Here's my HT log, with the suspect item in bold. I've run MBAM on it; it finds it and says it will delete it on next boot, but does not. Also tried ComboFix, and it still pops up. No odd behavior per se, but I would still like to get rid of it.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:01 PM, on 3/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Wolf\Desktop\Apps\RootRepeal.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kfobibux] rundll32.exe "C:\WINDOWS\adoresiq.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Net Send GUI.lnk = C:\Program Files\Fomine Net Send GUI\NetSendGUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: SEAGULL J Walk Java Client 3_3C12 - http://kronos/jwalk/jwalk_ie.cab
O16 - DPF: SEAGULL J Walk Java Client 4_0C10 - http://kronos/jwalk/jwalk_ie.cab
O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} (WSpell ActiveX Spelling Checker V5.15) - http://magic/magic/wspell.cab
O16 - DPF: {25B82430-A083-4C36-9D72-A4868E744CE2} (MGCSpellCheckAM.MDictionaryAM) - http://magic/magic/wspellAM.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {F651630F-2847-4A80-8701-AD96312C9237} (IBTransferCtl Control) - https://imagedirect.dell.com/ImageDirect/Ca.../IBTransfer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37683A15-7486-45B6-A5BD-8847B5777486}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{37683A15-7486-45B6-A5BD-8847B5777486}: NameServer = 192.168.1.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{37683A15-7486-45B6-A5BD-8847B5777486}: NameServer = 192.168.1.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
--
End of file - 10512 bytes
#1
Posted 21 March 2009 - 10:23 PM
#2
Posted 21 March 2009 - 10:35 PM
Here is my MBAM log.
Malwarebytes' Anti-Malware 1.34
Database version: 1881
Windows 5.1.2600 Service Pack 3
3/21/2009 6:34:51 PM
mbam-log-2009-03-21 (18-34-51).txt
Scan type: Quick Scan
Objects scanned: 69560
Time elapsed: 4 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kfobibux (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\adoresiq.dll (Trojan.Agent) -> Delete on reboot.
On reboot, it reappears, sometimes with a different .dll name.
#3
Posted 22 March 2009 - 01:15 AM
Annnd here's a Combofix log
ComboFix 09-03-19.02 - Wolf 2009-03-21 20:56:48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1540 [GMT -4:00]
Running from: c:\documents and settings\Wolf\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.
2009-03-21 18:20 . 2009-03-21 18:20 <DIR> d-------- c:\program files\Trend Micro
2009-03-21 10:59 . 2009-03-21 10:59 <DIR> d-------- C:\VundoFix Backups
2009-03-15 14:41 . 2009-03-15 14:41 29,942,840 --a------ c:\windows\Disneyland 0o18.bmp
2009-03-15 14:35 . 2009-03-15 14:35 23,970,872 --a------ c:\windows\Disneyland 018.bmp
2009-03-01 11:41 . 2009-03-02 00:52 <DIR> d-------- c:\documents and settings\Wolf\Application Data\vlc
2009-02-26 18:44 . 2009-02-26 18:46 <DIR> d-------- C:\DS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 22:05 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-21 15:52 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-21 15:02 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-21 14:32 --------- d-----w c:\documents and settings\Wolf\Application Data\uTorrent
2009-03-21 14:25 --------- d-----w c:\program files\uTorrent
2009-03-03 00:19 --------- d-----w c:\program files\Trillian
2009-02-11 14:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 14:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-08 15:48 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-07 23:17 --------- d-----w c:\documents and settings\Wolf\Application Data\Thunderbird
2009-02-03 12:09 --------- d-----w c:\documents and settings\Wolf\Application Data\Vso
2007-05-25 23:57 92,064 ----a-w c:\documents and settings\Wolf\mqdmmdm.sys
2007-05-25 23:57 9,232 ----a-w c:\documents and settings\Wolf\mqdmmdfl.sys
2007-05-25 23:57 79,328 ----a-w c:\documents and settings\Wolf\mqdmserd.sys
2007-05-25 23:57 66,656 ----a-w c:\documents and settings\Wolf\mqdmbus.sys
