Medichi2.exe



#1 beer guy (New Member, 1 posts)

ComboFix 07-12-21.4 - Compaq_Owner 2007-12-24 1:57:55.1 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\0TSHMVK9\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.\documents\settings\config.ini
C:\Documents and Settings\All Users.\documents\settings\ivn4.dll
C:\Documents and Settings\Jenna\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Jenna\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Jenna\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Jenna\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM2
C:\Program Files\ISM2\adhydraupd.exe
C:\Program Files\ISM2\ISMPack7.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\racle~1
C:\svchost.exe
C:\WINDOWS\system32\90665.exe
C:\WINDOWS\system32\96312.exe
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\icqmlib.exe
C:\WINDOWS\system32\iepref32.dll
C:\WINDOWS\system32\ierplc.dll
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\ips.dll
C:\WINDOWS\system32\lanmandrv.sys
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\laprxy.dllexe
C:\WINDOWS\system32\ocxapi.dll
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\rasqervy.dll
C:\WINDOWS\system32\regscan.exe
C:\WINDOWS\system32\sdfinacs.dll
C:\WINDOWS\system32\wcpisvcc.exe
C:\WINDOWS\system32\wuasirvy.dll
D:\Autorun.inf
C:\Documents and Settings\All Users.\documents\settings

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_LANMANDRV
-------\LEGACY_NETWORK_MONITOR
-------\lanmandrv


((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-24 17:54 . 2007-12-24 17:55 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\MSNInstaller
2007-12-24 14:06 . 2007-12-24 02:03 <DIR> d-------- C:\Program Files\Norton 360
2007-12-24 14:05 . 2007-12-24 13:27 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-24 14:05 . 2007-12-24 13:27 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-24 14:04 . 2007-12-24 13:27 <DIR> d-------- C:\Program Files\Symantec
2007-12-24 13:31 . 2007-12-24 13:31 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SupportSoft
2007-12-24 12:36 . 2007-12-24 11:08 74,608 --a------ C:\WINDOWS\TrueInstall.exe
2007-12-24 10:39 . 2007-12-24 12:42 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\TrueSwitch
2007-12-23 17:19 . 2007-12-24 02:03 9,216 --a------ C:\WINDOWS\medichi2.exe
2007-12-23 17:19 . 2007-12-24 02:03 5,632 --a------ C:\WINDOWS\medichi.exe
2007-12-23 13:58 . 2007-12-23 13:58 244 --ah----- C:\sqmnoopt00.sqm
2007-12-23 13:58 . 2007-12-23 13:58 244 --ah----- C:\sqmdata00.sqm
2007-12-23 09:14 . 2007-12-23 09:14 0 --a------ C:\WINDOWS\system32\hidrwupd.dll
2007-12-22 13:22 . 2007-10-10 18:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-22 13:22 . 2007-06-30 22:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-22 13:22 . 2007-06-30 22:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-22 13:22 . 2007-10-10 18:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-22 13:22 . 2007-10-10 18:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-22 13:22 . 2007-10-10 18:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-22 13:22 . 2007-10-10 18:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-22 13:22 . 2007-10-10 18:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-22 13:22 . 2007-10-10 05:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-22 13:09 . 2007-12-22 13:09 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-22 12:50 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-22 12:50 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-22 12:50 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-22 12:50 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-21 19:07 . 2007-02-28 04:10 2,180,352 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-12-21 19:07 . 2007-02-28 04:08 2,136,064 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-12-21 19:07 . 2007-02-28 03:38 2,057,600 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-12-21 19:07 . 2007-02-28 03:38 2,015,744 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2007-12-21 19:02 . 2006-06-01 13:47 163,840 --------- C:\WINDOWS\system32\dllcache\jgdw400.dll
2007-12-21 19:02 . 2006-06-01 13:47 27,648 --------- C:\WINDOWS\system32\dllcache\jgpl400.dll
2007-12-21 18:58 . 2006-05-05 04:41 453,120 --------- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2007-12-20 22:18 . 2007-12-24 16:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 22:18 . 2007-12-20 22:18 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-18 15:07 . 2007-12-24 13:27 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-18 15:07 . 2007-12-24 13:27 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-18 15:01 . 2007-12-18 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2007-12-16 13:24 . 2007-12-16 13:24 630,784 --a------ C:\Documents and Settings\Compaq_Owner\GoToAssist_chat2way__317_en.exe
2007-12-15 18:12 . 2007-12-15 18:12 8,711 --a------ C:\info.exe
2007-12-14 08:05 . 2007-12-22 08:00 <DIR> d-------- C:\Program Files\RegistryFix
2007-12-07 08:02 . 2007-12-24 02:04 5 --a------ C:\WINDOWS\system32\sdfixwcs.dll
2007-12-07 07:56 . 2007-12-22 08:00 <DIR> d-------- C:\Program Files\MSN Messenger
2007-12-07 07:55 . 2007-12-07 07:55 <DIR> d-------- C:\Program Files\Snapfish Picture Mover
2007-12-07 06:34 . 2007-12-07 06:34 1,291,776 --a------ C:\WINDOWS\MailSwitch.ocx
2007-12-07 03:15 . 2007-12-07 07:54 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-06 21:22 . 2007-12-06 21:22 <DIR> d-------- C:\Documents and Settings\Jenna\Contacts
2007-12-06 15:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-06 14:20 . 2007-12-22 08:00 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Contacts
2007-12-06 14:09 . 2007-12-06 14:17 <DIR> d-------- C:\Program Files\Windows Live
2007-12-06 14:09 . 2007-12-07 07:56 <DIR> d----c--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-06 14:09 . 2007-12-06 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-05 19:24 . 2007-12-23 12:22 17,920 --a------ C:\WINDOWS\msacm32.drv
2007-12-05 19:24 . 2007-12-24 02:05 138 --a------ C:\WINDOWS\system32\wuasirvy.dll
2007-12-03 11:58 . 2007-12-03 11:58 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Motive
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-30 06:26 . 2007-12-06 14:17 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Aim
2007-11-24 11:26 . 2007-11-24 11:25 37,376 --a------ C:\WINDOWS\system32\KernelDrv.exe
2007-11-24 11:26 . 2007-12-22 22:16 12,288 --a------ C:\WINDOWS\system32\Dll.dll
2007-11-24 11:25 . 2007-12-24 16:34 26,290 --a------ C:\WINDOWS\system32\kcopt.dll
2007-11-24 11:25 . 2007-12-24 16:34 5,845 --a------ C:\WINDOWS\system32\ksvcl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-24 18:19 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\MSN6
2007-12-24 07:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-23 22:18 53,248 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2007-12-23 19:32 --------- d-----w C:\Program Files\DYMO Label
2007-12-19 12:01 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Symantec
2007-12-17 21:25 --------- d-----w C:\Program Files\AIM
2007-12-16 20:03 --------- d-----w C:\Documents and Settings\Jenna\Application Data\MSN6
2007-12-14 16:05 --------- d-----w C:\Program Files\Verizon
2007-12-08 20:45 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-12-07 12:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-06 19:16 --------- d-----w C:\Program Files\WildTangent
2007-12-04 23:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-30 02:33 --------- d-----w C:\Program Files\AOD
2007-11-30 02:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-23 01:22 --------- d-----w C:\Program Files\LimeWire
2007-11-19 16:43 --------- d-----w C:\Program Files\Motive
2007-11-19 16:43 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-18 22:53 --------- d-----w C:\Program Files\Real
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-04 12:17 24,192 -c--a-w C:\Documents and Settings\Compaq_Owner\usbsermptxp.sys
2007-09-04 12:17 22,768 -c--a-w C:\Documents and Settings\Compaq_Owner\usbsermpt.sys
2007-06-18 21:22 24,192 -c--a-w C:\Documents and Settings\Jenna\usbsermptxp.sys
2007-06-18 21:22 22,768 -c--a-w C:\Documents and Settings\Jenna\usbsermpt.sys
2006-08-25 17:35 53,850 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\FNTCACHE.BIN
2006-08-19 16:02 807,173 -c--a-w C:\Documents and Settings\Jenna\Application Data\FNTCACHE.BIN
2006-08-17 15:59 14,200 -c--a-w C:\Documents and Settings\Jenna\Application Data\perfc012.dat
2006-07-24 04:30 375 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\perfc012.dat
2006-05-17 02:17 188 -c--a-w C:\Documents and Settings\Jenna\Application Data\wklnhst.dat
2006-02-04 16:06 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2006-02-04 14:19 389,120 -c--a-w C:\Documents and Settings\Compaq_Owner\remote.exe
2006-02-01 20:55 0 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:00]
"Medichi"="medichi.exe" [2007-12-24 02:03 C:\WINDOWS\medichi.exe]
"Medichi2"="medichi2.exe" [2007-12-24 02:03 C:\WINDOWS\medichi2.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 20:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-11-12 19:51:38]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)
"NoWindowsUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ivn4reg]
C:\Documents and Settings\All Users\Documents\Settings\ivn4.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
backup=C:\WINDOWS\pss\NaturalColorLoad.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TotalMedia Backup & Record Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup & Record Monitor.lnk
backup=C:\WINDOWS\pss\TotalMedia Backup & Record Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-07-17 20:54 116072 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-06-20 21:36 1207080 --a------ C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-09 19:24 50760 --a------ C:\Program Files\Common Files\AOL\1138844902\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-16 23:11 49152 --a------ C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-09-12 00:58 229952 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelDrv.exe]
2007-11-24 11:25 37376 --a------ C:\WINDOWS\System32\KernelDrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Medichi]
medichi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Medichi2]
medichi2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-09-13 21:36 50688 --a------ C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SFP]
C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 13:03 36975 --a------ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
2007-03-11 16:37 936960 --a------ C:\Program Files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2004-08-13 23:42 36864 --------- C:\Program Files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe /startup C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 02:05:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\medichi.exe [2888] 0x88EB0DA0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-24 2:08:17 - machine was rebooted
.
2007-12-24 10:22:08 --- E O F ---
#2 racenutalways (Retired Staff, Member 1K, 1,663 posts)

Hello beer guy and welcome to G2G. You have a few infections in there, so let's get started. Please keep me updated on how the machine is running.
You have ComboFix running from a temp file; since temp files get deleted, download it from here and place it on your desktop. It is much easier to find that way.

Download ComboFix from Here or Here to your Desktop.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\medichi2.exe
C:\WINDOWS\medichi.exe
C:\WINDOWS\system32\hidrwupd.dll
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\system32\ksvcl.dll
C:\Documents and Settings\All Users\Documents\Settings\ivn4.dll
C:\WINDOWS\System32\KernelDrv.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Medichi"=-
"Medichi2"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ivn4reg]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelDrv.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Medichi]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Medichi2]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=-
"NoWindowsUpdate"=-



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you also use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you also use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


SUPERAntiSpyware Home Edition (free version) - Download - Home Page

1. Install it and double-click the icon on your desktop to run it.
2. It will ask if you want to update the program definitions, click Yes.
3. Under Configuration and Preferences, click the Preferences button.
4. Click the Scanning Control tab.
5. Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  Please leave the others unchecked.
  Click the Close button to leave the control center screen.

6. On the main screen, under Scan for Harmful Software click Scan your computer.
7. On the left check C:\Fixed Drive.
8. On the right, under Complete Scan, choose Perform Complete Scan.
9. Click Next to start the scan. Please be patient while it scans your computer.
10. After the scan is complete a summary box will appear. Click OK.
11. Make sure everything in the white box has a check next to it, then click Next.
12. It will quarantine what it found and if it asks if you want to reboot, click Yes.
13. To retrieve the removal information for me, please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.

14. Click close and close again to exit the program.
15. Save the log information. If needed (still infected) paste this info along with your HijackThis log.

So, what I need from you are the HJT, new combofix, Super AS and SDfix logs.
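The check racenutalways did by hand above, written out as an added Python example (not from the thread, from ComboFix or from its authors): it parses a constructed excerpt shaped like the log's Reg Loading Points section, flags the policy lockouts and the Run entries that name a bare file instead of a full path, and emits the matching CFScript Registry:: block. The excerpt, the LOCKOUT_VALUES set and all function names are assumptions of this example.

```python
import re

# Constructed excerpt in the shape of ComboFix's "Reg Loading Points" section,
# modelled on the log in post #1 (trimmed; not a real capture).
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:00]
"Medichi"="medichi.exe" [2007-12-24 02:03 C:\WINDOWS\medichi.exe]
"Medichi2"="medichi2.exe" [2007-12-24 02:03 C:\WINDOWS\medichi2.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)
"NoWindowsUpdate"= 1 (0x1)
"""

# Policy values that malware sets to lock the user out of their own tools (assumed set).
LOCKOUT_VALUES = {"DisableRegistryTools", "DisableTaskMgr", "NoControlPanel", "NoWindowsUpdate"}
SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_points(text):
    """Return {key_path: {value_name: raw_data}} for a REGEDIT4-style dump."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            sections[current][val.group(1)] = val.group(2)
    return sections


def find_lockouts(sections):
    """Known lockout policy values set to 1 under a policies\\system or policies\\explorer key."""
    hits = {}
    for key, values in sections.items():
        if key.lower().endswith(("\\policies\\system", "\\policies\\explorer")):
            names = [n for n, data in values.items()
                     if n in LOCKOUT_VALUES and data.lstrip().startswith("1")]
            if names:
                hits[key] = names
    return hits


def find_bare_run_entries(sections):
    """Run values whose data is a bare file name, so Windows resolves it by search
    order; ComboFix prints the file it actually resolved to in the brackets."""
    hits = {}
    for key, values in sections.items():
        if key.lower().endswith("\\currentversion\\run"):
            names = [n for n, data in values.items()
                     if (m := re.match(r'^"([^"]*)"', data)) and "\\" not in m.group(1)]
            if names:
                hits[key] = names
    return hits


def build_cfscript_registry(*finding_sets):
    """Emit a CFScript Registry:: block; "name"=- tells ComboFix to delete that value."""
    lines = ["Registry::"]
    for hits in finding_sets:
        for key, names in hits.items():
            lines.append(f"[{key}]")
            lines.extend(f'"{n}"=-' for n in names)
            lines.append("")
    return "\n".join(lines).rstrip() + "\n"
```

Run against the sample, the script reproduces the value-deletion lines of the CFScript above; the File:: section and the [-key] deletions still need a human reading the rest of the log.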