Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan-Dropper.Agent and Rootkit.agent [RESOLVED]

Started by graisbeck , Jan 25 2008 12:19 PM

  • This topic is locked This topic is locked

#16
graisbeck
Posted 29 January 2008 - 02:36 PM

graisbeck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hi Tigger93, heres the two logs you requested with protection and internet disabled.

Thanks again.



ComboFix 08-01-29.3 - Gary 2008-01-29 20:17:37.5 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2132 [GMT 0:00]
Running from: C:\Users\Gary\Desktop\ComboFix.exe
Command switches used :: /KillAll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-27 14:41 . 2008-01-27 14:41 <DIR> d-------- C:\ProgramData\Apple Computer
2008-01-27 14:41 . 2008-01-27 14:41 <DIR> d-------- C:\Program Files\QuickTime
2008-01-27 14:36 . 2008-01-27 14:36 <DIR> d-------- C:\ProgramData\Apple
2008-01-27 14:36 . 2008-01-27 14:36 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-26 16:17 . 2008-01-27 16:38 167,545 --a------ C:\Windows\System32\drivers\core.cache.dsk
2008-01-25 18:12 . 2008-01-25 18:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 20:13 . 2008-01-23 20:18 <DIR> d-------- C:\N360_BACKUP
2008-01-22 21:48 . 2008-01-22 21:48 <DIR> d-------- C:\ProgramData\WLInstaller
2008-01-22 21:48 . 2008-01-22 21:56 <DIR> d-------- C:\Program Files\Windows Live
2008-01-22 21:48 . 2008-01-22 21:56 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-22 20:47 . 2008-01-22 20:47 <DIR> d-------- C:\ProgramData\Grisoft
2008-01-22 17:32 . 2008-01-22 17:32 <DIR> d-------- C:\Users\Gary\AppData\Roaming\PC Tools
2008-01-22 17:32 . 2008-01-29 18:06 <DIR> d-a------ C:\ProgramData\TEMP
2008-01-22 17:32 . 2008-01-26 08:33 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-22 17:32 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-01-22 17:32 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-01-22 17:32 . 2007-12-10 14:53 41,864 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-01-22 17:32 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-01-22 17:20 . 2008-01-22 17:20 86,144 --a------ C:\Windows\System32\drivers\fsrrecc.sys
2008-01-20 16:11 . 2008-01-20 16:11 <DIR> d-------- C:\Users\Gary\AppData\Roaming\PixelMetrics
2008-01-20 16:10 . 2008-01-20 16:10 <DIR> d-------- C:\Program Files\CaptureWiz
2008-01-20 16:10 . 2007-12-21 16:10 82 --a------ C:\ProgramData\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2008-01-16 18:39 . 2008-01-17 18:10 <DIR> d-------- C:\Program Files\Google
2008-01-16 18:34 . 2007-09-24 23:31 69,632 --a------ C:\Windows\System32\javacpl.cpl
2008-01-16 18:33 . 2008-01-16 18:34 <DIR> d-------- C:\Program Files\Java
2008-01-16 18:26 . 2008-01-16 18:26 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-13 14:58 . 2008-01-13 14:58 <DIR> d-------- C:\Users\Gary\AppData\Roaming\CyberLink
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-01-08 22:49 . 2008-01-08 22:49 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-08 22:49 . 2008-01-08 22:49 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-08 22:49 . 2008-01-08 22:49 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-08 22:49 . 2008-01-08 22:49 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-08 22:49 . 2008-01-08 22:49 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-08 22:47 . 2008-01-08 22:47 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-08 22:47 . 2008-01-08 22:47 1,686,016 --a------ C:\Windows\System32\gameux.dll
2008-01-08 22:47 . 2008-01-08 22:47 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-01-08 22:47 . 2008-01-08 22:47 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-01-08 22:47 . 2008-01-08 22:47 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-01-08 22:47 . 2008-01-08 22:47 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-01-08 22:47 . 2008-01-08 22:47 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-01-08 22:47 . 2008-01-08 22:47 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-01-08 22:47 . 2008-01-08 22:47 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-01-08 22:47 . 2008-01-08 22:47 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-01-07 13:01 . 2008-01-07 13:01 <DIR> d-------- C:\Program Files\Bonjour
2008-01-07 12:08 . 2008-01-07 12:08 <DIR> d-------- C:\Program Files\PowerISO
2008-01-07 11:26 . 2003-06-18 17:31 17,920 --a------ C:\Windows\System32\mdimon.dll
2008-01-07 11:26 . 2008-01-07 11:26 376 --a------ C:\Windows\ODBC.INI
2008-01-07 11:24 . 2008-01-07 11:24 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-07 11:24 . 2008-01-07 11:24 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-01-07 11:23 . 2008-01-07 11:23 <DIR> d-------- C:\Windows\PCHEALTH
