner\backup-20040312-112317-749.dll
Deleted
C:\Software\Spyware Registry Scanner\backups\backup-20050219-115555-572.dll
Detected with: Application.Euniverse.H
C:\Software\Spyware Registry Scanner\backups\backup-20050219-115555-572.dll
Disinfection failed
C:\Software\Spyware Registry Scanner\backups\backup-20050219-115555-572.dll
Deleted
C:\QooBox\Quarantine\C\Program Files\MyWay\myBar\2.bin\MYWAYPLUGINPROXY.CLASS.vir
Detected with: Adware.Mywebsearch.BC
C:\QooBox\Quarantine\C\Program Files\MyWay\myBar\2.bin\MYWAYPLUGINPROXY.CLASS.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dbxDgrevCheck.dll.vir
Detected with: Adware.Agent.LX
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dbxDgrevCheck.dll.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zaztamsn.exe.vir
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zaztamsn.exe.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yzztimsn.dll.vir
Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yzztimsn.dll.vir
Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yzztimsn.dll.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxcsahlp.exe.vir
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxcsahlp.exe.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\etshabty.exe.vir
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\etshabty.exe.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ismhasrv.exe.vir
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ismhasrv.exe.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\apsgdjba.dll.vir
Infected with: Trojan.Dropper.RWY
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\apsgdjba.dll.vir
Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\apsgdjba.dll.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dfqnabib.exe.vir
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dfqnabib.exe.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ghwxattb.exe.vir
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ghwxattb.exe.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lpmxajkl.exe.vir
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lpmxajkl.exe.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lpsgajba.exe.vir
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lpsgajba.exe.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mnmhgsrv.dll.vir
Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mnmhgsrv.dll.vir
Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mnmhgsrv.dll.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nhmxbjkl.dll.vir
Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nhmxbjkl.dll.vir
Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nhmxbjkl.dll.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nhmxcjkl.dll.vir
Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nhmxcjkl.dll.vir
Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nhmxcjkl.dll.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oswxcttb.dll.vir
Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oswxcttb.dll.vir
Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oswxcttb.dll.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\skqncbib.dll.vir
Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\skqncbib.dll.vir
Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\skqncbib.dll.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tjfyabyt.exe.vir
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tjfyabyt.exe.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxfhajpg.exe.vir
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxfhajpg.exe.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxptejpg.dll.vir
Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxptejpg.dll.vir
Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zxptejpg.dll.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\axptajpg.exe.vir
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\axptajpg.exe.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mpwdeapi.dll.vir
Infected with: Trojan.PWS.OnlineGames.YZK
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mpwdeapi.dll.vir
Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mpwdeapi.dll.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\siwdaapi.exe.vir
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\siwdaapi.exe.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\rising453.exe.vir
Infected with: Trojan.Downloader.Agent.YTX


#29
June 11th, 2008, 09:55 AM
purveet (Member)
C:\QooBox\Quarantine\C\WINDOWS\rising453.exe.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\AcXtrnel.dll.vir
Infected with: Generic.Malware.gPWS.C82BECA1
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\AcXtrnel.dll.vir
Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\AcXtrnel.dll.vir
Deleted
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\Jview.dll.vir
Infected with: Trojan.Downloader.JKBD
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\Jview.dll.vir
Deleted
C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\I5MN892V\root[1].gif
Infected with: DeepScan:Generic.Malware.dld!!.8E2E18BD
C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\I5MN892V\root[1].gif
Disinfection failed
C:\Documents and Settings\redilens\Local Settings\Temporary Internet Files\Content.IE5\I5MN892V\root[1].gif
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.26655
Infected with: Trojan.PWS.OnlineGames.YZK
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.26655
Disinfection failed
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.26655
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.58507
Infected with: Trojan.PWS.OnlineGames.YZK
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.58507
Disinfection failed
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.58507
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.95735
Infected with: Trojan.PWS.OnlineGames.YZK
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.95735
Disinfection failed
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.95735
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.68334
Infected with: Trojan.PWS.OnlineGames.YZK
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.68334
Disinfection failed
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.68334
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.42642
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.42642
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.80717
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.80717
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.26795
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.26795
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.68765
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.68765
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.30023
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.30023
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.79186
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.79186
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.82887
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.82887
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.34886
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.34886
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.17360
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.17360
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.37857
Infected with: Trojan.PWS.OnlineGames.YZJ
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.37857
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.13225
Infected with: Trojan.PWS.OnlineGames.YZK
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.13225
Disinfection failed
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.13225
Deleted
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.70204
Infected with: Trojan.PWS.OnlineGames.YZK
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.70204
Disinfection failed
C:\Documents and Settings\redilens\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.70204
Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YNEPATI9\root[1].gif
Infected with: DeepScan:Generic.Malware.dld!!.8E2E18BD
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YNEPATI9\root[1].gif
Disinfection failed
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YNEPATI9\root[1].gif
Deleted
#30
June 11th, 2008, 09:55 AM
purveet (Member)
ComboFix 08-06-01.6 - redilens 2008-06-11 14:13:40.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.439 [GMT 5.5:30]
Running from: C:\Documents and Settings\redilens\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jashbbty.sys
C:\WINDOWS\system32\smmhbsrv.sys
C:\WINDOWS\system32\xfztbmsn.sys