2007-05-25 23:57 6,208 ----a-w c:\documents and settings\Wolf\mqdmcmnt.sys
2007-05-25 23:57 5,936 ----a-w c:\documents and settings\Wolf\mqdmwhnt.sys
2007-05-25 23:57 4,048 ----a-w c:\documents and settings\Wolf\mqdmcr.sys
2007-05-25 23:57 25,600 ----a-w c:\documents and settings\Wolf\usbsermptxp.sys
2007-05-25 23:57 22,768 ----a-w c:\documents and settings\Wolf\usbsermpt.sys
2007-04-29 23:55 76 ---ha-w c:\program files\Desktop.ini
2006-10-16 23:02 81,920 ----a-w c:\documents and settings\Wolf\Application Data\ezpinst.exe
2006-10-16 23:02 47,360 ----a-w c:\documents and settings\Wolf\Application Data\pcouffin.sys
2006-01-10 00:31 2,539 ----a-w c:\documents and settings\Wolf\settings.dat
2004-09-05 23:31 507 ----a-w c:\program files\WS_FTP.LOG
2008-12-17 21:59 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 21:59 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 21:59 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 21:59 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 21:59 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-03-21_16.33.02.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:12:08 156,160 ----a-w c:\windows\uyacuficawa.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-10-25 35328]
"SSP Notifier"="c:\program files\Fisher-Price\FP3 Player\sspnotifier.exe" [2006-07-12 20480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-24 266497]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Kfobibux"="c:\windows\uyacuficawa.dll" [2008-04-13 156160]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
c:\documents and settings\Wolf\Start Menu\Programs\Startup\
MemTurbo.lnk - c:\program files\MemTurbo30\MemTurbo.exe [2004-12-25 424448]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-04-08 221247]
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\digital imaging\bin\hpqthb08.exe [2004-05-29 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.AP41"= APmpg4v1.dll
"VIDC.MPG4"= APmpg4v1.dll
"VIDC.MP42"= APmpg4v1.dll
"VIDC.DIV3"= APmpg4v1.dll
"VIDC.DIV4"= APmpg4v1.dll
"VIDC.MP43"= APmpg4v1.dll
"vidc.jxvd"= JetMPVx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli kbagkbe.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Net Send GUI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Net Send GUI.lnk
backup=c:\windows\pss\Net Send GUI.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kfobibux]
--a------ 2008-04-13 20:12 156160 c:\windows\uyacuficawa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickGammaLoader]
--a------ 2004-09-30 17:12 6144 c:\program files\QuickGamma\QuickGammaLoader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VGAUtil]
--a------ 2004-09-17 13:32 552960 c:\program files\GigaByte\VGA Utility Manager\G-vga.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-10-25 01:37 35328 c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\games\\battlefield 2\\BF2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys [2007-03-26 13184]
R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [2004-07-12 5152]
S3 cusbohcn;cusbohcn;\??\c:\docume~1\Wolf\LOCALS~1\Temp\cusbohcn.sys --> c:\docume~1\Wolf\LOCALS~1\Temp\cusbohcn.sys [?]
S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys --> c:\windows\system32\Drivers\ubVeo532.sys [?]
S3 HwIOctl;HwIOctl;\??\c:\program files\Setup Files\MS-6702 v2.20\HwIOctl.sys --> c:\program files\Setup Files\MS-6702 v2.20\HwIOctl.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-05-25 17792]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-05-25 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-05-25 21504]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2004-12-25 11520]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{451769a2-1a2a-11dd-a5ee-000c76e49d8a}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae7d85b4-fd2b-11d8-a0a3-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fafdd1ff-4aad-11dd-a5f5-000c76e49d8a}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-03-21 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 00:53]
.
.
------- Supplementary Scan -------
.