2008-01-07 11:23 . 2008-01-07 11:23 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-07 11:23 . 2008-01-07 11:23 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-06 13:18 . 2008-01-06 13:18 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-01-06 13:17 . 2008-01-06 21:35 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-01-03 22:46 . 2008-01-06 13:55 <DIR> d-------- C:\ProgramData\FLEXnet
2008-01-03 22:36 . 2008-01-03 22:36 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-03 22:10 . 2008-01-03 22:10 <DIR> d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2008-01-03 22:10 . 2008-01-03 22:10 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-01-03 18:07 . 2008-01-03 18:07 <DIR> d-------- C:\Downloads
2008-01-03 17:54 . 2008-01-03 18:05 600 --ah----- C:\IPH.PH
2008-01-02 22:42 . 2008-01-02 22:42 <DIR> d-------- C:\Users\Gary\AppData\Roaming\SmartFTP
2008-01-02 22:21 . 2008-01-02 22:21 <DIR> d-------- C:\Program Files\BitComet
2008-01-02 17:48 . 2008-01-02 17:48 <DIR> d-------- C:\Users\Gary\AppData\Roaming\Symantec
2008-01-02 17:35 . 2008-01-02 17:35 <DIR> d-------- C:\Windows\Downloaded Installations
2008-01-02 17:35 . 2008-01-24 22:08 <DIR> d-------- C:\Users\Gary\AppData\Roaming\AOL
2008-01-02 17:35 . 2008-01-02 17:35 <DIR> d-------- C:\ProgramData\Viewpoint
2008-01-02 17:35 . 2008-01-02 17:35 <DIR> d-------- C:\Program Files\Viewpoint
2008-01-02 17:35 . 2008-01-02 17:35 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2008-01-02 17:34 . 2006-11-01 20:18 33,588 --a------ C:\Windows\System32\drivers\wanatw4.sys
2008-01-02 17:33 . 2008-01-02 17:38 <DIR> d-------- C:\ProgramData\AOL
2008-01-02 17:33 . 2008-01-02 17:35 <DIR> d-------- C:\Program Files\Common Files\aolshare
2008-01-02 17:33 . 2008-01-02 17:35 <DIR> d-------- C:\Program Files\Common Files\aol
2008-01-02 17:33 . 2008-01-02 17:36 <DIR> d-------- C:\Program Files\AOL 9.0 VR
2008-01-02 17:33 . 2008-01-02 17:33 335 --a------ C:\Windows\nsreg.dat
2008-01-02 17:19 . 2008-01-02 17:19 <DIR> d-------- C:\ProgramData\AOL Downloads
2008-01-02 17:06 . 2007-05-29 13:55 22,112 --a------ C:\Windows\System32\drivers\COH_Mon.sys
2008-01-02 17:06 . 2007-05-29 13:55 10,592 --a------ C:\Windows\System32\drivers\COH_Mon.cat
2008-01-02 17:06 . 2007-05-29 13:55 705 --a------ C:\Windows\System32\drivers\COH_Mon.inf
2008-01-01 22:11 . 2008-01-01 22:11 <DIR> d-------- C:\perflogs
2008-01-01 21:53 . 2007-07-17 12:21 186,256 --a------ C:\Windows\System32\SymNPPWA.dll
2008-01-01 19:03 . 2008-01-01 19:03 16 --a------ C:\Windows\System32\coh.cache
2008-01-01 18:55 . 2008-01-01 18:55 8,147,968 --a------ C:\Windows\System32\wmploc.DLL
2008-01-01 18:55 . 2008-01-01 18:55 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll
2008-01-01 18:55 . 2008-01-01 18:55 7,680 --a------ C:\Windows\System32\spwmp.dll
2008-01-01 18:55 . 2008-01-01 18:55 4,096 --a------ C:\Windows\System32\msdxm.ocx
2008-01-01 18:55 . 2008-01-01 18:55 4,096 --a------ C:\Windows\System32\dxmasf.dll
2008-01-01 18:54 . 2008-01-01 18:54 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-01-01 18:54 . 2008-01-01 18:54 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-01-01 18:54 . 2008-01-01 18:54 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-01-01 18:54 . 2008-01-01 18:54 2,048 --a------ C:\Windows\System32\asferror.dll
2008-01-01 18:53 . 2008-01-01 18:53 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-01-01 18:52 . 2008-01-23 17:56 <DIR> d-------- C:\Program Files\Norton 360
2008-01-01 18:50 . 2008-01-16 22:22 <DIR> d-------- C:\ProgramData\Symantec
2008-01-01 18:50 . 2008-01-01 21:52 <DIR> d-------- C:\Program Files\Symantec
2008-01-01 18:50 . 2008-01-01 18:50 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-01-01 18:50 . 2008-01-01 18:50 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-01-01 18:50 . 2008-01-01 18:50 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-01-01 18:50 . 2008-01-01 18:50 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-01-01 18:49 . 2008-01-10 18:05 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 20:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-13 14:58 --------- d-----w C:\ProgramData\CyberLink
2008-01-09 17:25 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-09 17:25 --------- d-----w C:\Program Files\Windows Mail
2008-01-08 22:47 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-08 22:47 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-08 22:47 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-08 22:47 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-01 21:52 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-01-01 21:52 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-01-01 21:52 10,740 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-01-01 21:43 174 --sha-w C:\Program Files\desktop.ini