.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-11 11:55 . 2008-06-11 11:55 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-11 11:55 . 2008-06-11 11:55 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-10 15:24 . 2008-06-11 11:02 24 --a------ C:\WINDOWS\SYSTEM32\toqnabib.sys
2008-06-10 15:23 . 2008-06-11 11:02 24 --a------ C:\WINDOWS\SYSTEM32\wymxajkl.sys
2008-06-05 10:56 . 2008-06-05 10:56 250 --a------ C:\WINDOWS\gmer.ini
2008-06-05 10:42 . 2008-06-05 10:42 <DIR> d-------- C:\gmer
2008-06-04 14:20 . 2008-06-04 14:20 <DIR> d-------- C:\Documents and Settings\redilens\Application Data\Malwarebytes
2008-06-04 14:20 . 2008-06-04 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 14:20 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-04 14:20 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-04 14:16 . 2008-06-04 14:16 <DIR> d-------- C:\Program Files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 09:43 79,272 ----a-w C:\Documents and Settings\redilens\Application Data\GDIPFONTCACHEV1.DAT
2008-04-29 08:02 --------- d-sh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-29 08:02 --------- d-----w C:\Program Files\Windows Live
2008-04-29 08:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-28 07:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2003-12-05 14:09 266 --sh--w C:\Program Files\desktop.ini
2003-12-05 14:09 11,079 ---h--w C:\Program Files\folder.htt
2004-08-08 09:49 538,120 --sh--w C:\WINDOWS\SYSTEM32\mnmhgsrv.dll
2004-08-08 09:52 520 --sh--w C:\WINDOWS\SYSTEM32\snfybbyt.sys
2004-08-08 09:52 513,544 --sh--w C:\WINDOWS\SYSTEM32\ozfyebyt.dll
2004-08-08 09:54 520 --sh--w C:\WINDOWS\SYSTEM32\gpsgajba.sys
2004-08-08 09:54 520 --sh--w C:\WINDOWS\SYSTEM32\xsdjbbmp.sys
2004-08-08 09:54 520 --sh--w C:\WINDOWS\SYSTEM32\xzfhbjpg.sys
2004-08-08 09:54 513,544 --sh--w C:\WINDOWS\SYSTEM32\yxfhcjpg.dll
2004-08-08 09:53 520 --sh--w C:\WINDOWS\SYSTEM32\rnmxajkl.sys
2004-08-08 09:53 520 --sh--w C:\WINDOWS\SYSTEM32\aoqnabib.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-03_15.04.21.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-11 06:25:26 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-06-11 06:25:26 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-06-11 06:25:28 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-06-11 06:25:52 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-01-09 09:31:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 09:31:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-06-11 06:26:06 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-06-11 06:25:34 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2008-01-09 09:31:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
- 2008-06-03 05:41:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-11 06:13:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-01-09 09:31:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2008-01-09 09:31:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
+ 2008-06-05 05:26:34 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-04-17 15:43:02 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2008-06-05 05:26:34 85,969 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\gmer.sys
+ 2008-06-11 06:14:20 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_3c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C8D1401-A58D-A81C-CD24-A5915C4517C7}]
2004-08-08 15:19 538120 ---hs---- C:\WINDOWS\system32\mnmhgsrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2005-09-23 08:35 8450560 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44 1200128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 04:49 79224]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
24Online Client.lnk - C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe [2004-01-06 11:12:46 245760]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7C8D1401-A58D-A81C-CD24-A5915C4517C7}"= C:\WINDOWS\system32\mnmhgsrv.dll [2004-08-08 15:19 538120]
