#1
Posted 20 July 2009 - 01:55 AM
Ran Rootrepeal after finally cleaning my computer of the TDSS hell and found this still showing up:
Service name: UACd.sys
Image Path: C:\WinNT\system32\drivers\UACqfwowxdapamixevdy.sys
However, I believe I deleted that file beforehand instead of choosing "Wipe" from Rootrepeal and then running MBAM.
I see it in my registry and only get an error when trying to delete it in Normal or Safe mode.
Any suggestions?
Thank you in advance!
#2
Posted 20 July 2009 - 03:20 PM
Hi ya and welcome to the MBAM help forums 
If the file UACqfwowxdapamixevdy.sys has been removed by MBAM then this is just the orphaned service key. The malware changed the permissions on the key to make it hard to remove.
STEP 01
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
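The orphaned-key situation described in the reply above (a service key whose driver file is gone, with permissions altered so the key resists deletion) is something a defender can enumerate rather than discover one key at a time. The script below is an added example, not code from this thread, from Malwarebytes or from ComboFix. It assumes a modern Windows host with PowerShell 5.1 or later run from an elevated prompt (the Windows 2000 machine in the thread has no PowerShell); `Resolve-ServiceImagePath` and `Get-OrphanedServiceKey` are my own names.

```powershell
# Added example (not from the forum thread, Malwarebytes or ComboFix).
# Lists service/driver keys whose ImagePath no longer exists on disk, i.e.
# orphaned keys like Service_UACd.sys in the thread, and reports each key's
# ACL so a key that was locked down (Deny ACEs, inheritance stripped,
# Administrators without Full Control) stands out. Assumes an elevated
# PowerShell 5.1+ prompt; function names are assumptions of this example.

function Resolve-ServiceImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim()

    # Strip the NT object-manager prefix some driver entries carry: \??\C:\...
    $p = $p -replace '^\\\?\?\\', ''
    # \SystemRoot\system32\drivers\x.sys -> <SystemRoot>\system32\drivers\x.sys
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')

    # Separate the binary from any arguments: quoted path, or the first token
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.TrimStart('"') }
    } else {
        $p = ($p -split '\s+')[0]
    }
    $p = [Environment]::ExpandEnvironmentVariables($p)

    # Relative driver paths (system32\drivers\x.sys) are rooted at %SystemRoot%;
    # drive-letter and UNC paths are left alone
    if ($p -notmatch '^[A-Za-z]:\\' -and $p -notmatch '^\\\\') {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-OrphanedServiceKey {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath `
                          -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath) { continue }          # no binary configured: skip
        $resolved = Resolve-ServiceImagePath $imagePath
        if (-not $resolved -or (Test-Path -LiteralPath $resolved)) { continue }

        # The file is gone: inspect the key's ACL for signs it was locked down
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        $denies = @()
        $adminsFull = $false
        if ($acl) {
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Deny') {
                    $denies += "$($ace.IdentityReference)=$($ace.RegistryRights)"
                } elseif ($ace.IdentityReference -like '*\Administrators' -and
                          $ace.RegistryRights -eq 'FullControl') {
                    $adminsFull = $true
                }
            }
        }
        [pscustomobject]@{
            Service           = $key.PSChildName
            ImagePath         = $imagePath
            ResolvedPath      = $resolved
            DenyAces          = ($denies -join '; ')
            AdminsFullControl = $adminsFull
            InheritanceBroken = if ($acl) { $acl.AreAccessRulesProtected } else { $null }
        }
    }
}

# Usage: print the triage list; pipe to Export-Csv to keep it with the case notes
Get-OrphanedServiceKey | Format-Table -AutoSize
```

The output is a triage list, not a verdict: uninstalled software routinely leaves keys with a missing binary and an untouched ACL. What matches the reply's description is the combination of a missing driver file with a Deny entry, `InheritanceBroken` set, or `AdminsFullControl` false on the same key. A key that the script cannot read at all (it is silently skipped here) deserves a manual look in regedit for the same reason.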
#3
Posted 20 July 2009 - 07:21 PM
Thank you.
After I was hit with that rootkit for letting a friend on my computer, I Google'd around and came across this website. I'm glad it exists and I'll be more than happy to recommend it to my friends as well.
But, back to this matter...
Attachment: ComboFix.txt (10.61K, 67 downloads)
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:13 PM, on 7/20/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\internat.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\YouTube Downloader\MoyeaCth.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [KeePass Password Safe] "C:\Program Files\KeePass Password Safe\KeePass.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Wetrix\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1239868587986
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: JCDPFMP - Unknown owner - C:\DOCUME~1\Wetrix\LOCALS~1\Temp\JCDPFMP.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
--
End of file - 7040 bytes
#4
Posted 20 July 2009 - 07:48 PM
Hi ya,
Would you be so kind as to copy and paste the contents of combofix.txt into your next reply so it appears like the HJT report and not as an attached document.
Thanks in advance
#5
Posted 20 July 2009 - 08:25 PM
ComboFix 09-07-19.04 - Wetrix 07/20/2009 12:05.1.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.1692 [GMT -8:00]
Running from: c:\documents and settings\Wetrix\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Wetrix\LOCALS~1\Temp\CmdLineExt02.dll
c:\documents and settings\Wetrix\Local Settings\Temp\CmdLineExt02.dll
c:\winnt\Web\default.htt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.
2009-07-20 20:12 . 2009-07-20 20:12 16384 ----a-w- c:\winnt\system32\Perflib_Perfdata_510.dat
2009-07-20 20:12 . 2009-07-20 20:12 16384 ----a-w- c:\winnt\system32\Perflib_Perfdata_244.dat
2009-07-20 02:43 . 2009-07-20 02:43 -------- d-----w- c:\program files\CCleaner
2009-07-19 23:42 . 2009-07-19 23:43 -------- d-----w- c:\documents and settings\Wetrix\DoctorWeb
2009-07-19 19:00 . 2009-07-13 21:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-19 19:00 . 2009-07-19 19:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 19:00 . 2009-07-13 21:36 18456 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-07-19 18:50 . 2009-07-19 18:50 -------- d-----w- c:\documents and settings\Wetrix\Application Data\Malwarebytes
2009-07-19 18:50 . 2009-07-19 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-16 18:33 . 2009-02-05 21:06 23152 ----a-w- c:\winnt\system32\drivers\aswRdr.sys
2009-07-16 18:33 . 2009-02-05 21:06 51376 ----a-w- c:\winnt\system32\drivers\aswTdi.sys
2009-07-16 18:33 . 2009-02-05 21:05 26944 ----a-w- c:\winnt\system32\drivers\aavmker4.sys
2009-07-16 18:33 . 2009-02-05 21:04 97480 ----a-w- c:\winnt\system32\AvastSS.scr
2009-07-16 18:33 . 2009-02-05 21:08 93296 ----a-w- c:\winnt\system32\drivers\aswmon.sys
2009-07-16 18:33 . 2009-02-05 21:08 94032 ----a-w- c:\winnt\system32\drivers\aswmon2.sys
2009-07-16 18:33 . 2009-02-05 21:07 114768 ----a-w- c:\winnt\system32\drivers\aswSP.sys
2009-07-16 18:33 . 2009-02-05 21:07 20560 ----a-w- c:\winnt\system32\drivers\aswFsBlk.sys
2009-07-16 18:33 . 2009-02-05 21:11 1256296 ----a-w- c:\winnt\system32\aswBoot.exe
2009-07-16 18:33 . 2009-07-16 18:33 -------- d-----w- c:\program files\Alwil Software
2009-07-16 17:54 . 2005-07-13 08:22 138000 ----a-w- c:\winnt\system32\dllcache\faxui.dll
2009-07-16 09:43 . 2009-07-16 09:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-13 07:39 . 2009-07-13 07:39 -------- d-----w- c:\program files\Uniblue
2009-07-13 07:16 . 2007-01-18 12:00 3968 ----a-w- c:\winnt\system32\drivers\AvgArCln.sys
2009-07-13 01:49 . 2009-07-13 01:49 664 ----a-w- c:\winnt\system32\d3d9caps.dat
2009-07-12 06:54 . 2009-07-12 06:55 -------- d-----w- c:\program files\AVG
2009-07-12 06:13 . 2009-07-12 06:13 -------- d-----w- c:\documents and settings\Wetrix\Local Settings\Application Data\Blizzard Entertainment
2009-06-22 08:28 . 2009-06-22 08:28 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-22 08:28 . 2009-06-22 08:28 207872 ----a-w- c:\documents and settings\Wetrix\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-06-22 08:28 . 2009-06-22 08:28 207872 ----a-w- c:\documents and settings\Wetrix\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-06-22 08:28 . 2009-06-22 08:28 207872 ----a-w- c:\documents and settings\Wetrix\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-06-22 08:28 . 2009-06-22 08:28 207872 ----a-w- c:\documents and settings\Wetrix\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll
2009-06-22 08:28 . 2009-06-22 08:28 -------- d-----w- c:\documents and settings\Wetrix\Application Data\SystemRequirementsLab
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 07:57 . 2009-07-15 07:57 -------- d-----w- c:\program files\ANI
2009-07-15 07:57 . 2009-07-15 07:57 -------- d-----w- c:\program files\D-Link
2009-06-16 04:48 . 1999-12-07 20:00 81168 ----a-w- c:\winnt\system32\fontsub.dll
2009-06-16 04:48 . 1999-12-07 20:00 165136 ----a-w- c:\winnt\system32\t2embed.dll
2009-06-03 03:23 . 2006-08-11 20:43 1225728 ----a-w- c:\winnt\system32\quartz.dll
2009-06-01 06:06 . 2007-11-25 03:05 54328 ----a-w- c:\documents and settings\Wetrix\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-07 06:41 . 1999-12-07 20:00 263440 ----a-w- c:\winnt\system32\LOCALSPL.DLL
2009-05-01 06:02 . 2009-05-01 06:02 1579630 ----a-w- c:\winnt\system32\nvdata.bin
2009-04-24 09:54 . 1999-12-07 20:00 95504 ----a-w- c:\winnt\system32\WIN32SPL.DLL
2009-04-22 13:38 . 2009-04-22 13:38 437008 ----a-w- c:\winnt\system32\rpcrt4.dll
2009-04-21 23:15 . 2009-04-21 23:15 576512 ----a-w- c:\winnt\system32\WININET.DLL
2006-08-11 18:22 . 2006-08-11 18:22 21952 ---h--w- c:\program files\folder.htt
2009-06-18 02:23 . 2008-08-23 02:50 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeePass Password Safe"="c:\program files\KeePass Password Safe\KeePass.exe" [2009-02-12 757248]
"internat.exe"="internat.exe" - c:\winnt\system32\internat.exe [1999-12-07 20752]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2001-03-20 45056]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-23 81920]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"CTDVDDET"="c:\program files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-16 57344]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2007-04-19 86016]
"D-Link RangeBooster G WDA-2320"="c:\program files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe" [2005-12-15 2490368]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2007-04-19 1626112]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]
c:\documents and settings\Wetrix\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2008-8-22 307704]
R0 axwhisky;axwhisky;c:\winnt\system32\drivers\axwhisky.sys [7/2/2003 5:41 PM 5248]
R0 axwskbus;axwskbus;c:\winnt\system32\drivers\axwskbus.sys [7/2/2003 4:49 PM 124160]
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [7/16/2009 10:33 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [7/16/2009 10:33 AM 20560]
R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [7/16/2009 10:33 AM 93296]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\winnt\system32\drivers\A3AB.sys [8/25/2005 3:00 PM 466880]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [8/11/2006 10:50 AM 49776]
S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.360\ATI Tray Tools\atitray.sys --> c:\program files\Radeon Omega Drivers\v3.8.360\ATI Tray Tools\atitray.sys [?]
S3 3cisaadi;3Com Windows Modem Driver ISA ADI;c:\winnt\system32\drivers\3cisaadi.sys [8/11/2006 10:15 AM 792176]
S3 cpuz132;cpuz132;c:\winnt\system32\drivers\cpuz132_x32.sys [5/4/2009 6:20 PM 12672]
S3 FA31X;NETGEAR FA311/FA312 NDIS 5.0 Miniport Driver;c:\winnt\system32\drivers\FA31XND5.SYS [9/3/2001 2:12 PM 22040]
S3 JCDPFMP;JCDPFMP;c:\docume~1\Wetrix\LOCALS~1\Temp\JCDPFMP.exe --> c:\docume~1\Wetrix\LOCALS~1\Temp\JCDPFMP.exe [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-POINTER - point32.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
IE: Download &all with DAP - c:\progra~1\DAP\dapextie2.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Wetrix\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Wetrix\Application Data\Mozilla\Firefox\Profiles\xrlryv72.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 12:12
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(260)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
- - - - - - - > 'explorer.exe'(5508)
c:\winnt\AppPatch\AcLayers.DLL
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\winnt\system32\SHDOCVW.DLL
.
Completion time: 2009-07-20 12:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-20 20:15
Pre-Run: 1,336,541,184 bytes free
Post-Run: 4,608,098,304 bytes free
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2001-03-20 45056]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-23 81920]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"CTDVDDET"="c:\program files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-16 57344]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2007-04-19 86016]
"D-Link RangeBooster G WDA-2320"="c:\program files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe" [2005-12-15 2490368]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2007-04-19 1626112]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]
c:\documents and settings\Wetrix\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2008-8-22 307704]
R0 axwhisky;axwhisky;c:\winnt\system32\drivers\axwhisky.sys [7/2/2003 5:41 PM 5248]
R0 axwskbus;axwskbus;c:\winnt\system32\drivers\axwskbus.sys [7/2/2003 4:49 PM 124160]
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [7/16/2009 10:33 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [7/16/2009 10:33 AM 20560]
R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [7/16/2009 10:33 AM 93296]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\winnt\system32\drivers\A3AB.sys [8/25/2005 3:00 PM 466880]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [8/11/2006 10:50 AM 49776]
S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.360\ATI Tray Tools\atitray.sys --> c:\program files\Radeon Omega Drivers\v3.8.360\ATI Tray Tools\atitray.sys [?]
S3 3cisaadi;3Com Windows Modem Driver ISA ADI;c:\winnt\system32\drivers\3cisaadi.sys [8/11/2006 10:15 AM 792176]
S3 cpuz132;cpuz132;c:\winnt\system32\drivers\cpuz132_x32.sys [5/4/2009 6:20 PM 12672]
S3 FA31X;NETGEAR FA311/FA312 NDIS 5.0 Miniport Driver;c:\winnt\system32\drivers\FA31XND5.SYS [9/3/2001 2:12 PM 22040]
S3 JCDPFMP;JCDPFMP;c:\docume~1\Wetrix\LOCALS~1\Temp\JCDPFMP.exe --> c:\docume~1\Wetrix\LOCALS~1\Temp\JCDPFMP.exe [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-POINTER - point32.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
IE: Download &all with DAP - c:\progra~1\DAP\dapextie2.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Wetrix\Start Menu\Programs\IMVU\Run IMVU.lnk
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Wetrix\Application Data\Mozilla\Firefox\Profiles\xrlryv72.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 12:12
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(260)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
- - - - - - - > 'explorer.exe'(5508)
c:\winnt\AppPatch\AcLayers.DLL
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\winnt\system32\SHDOCVW.DLL
.
Completion time: 2009-07-20 12:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-20 20:15
Pre-Run: 1,336,541,184 bytes free
Post-Run: 4,608,098,304 bytes free
#6
Posted 20 July 2009 - 08:39 PM
Hi ya,
Your logs are looking good to go
Any more issues?
#7
Posted 20 July 2009 - 08:50 PM
Yeah, it removed my registry with pointer32, which has affected my keyboard and mouse software.
How would I repair that?
And thank you once again.
#8
Posted 21 July 2009 - 01:53 PM
Hi ya,
Not sure why CF has gone after that entry but it is easily restored.
Navigate to C:\QooBox
Locate the file named HKLM-Run-POINTER.reg.dat
Rename it to HKLM-Run-POINTER.reg
Then double click on the file to remerge the data back into your registry.
Reboot to see if that solves the issue.
Thanks in advance
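The restore steps from the post above, written as a cmd batch file that first shows the backup and checks that it really is the expected Run-key export before merging it. This is an added example, not ComboFix's own tooling and not part of the original thread; it assumes the .reg.dat file in C:\QooBox is a plain .reg export naming the HKLM Run key and the POINTER value.

```batch
@echo off
setlocal
rem Added example, not ComboFix's own tooling: restore the HKLM Run "POINTER"
rem value that ComboFix backed up to C:\QooBox, after inspecting the backup.
set "BACKUP=C:\QooBox\HKLM-Run-POINTER.reg.dat"
set "RESTORE=C:\QooBox\HKLM-Run-POINTER.reg"

if not exist "%BACKUP%" (
    echo Backup not found: %BACKUP%
    exit /b 1
)

rem Show the export so the operator reads it before anything touches the registry.
type "%BACKUP%"
echo.

rem Sanity checks (assumption: the backup is a plain .reg export of the removed value).
rem It must target the HKLM Run key and carry the POINTER value; otherwise do not merge.
findstr /i /l /c:"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]" "%BACKUP%" >nul
if errorlevel 1 (
    echo Backup does not reference the expected Run key; not merging.
    exit /b 1
)
findstr /i /l /c:"POINTER" "%BACKUP%" >nul
if errorlevel 1 (
    echo Backup does not contain the POINTER value; not merging.
    exit /b 1
)

rem Same steps as the post, scripted: rename .reg.dat to .reg, then merge silently.
ren "%BACKUP%" "HKLM-Run-POINTER.reg"
regedit /s "%RESTORE%"
echo Merged %RESTORE%. Reboot and confirm the keyboard/mouse software loads again.
endlocal
```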