2008-01-01 19:32 --------- d-----w C:\Program Files\Windows Calendar
2008-01-01 18:57 8,192 ----a-w C:\Windows\System32\riched32.dll
2008-01-01 18:57 77,824 ----a-w C:\Windows\System32\rascfg.dll
2008-01-01 18:57 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-01-01 18:57 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2008-01-01 18:57 694,784 ----a-w C:\Windows\System32\localspl.dll
2008-01-01 18:57 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-01-01 18:57 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2008-01-01 18:57 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2008-01-01 18:57 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-01-01 18:57 52,736 ----a-w C:\Windows\System32\rasdiag.dll
2008-01-01 18:57 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-01-01 18:57 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2008-01-01 18:57 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-01-01 18:57 384,000 ----a-w C:\Windows\System32\netcfgx.dll
2008-01-01 18:57 36,864 ----a-w C:\Windows\System32\cdd.dll
2008-01-01 18:57 33,280 ----a-w C:\Windows\System32\traffic.dll
2008-01-01 18:57 32,768 ----a-w C:\Windows\System32\rasmxs.dll
2008-01-01 18:57 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-01-01 18:57 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-01-01 18:57 286,208 ----a-w C:\Windows\System32\ipnathlp.dll
2008-01-01 18:57 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-01-01 18:57 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-01-01 18:57 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-01-01 18:57 22,016 ----a-w C:\Windows\System32\rasser.dll
2008-01-01 18:57 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-01-01 18:57 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2008-01-01 18:57 2,923,520 ----a-w C:\Windows\explorer.exe
2008-01-01 18:57 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-01-01 18:57 15,360 ----a-w C:\Windows\System32\pacerprf.dll
2008-01-01 18:57 134,656 ----a-w C:\Windows\System32\dps.dll
2008-01-01 18:57 13,824 ----a-w C:\Windows\System32\wshqos.dll
2008-01-01 18:57 13,824 ----a-w C:\Windows\System32\icsunattend.exe
2008-01-01 18:52 88,576 ----a-w C:\Windows\System32\avifil32.dll
2008-01-01 18:52 82,944 ----a-w C:\Windows\System32\mciavi32.dll
2008-01-01 18:52 8,138,240 ----a-w C:\Windows\System32\ssBranded.scr
2008-01-01 18:52 712,192 ----a-w C:\Windows\System32\WindowsCodecs.dll
2008-01-01 18:52 69,632 ----a-w C:\Windows\System32\sendmail.dll
2008-01-01 18:52 65,024 ----a-w C:\Windows\System32\avicap32.dll
2008-01-01 18:52 61,440 ----a-w C:\Windows\System32\ntprint.exe
2008-01-01 18:52 31,232 ----a-w C:\Windows\System32\msvidc32.dll
2008-01-01 18:52 269,824 ----a-w C:\Windows\System32\schannel.dll
2008-01-01 18:52 220,160 ----a-w C:\Windows\System32\ntprint.dll
2008-01-01 18:52 123,904 ----a-w C:\Windows\System32\msvfw32.dll
2008-01-01 18:52 120,320 ----a-w C:\Windows\System32\dhcpcsvc6.dll
2008-01-01 18:52 12,800 ----a-w C:\Windows\System32\msrle32.dll
2008-01-01 18:52 10,240 ----a-w C:\Windows\System32\dhcpcmonitor.dll
2008-01-01 18:52 1,984,512 ----a-w C:\Windows\System32\authui.dll
2008-01-01 18:51 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-01-01 18:51 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-01-01 18:51 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-01-01 18:51 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-01-01 18:51 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-01-01 18:51 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-11-30 23:57 43,696 ----a-w C:\Windows\system32\drivers\srtspx.sys
2007-11-30 23:57 317,616 ----a-w C:\Windows\system32\drivers\srtspl.sys
2007-11-30 23:57 279,088 ----a-w C:\Windows\system32\drivers\srtsp.sys
2007-11-30 23:57 10,549 ----a-w C:\Windows\system32\drivers\srtspx.cat
2007-11-30 23:57 10,549 ----a-w C:\Windows\system32\drivers\srtspl.cat
2007-11-30 23:57 10,545 ----a-w C:\Windows\system32\drivers\srtsp.cat
2007-11-30 23:57 1,430 ----a-w C:\Windows\system32\drivers\srtspl.inf
2007-11-30 23:57 1,421 ----a-w C:\Windows\system32\drivers\srtspx.inf
2007-11-30 23:57 1,415 ----a-w C:\Windows\system32\drivers\srtsp.inf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-08 22:47 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 12:35 125440]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-16 18:42 171448]