IE: Download ALL with IDA
IE: Download with IDA
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: Documents and Settings
Trusted Zone: ntelos.com\owa
TCP: {37683A15-7486-45B6-A5BD-8847B5777486} = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: SEAGULL J Walk Java Client 3_3C12 - hxxp://kronos/jwalk/jwalk_ie.cab
DPF: SEAGULL J Walk Java Client 4_0C10 - hxxp://kronos/jwalk/jwalk_ie.cab
DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} - hxxp://magic/magic/wspell.cab
DPF: {25B82430-A083-4C36-9D72-A4868E744CE2} - hxxp://magic/magic/wspellAM.cab
DPF: {F651630F-2847-4A80-8701-AD96312C9237} - hxxps://imagedirect.dell.com/ImageDirect/CabFile/IBTransfer.cab
FF - ProfilePath - c:\documents and settings\Wolf\Application Data\Mozilla\Firefox\Profiles\jgghr65l.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\documents and settings\Wolf\Application Data\Mozilla\Firefox\Profiles\jgghr65l.default\extensions\{0784CD66-62FE-4cef-ABF4-F8ED9B654ACC}\components\tab_effect_xpcom.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\documents and settings\Wolf\Application Data\Mozilla\Firefox\Profiles\jgghr65l.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 21:04:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1957994488-854245398-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
[HKEY_USERS\S-1-5-21-1957994488-854245398-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ca,82,0c,83,a6,79,a7,49,dc,f8,1a,e5,f0,8c,b3,a0,eb,6d,35,11,ee,d0,13,
01,dd,8d,00,26,02,07,93,c1,95,a5,b1,77,13,68,48,81,2f,a6,ea,e7,2c,01,59,f1,\
"??"=hex:32,b7,6b,f2,25,26,85,b5,ee,d7,95,5d,ae,b1,f5,ad
[HKEY_LOCAL_MACHINE\software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4c,19,6f,01,cf,02,c1,41,b2,1f,f4,05,90,c2,cc,88,17,47,be,f8,9b,ba,5a,
8f,43,a3,62,93,a2,1e,6a,a3,64,b5,c4,4b,de,a3,95,2e,eb,4f,3b,c0,5b,46,e9,1e,\
"??"=hex:83,54,c4,b7,46,d2,38,d5,c4,17,6d,70,83,62,31,6f
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(988)
c:\windows\kbagkbe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\digital imaging\bin\hpqgalry.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-03-21 21:12:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-22 01:12:17
ComboFix2.txt 2009-03-21 20:35:30
ComboFix3.txt 2008-12-06 16:13:02
Pre-Run: 17,324,957,696 bytes free
Post-Run: 17,310,318,592 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
237 --- E O F --- 2009-03-15 07:04:39
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-04-08 221247]
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\digital imaging\bin\hpqthb08.exe [2004-05-29 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.AP41"= APmpg4v1.dll
"VIDC.MPG4"= APmpg4v1.dll
"VIDC.MP42"= APmpg4v1.dll
"VIDC.DIV3"= APmpg4v1.dll
"VIDC.DIV4"= APmpg4v1.dll
"VIDC.MP43"= APmpg4v1.dll
"vidc.jxvd"= JetMPVx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli kbagkbe.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Net Send GUI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Net Send GUI.lnk
backup=c:\windows\pss\Net Send GUI.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kfobibux]
--a------ 2008-04-13 20:12 156160 c:\windows\uyacuficawa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickGammaLoader]
--a------ 2004-09-30 17:12 6144 c:\program files\QuickGamma\QuickGammaLoader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VGAUtil]
--a------ 2004-09-17 13:32 552960 c:\program files\GigaByte\VGA Utility Manager\G-vga.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-10-25 01:37 35328 c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\games\\battlefield 2\\BF2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys [2007-03-26 13184]
R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [2004-07-12 5152]
S3 cusbohcn;cusbohcn;\??\c:\docume~1\Wolf\LOCALS~1\Temp\cusbohcn.sys --> c:\docume~1\Wolf\LOCALS~1\Temp\cusbohcn.sys [?]
S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys --> c:\windows\system32\Drivers\ubVeo532.sys [?]
S3 HwIOctl;HwIOctl;\??\c:\program files\Setup Files\MS-6702 v2.20\HwIOctl.sys --> c:\program files\Setup Files\MS-6702 v2.20\HwIOctl.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-05-25 17792]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-05-25 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-05-25 21504]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2004-12-25 11520]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{451769a2-1a2a-11dd-a5ee-000c76e49d8a}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae7d85b4-fd2b-11d8-a0a3-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fafdd1ff-4aad-11dd-a5f5-000c76e49d8a}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-03-21 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 00:53]
.
.
------- Supplementary Scan -------
.
IE: Download ALL with IDA
IE: Download with IDA
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: Documents and Settings
Trusted Zone: ntelos.com\owa
TCP: {37683A15-7486-45B6-A5BD-8847B5777486} = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: SEAGULL J Walk Java Client 3_3C12 - hxxp://kronos/jwalk/jwalk_ie.cab
DPF: SEAGULL J Walk Java Client 4_0C10 - hxxp://kronos/jwalk/jwalk_ie.cab
DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} - hxxp://magic/magic/wspell.cab
DPF: {25B82430-A083-4C36-9D72-A4868E744CE2} - hxxp://magic/magic/wspellAM.cab
DPF: {F651630F-2847-4A80-8701-AD96312C9237} - hxxps://imagedirect.dell.com/ImageDirect/CabFile/IBTransfer.cab
FF - ProfilePath - c:\documents and settings\Wolf\Application Data\Mozilla\Firefox\Profiles\jgghr65l.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\documents and settings\Wolf\Application Data\Mozilla\Firefox\Profiles\jgghr65l.default\extensions\{0784CD66-62FE-4cef-ABF4-F8ED9B654ACC}\components\tab_effect_xpcom.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\documents and settings\Wolf\Application Data\Mozilla\Firefox\Profiles\jgghr65l.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 21:04:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1957994488-854245398-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
[HKEY_USERS\S-1-5-21-1957994488-854245398-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ca,82,0c,83,a6,79,a7,49,dc,f8,1a,e5,f0,8c,b3,a0,eb,6d,35,11,ee,d0,13,
01,dd,8d,00,26,02,07,93,c1,95,a5,b1,77,13,68,48,81,2f,a6,ea,e7,2c,01,59,f1,\
"??"=hex:32,b7,6b,f2,25,26,85,b5,ee,d7,95,5d,ae,b1,f5,ad
[HKEY_LOCAL_MACHINE\software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4c,19,6f,01,cf,02,c1,41,b2,1f,f4,05,90,c2,cc,88,17,47,be,f8,9b,ba,5a,
8f,43,a3,62,93,a2,1e,6a,a3,64,b5,c4,4b,de,a3,95,2e,eb,4f,3b,c0,5b,46,e9,1e,\
"??"=hex:83,54,c4,b7,46,d2,38,d5,c4,17,6d,70,83,62,31,6f
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(988)
c:\windows\kbagkbe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\digital imaging\bin\hpqgalry.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-03-21 21:12:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-22 01:12:17
ComboFix2.txt 2009-03-21 20:35:30
ComboFix3.txt 2008-12-06 16:13:02
Pre-Run: 17,324,957,696 bytes free
Post-Run: 17,310,318,592 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
237 --- E O F --- 2009-03-15 07:04:39
#4
Posted 22 March 2009 - 01:41 AM
I should clarify the reason for the difference in the suspect .dll name in the logs. In between getting those logs I tried deleting the dll in safe mode, as well as manually removing the registry key, so it showed back up with a different name.
Any and all help will be greatly appreciated, thanks.
#5
Posted 22 March 2009 - 02:10 PM
Ok, think I got it. I replaced my lsass.exe, and deleted the 2 .dlls in question via the recovery console. MBAM runs clean now, as does HJT.