"{1DB3C525-5271-46F7-887A-D4E1ADAA7632}"= C:\WINDOWS\system32\hfrdzx.dll [ ]
"{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"= C:\WINDOWS\system32\zdesfx.dll [ ]
"{5E907A48-400E-4EA8-9792-FFAE052D59E9}"= C:\WINDOWS\system32\pedadt.dll [ ]
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= C:\WINDOWS\system32\wyrsdj.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"Vids.draw"= dvideo.dll
"VIDC.SP62"= SP6X_32.DLL
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"SENTINEL"= snti386.dll
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RealJukeboxSystray"=C:\Program Files\Real\RealJukebox\tsystray.exe
"Yahoo! Pager"=C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AltnetPointsManager"=c:\program files\altnet\points manager\points manager.exe -s
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"ccRegVfy"=C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
"Advanced Tools Check"=C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
"NPROTECT"=C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
"Openwares LiveUpdate"=C:\Program Files\LiveUpdate\LiveUpdate.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"RealTray"=C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
"LoadQM"=loadqm.exe
"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\hi\msnappau.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"ashMaiSv"=C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"avast! Web Scanner"=C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"NPROTECT"=C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
"ccEvtMgr"=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"ScriptBlocking"="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
"RNBOStart"=C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\EDS\\Unigraphics NX 2.0\\UGII\\ugraf.exe"=
"D:\\Program Files\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"D:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\BitTorrent\\bittorrent.exe"=
"D:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"D:\Program Files\Microsoft ActiveSync\rapimgr.exe"= D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"= D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"F:\\Games\\Age of Empires II\\Age Of Empires 2.exe"=
"E:\\Program Files\\Tally\\tally9.exe"=
"C:\\Program Files\\eLitecore\\Cyberoam Client for 24Online\\CyberoamClient.exe"=
"D:\\Program Files\\Tally 72\\tally72.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 04:50]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 04:46]
R2 Cap7134;TV Capture Card WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2002-08-25 21:30]
R2 Tally License Server;Tally License Server (NT);E:\Program Files\Tally\tallylicserver.exe [2006-12-12 16:04]
R2 ugiipqd;Unigraphics Plot Server (ugiipqd);C:\WINDOWS\system32\spool\ugplot\ugiipqd.exe [2003-07-23 19:07]
R2 Unigraphics License Server (uglmd);Unigraphics License Server (uglmd);"D:\Program Files\EDS\License Servers\UGNXFLEXlm\lmgrd.exe" [2003-06-30 18:05]
R3 PhTVTune;TV Capture Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2002-07-16 21:30]
S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys [2004-01-19 20:57]
S3 SPCA508A;Micro WebCam;C:\WINDOWS\system32\DRIVERS\SPCA508A.SYS [2000-08-17 14:30]

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 08:30:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2004-02-25 07:00:30 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2004-02-25 07:00:30 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
- C:\WINDOWS\CLEANMGR.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 14:16:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-11 14:17:01
ComboFix-quarantined-files.txt 2008-06-11 08:46:58
ComboFix5.txt 2008-06-03 09:34:54
ComboFix4.txt 2008-06-05 03:50:32
ComboFix3.txt 2008-06-05 05:24:44
ComboFix2.txt 2008-06-05 06:57:06

Pre-Run: 100,454,400 bytes free
Post-Run: 90,308,608 bytes free

206 --- E O F --- 2008-04-26 13:02:42