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080122.002\IDSvix86.sys [2007-12-04 18:05]
R3 HCW713x;Hauppauge 713x VU PCI TV Card;C:\Windows\system32\DRIVERS\HCW713x.sys [2007-09-19 09:52]
R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr61.sys [2007-09-19 09:53]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 14:32]
S3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 07:30]
S3 Ph3xIB32;Philips 713x VU PCI TV Card;C:\Windows\system32\DRIVERS\Ph3xIB32.sys [2006-11-02 08:27]
S3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 07:30]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 18:16:30 C:\Windows\Tasks\At1.job"
- C:\ComboFix\kmd.exe
"2008-01-29 20:19:42 C:\Windows\Tasks\At2.job"
- C:\ComboFix\kmd.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 20:20:04
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
.
**************************************************************************
.
Completion time: 2008-01-29 20:21:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 20:21:53
ComboFix2.txt 2008-01-29 20:06:02
ComboFix3.txt 2008-01-28 21:24:10
ComboFix4.txt 2008-01-27 20:02:24
.
2008-01-25 17:22:31 --- E O F ---








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:25:01, on 29/01/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Users\Gary\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5922 bytes
  • 0

Advertisements

#17
graisbeck
Posted 30 January 2008 - 06:36 AM

graisbeck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hi again, I should of mentioned that the link you supplied for combofix at sUBs was dead, so I installed it from a previous link.
  • 0

#18
Tigger93
Posted 31 January 2008 - 09:00 PM

Tigger93

    Trusted Helper

  • Retired Staff
  • 1,870 posts
Sorry for the delay, been very sick. :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Windows\System32\drivers\fsrrecc.sys
C:\Windows\System32\drivers\core.cache.dsk



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#19
graisbeck
Posted 01 February 2008 - 11:58 AM

graisbeck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Sorry to hear you've not been well. Thanks again for your help :)




ComboFix 08-02.01.6 - Gary 2008-02-01 17:40:01.6 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2096 [GMT 0:00]
Running from: C:\Users\Gary\Desktop\ComboFix.exe
Command switches used :: C:\Users\Gary\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Windows\System32\drivers\core.cache.dsk
C:\Windows\System32\drivers\fsrrecc.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\drivers\core.cache.dsk
C:\Windows\System32\drivers\fsrrecc.sys
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Windows\System32\drivers\core.cache.dsk
C:\Windows\System32\drivers\fsrrecc.sys

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
hxxp://au.download.windowsupdate.com

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-30 23:29 . 2008-02-01 06:16 91,700 --a------ C:\Windows\System32\drivers\klin.dat
2008-01-30 23:29 . 2008-01-30 23:35 85,860 --a------ C:\Windows\System32\drivers\klick.dat
2008-01-30 23:28 . 2008-02-01 17:44 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-01-30 23:28 . 2008-01-30 23:28 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-30 23:28 . 2008-02-01 17:44 2,542,880 --ahs---- C:\Windows\System32\drivers\fidbox.dat
2008-01-30 23:28 . 2008-02-01 17:42 37,220 --ahs---- C:\Windows\System32\drivers\fidbox.idx
2008-01-30 21:30 . 2008-01-30 21:30 <DIR> d-------- C:\Users\Gary\AppData\Roaming\Thunderbird
2008-01-30 21:30 . 2008-01-30 21:30 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-01-27 14:41 . 2008-01-27 14:41 <DIR> d-------- C:\ProgramData\Apple Computer
2008-01-27 14:41 . 2008-01-27 14:41 <DIR> d-------- C:\Program Files\QuickTime
2008-01-27 14:36 . 2008-01-27 14:36 <DIR> d-------- C:\ProgramData\Apple
2008-01-27 14:36 . 2008-01-27 14:36 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-25 18:12 . 2008-01-25 18:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 20:13 . 2008-01-23 20:18 <DIR> d-------- C:\N360_BACKUP
2008-01-22 21:48 . 2008-01-22 21:48 <DIR> d-------- C:\ProgramData\WLInstaller
2008-01-22 21:48 . 2008-01-22 21:56 <DIR> d-------- C:\Program Files\Windows Live
2008-01-22 21:48 . 2008-01-22 21:56 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-22 20:47 . 2008-01-22 20:47 <DIR> d-------- C:\ProgramData\Grisoft
2008-01-22 17:32 . 2008-01-22 17:32 <DIR> d-------- C:\Users\Gary\AppData\Roaming\PC Tools
2008-01-22 17:32 . 2008-01-29 21:38 <DIR> d-a------ C:\ProgramData\TEMP
2008-01-22 17:32 . 2008-01-26 08:33 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-22 17:32 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-01-22 17:32 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-01-22 17:32 . 2007-12-10 14:53 41,864 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-01-22 17:32 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-01-20 16:11 . 2008-01-20 16:11 <DIR> d-------- C:\Users\Gary\AppData\Roaming\PixelMetrics
2008-01-20 16:10 . 2008-01-20 16:10 <DIR> d-------- C:\Program Files\CaptureWiz
2008-01-20 16:10 . 2007-12-21 16:10 82 --a------ C:\ProgramData\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2008-01-16 18:39 . 2008-01-17 18:10 <DIR> d-------- C:\Program Files\Google
2008-01-16 18:34 . 2007-09-24 23:31 69,632 --a------ C:\Windows\System32\javacpl.cpl
2008-01-16 18:33 . 2008-01-16 18:34 <DIR> d-------- C:\Program Files\Java
2008-01-16 18:26 . 2008-01-16 18:26 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-13 14:58 . 2008-01-13 14:58 <DIR> d-------- C:\Users\Gary\AppData\Roaming\CyberLink
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-01-08 22:49 . 2008-01-08 22:49 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-08 22:49 . 2008-01-08 22:49 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-08 22:49 . 2008-01-08 22:49 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-08 22:49 . 2008-01-08 22:49 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-08 22:49 . 2008-01-08 22:49 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-08 22:47 . 2008-01-08 22:47 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-08 22:47 . 2008-01-08 22:47 1,686,016 --a------ C:\Windows\System32\gameux.dll
2008-01-08 22:47 . 2008-01-08 22:47 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-01-08 22:47 . 2008-01-08 22:47 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-01-08 22:47 . 2008-01-08 22:47 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-01-08 22:47 . 2008-01-08 22:47 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-01-08 22:47 . 2008-01-08 22:47 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-01-08 22:47 . 2008-01-08 22:47 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-01-08 22:47 . 2008-01-08 22:47 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-01-08 22:47 . 2008-01-08 22:47 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-01-07 13:01 . 2008-01-07 13:01 <DIR> d-------- C:\Program Files\Bonjour
2008-01-07 12:08 . 2008-01-07 12:08 <DIR> d-------- C:\Program Files\PowerISO
2008-01-07 11:26 . 2007-04-09 13:23 28,040 --a------ C:\Windows\System32\mdimon.dll
2008-01-07 11:26 . 2008-01-07 11:26 376 --a------ C:\Windows\ODBC.INI
2008-01-07 11:24 . 2008-01-07 11:24 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-07 11:24 . 2008-01-07 11:24 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-01-07 11:23 . 2008-01-07 11:23 <DIR> d-------- C:\Windows\PCHEALTH
2008-01-07 11:23 . 2008-01-07 11:23 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-07 11:23 . 2008-01-29 21:25 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-06 13:18 . 2008-01-06 13:18 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-01-06 13:17 . 2008-01-06 21:35 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-01-03 22:46 . 2008-01-06 13:55 <DIR> d-------- C:\ProgramData\FLEXnet
2008-01-03 22:36 . 2008-01-03 22:36 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-03 22:10 . 2008-01-03 22:10 <DIR> d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2008-01-03 22:10 . 2008-01-03 22:10 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-01-03 18:07 . 2008-01-03 18:07 <DIR> d-------- C:\Downloads
2008-01-02 22:42 . 2008-01-02 22:42 <DIR> d-------- C:\Users\Gary\AppData\Roaming\SmartFTP
2008-01-02 22:21 . 2008-01-02 22:21 <DIR> d-------- C:\Program Files\BitComet
2008-01-02 17:48 . 2008-01-02 17:48 <DIR> d-------- C:\Users\Gary\AppData\Roaming\Symantec
2008-01-02 17:35 . 2008-01-02 17:35 <DIR> d-------- C:\Windows\Downloaded Installations
2008-01-02 17:35 . 2008-01-24 22:08 <DIR> d-------- C:\Users\Gary\AppData\Roaming\AOL
2008-01-02 17:35 . 2008-01-02 17:35 <DIR> d-------- C:\ProgramData\Viewpoint
2008-01-02 17:35 . 2008-01-02 17:35 <DIR> d-------- C:\Program Files\Viewpoint
2008-01-02 17:35 . 2008-01-02 17:35 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2008-01-02 17:34 . 2006-11-01 20:18 33,588 --a------ C:\Windows\System32\drivers\wanatw4.sys
2008-01-02 17:33 . 2008-01-02 17:38 <DIR> d-------- C:\ProgramData\AOL
2008-01-02 17:33 . 2008-01-02 17:35 <DIR> d-------- C:\Program Files\Common Files\aolshare
2008-01-02 17:33 . 2008-01-31 23:12 <DIR> d-------- C:\Program Files\Common Files\aol
2008-01-02 17:33 . 2008-01-02 17:36 <DIR> d-------- C:\Program Files\AOL 9.0 VR
2008-01-02 17:33 . 2008-01-02 17:33 335 --a------ C:\Windows\nsreg.dat
2008-01-02 17:19 . 2008-01-02 17:19 <DIR> d-------- C:\ProgramData\AOL Downloads
2008-01-01 22:11 . 2008-01-01 22:11 <DIR> d-------- C:\perflogs
2008-01-01 18:55 . 2008-01-01 18:55 8,147,968 --a------ C:\Windows\System32\wmploc.DLL
2008-01-01 18:55 . 2008-01-01 18:55 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll
2008-01-01 18:55 . 2008-01-01 18:55 7,680 --a------ C:\Windows\System32\spwmp.dll
2008-01-01 18:55 . 2008-01-01 18:55 4,096 --a------ C:\Windows\System32\msdxm.ocx
2008-01-01 18:55 . 2008-01-01 18:55 4,096 --a------ C:\Windows\System32\dxmasf.dll
2008-01-01 18:54 . 2008-01-01 18:54 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-01-01 18:54 . 2008-01-01 18:54 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-01-01 18:54 . 2008-01-01 18:54 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-01-01 18:54 . 2008-01-01 18:54 2,048 --a------ C:\Windows\System32\asferror.dll
2008-01-01 18:53 . 2008-01-01 18:53 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-01-01 18:52 . 2008-01-30 23:21 <DIR> d-------- C:\Program Files\Norton 360
2008-01-01 18:50 . 2008-01-30 23:25 <DIR> d-------- C:\ProgramData\Symantec
2008-01-01 18:50 . 2008-01-01 18:50 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-01-01 18:50 . 2008-01-01 18:50 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-01-01 18:50 . 2008-01-01 18:50 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-01-01 18:50 . 2008-01-01 18:50 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-01-01 18:49 . 2008-01-30 23:25 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-01 18:49 . 2008-01-01 18:49 3,504,824 --a------ C:\Windows\System32\ntkrnlpa.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 20:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-13 14:58 --------- d-----w C:\ProgramData\CyberLink
2008-01-09 17:25 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-09 17:25 --------- d-----w C:\Program Files\Windows Mail
2008-01-08 22:47 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-08 22:47 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-08 22:47 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-08 22:47 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-01 21:43 174 --sha-w C:\Program Files\desktop.ini
2008-01-01 19:32 --------- d-----w C:\Program Files\Windows Calendar
2008-01-01 18:57 8,192 ----a-w C:\Windows\System32\riched32.dll
2008-01-01 18:57 77,824 ----a-w C:\Windows\System32\rascfg.dll
2008-01-01 18:57 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-01-01 18:57 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2008-01-01 18:57 694,784 ----a-w C:\Windows\System32\localspl.dll
2008-01-01 18:57 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-01-01 18:57 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2008-01-01 18:57 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2008-01-01 18:57 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-01-01 18:57 52,736 ----a-w C:\Windows\System32\rasdiag.dll
2008-01-01 18:57 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-01-01 18:57 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2008-01-01 18:57 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-01-01 18:57 384,000 ----a-w C:\Windows\System32\netcfgx.dll
2008-01-01 18:57 36,864 ----a-w C:\Windows\System32\cdd.dll
2008-01-01 18:57 33,280 ----a-w C:\Windows\System32\traffic.dll
2008-01-01 18:57 32,768 ----a-w C:\Windows\System32\rasmxs.dll
2008-01-01 18:57 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-01-01 18:57 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-01-01 18:57 286,208 ----a-w C:\Windows\System32\ipnathlp.dll
2008-01-01 18:57 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-01-01 18:57 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-01-01 18:57 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-01-01 18:57 22,016 ----a-w C:\Windows\System32\rasser.dll
2008-01-01 18:57 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-01-01 18:57 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2008-01-01 18:57 2,923,520 ----a-w C:\Windows\explorer.exe
2008-01-01 18:57 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-01-01 18:57 15,360 ----a-w C:\Windows\System32\pacerprf.dll
2008-01-01 18:57 134,656 ----a-w C:\Windows\System32\dps.dll
2008-01-01 18:57 13,824 ----a-w C:\Windows\System32\wshqos.dll
2008-01-01 18:57 13,824 ----a-w C:\Windows\System32\icsunattend.exe
2008-01-01 18:52 88,576 ----a-w C:\Windows\System32\avifil32.dll
2008-01-01 18:52 82,944 ----a-w C:\Windows\System32\mciavi32.dll
2008-01-01 18:52 8,138,240 ----a-w C:\Windows\System32\ssBranded.scr
2008-01-01 18:52 712,192 ----a-w C:\Windows\System32\WindowsCodecs.dll
2008-01-01 18:52 69,632 ----a-w C:\Windows\System32\sendmail.dll
2008-01-01 18:52 65,024 ----a-w C:\Windows\System32\avicap32.dll
2008-01-01 18:52 61,440 ----a-w C:\Windows\System32\ntprint.exe
2008-01-01 18:52 31,232 ----a-w C:\Windows\System32\msvidc32.dll
2008-01-01 18:52 269,824 ----a-w C:\Windows\System32\schannel.dll
2008-01-01 18:52 220,160 ----a-w C:\Windows\System32\ntprint.dll
2008-01-01 18:52 123,904 ----a-w C:\Windows\System32\msvfw32.dll
2008-01-01 18:52 120,320 ----a-w C:\Windows\System32\dhcpcsvc6.dll
2008-01-01 18:52 12,800 ----a-w C:\Windows\System32\msrle32.dll
2008-01-01 18:52 10,240 ----a-w C:\Windows\System32\dhcpcmonitor.dll
2008-01-01 18:52 1,984,512 ----a-w C:\Windows\System32\authui.dll
2008-01-01 18:51 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-01-01 18:51 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-01-01 18:51 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-01-01 18:51 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-01-01 18:51 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-01-01 18:51 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-07 15:30 103,776 ----a-w C:\Windows\System32\AOLDial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-08 22:47 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 12:35 125440]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-16 18:42 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51 218376]
"HostManager"="C:\Program Files\Common Files\AOL\1199295236\ee\AOLSoftware.exe" [2006-11-14 14:01 50736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 14:59]
R3 moufiltr;Mouse Filter;C:\Windows\system32\DRIVERS\moufiltr.sys [2007-01-09 09:22]
R3 Ph3xIB32;Philips 713x VU PCI TV Card;C:\Windows\system32\DRIVERS\Ph3xIB32.sys [2007-04-03 10:43]
R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr61.sys [2007-09-28 13:37]
S3 HCW713x;Hauppauge 713x VU PCI TV Card;C:\Windows\system32\DRIVERS\HCW713x.sys [2007-09-19 09:52]
S3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 07:30]
S3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 07:30]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 18:16:30 C:\Windows\Tasks\At1.job"
- C:\ComboFix\kmd.exe
"2008-01-29 20:19:42 C:\Windows\Tasks\At2.job"
- C:\ComboFix\kmd.exe
"2008-02-01 17:43:41 C:\Windows\Tasks\At3.job"
- C:\ComboFix\kmd.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 17:44:24
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\aol\1199295236\ee\aolsoftware.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
.
**************************************************************************
.
Completion time: 2008-02-01 17:47:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 17:47:16
ComboFix2.txt 2008-01-29 20:06:02
ComboFix3.txt 2008-01-28 21:24:10
ComboFix4.txt 2008-01-27 20:02:24
.
2008-01-30 20:01:49 --- E O F ---








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:52:57, on 01/02/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\aol\1199295236\ee\aolsoftware.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Gary\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1199295236\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5847 bytes
  • 0

#20
Tigger93
Posted 01 February 2008 - 02:11 PM

Tigger93

    Trusted Helper

  • Retired Staff
  • 1,870 posts
Looks like we go it. :)

Still having any problems?
  • 0

#21
graisbeck
Posted 01 February 2008 - 05:01 PM

graisbeck

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
No problems at all Tigger93, thanks again for all your help, it's much appreciated. :)

Gary
  • 0

#22
Tigger93
Posted 11 February 2008 - 05:10 PM

Tigger93

    Trusted Helper

  • Retired Staff
  • 1,870 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP