Please Help!! Downloader.Delf.AST [CLOSED]
#1
Posted 11 February 2008 - 12:35 PM
Please Help!!
#2
Posted 11 February 2008 - 02:52 PM
Download ComboFix from one of the locations below, and save it to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
#3
Posted 11 February 2008 - 04:23 PM
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.470 [GMT -5:00]
Running from: C:\Documents and Settings\ac0bb\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\ac0bb\g2mdlhlpx.exe
C:\WINDOWS\Downloaded Program Files\Temp
C:\WINDOWS\system32\comdlg32d.dll
C:\WINDOWS\system32\dmocxt.dll
C:\WINDOWS\system32\drivers\jnisnsfb.dat
C:\WINDOWS\Tasks.\At1.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_IPRIP
-------\LEGACY_JCPFMPLZ
-------\LEGACY_OZMBIQRE
-------\Iprip
-------\jcpfmplz
-------\nm
-------\ozmbiqre
((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.
2008-02-09 16:15 . 2004-08-27 11:44 3,467 --a------ C:\WINDOWS\saplogon.ini
2008-02-09 16:15 . 2004-08-27 11:37 184 --a------ C:\WINDOWS\SAPMSG.ini
2008-02-09 16:09 . 2008-02-09 16:09 <DIR> d-------- C:\Program Files\Common Files\ESRI
2008-02-09 16:09 . 2005-09-23 09:55 1,146,880 --a------ C:\WINDOWS\system32\wdba.dll
2008-02-09 16:09 . 2003-10-21 21:47 56,832 --a------ C:\WINDOWS\system32\grfcxl32.dll
2008-02-09 16:09 . 2003-10-21 21:47 34,816 --a------ C:\WINDOWS\system32\grsapx32.dll
2008-02-09 16:06 . 2006-09-12 21:44 352,256 --a------ C:\WINDOWS\system32\sapfcpl.cpl
2008-02-09 16:06 . 2005-03-03 12:56 229,376 --a------ C:\WINDOWS\system32\wdpdxl50.olb
2008-02-09 16:06 . 1998-06-26 20:22 68,640 --a------ C:\WINDOWS\system32\Gauge32.OCX
2008-02-09 16:06 . 2005-03-03 12:56 31,060 --a------ C:\WINDOWS\system32\wdpdvba.olb
2008-02-09 16:05 . 2008-02-09 16:05 <DIR> d-------- C:\Program Files\SAP
2008-02-09 16:05 . 2008-02-09 16:14 <DIR> d-------- C:\Program Files\Common Files\SAP Shared
2008-02-09 16:04 . 2008-02-09 16:10 <DIR> d--h----- C:\WINDOWS\SAPwksta
2008-02-09 15:42 . 2008-02-09 15:42 <DIR> d-------- C:\Program Files\Common Files\Sage
2008-02-09 15:42 . 2008-02-09 15:42 <DIR> d-------- C:\Program Files\Business Objects
2008-02-09 15:42 . 2008-02-09 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sage
2008-02-09 12:31 . 2008-02-09 12:29 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-09 12:31 . 2008-02-09 12:31 3,449 --a------ C:\WINDOWS\unins000.dat
2008-02-08 16:38 . 2008-02-08 16:38 99,614,720 --a------ C:\SLX_ac0bb_dat.sxd
2008-02-08 15:26 . 2008-02-08 15:26 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-02-08 15:26 . 2008-02-08 15:26 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-02-08 15:26 . 2008-02-08 15:26 35,072 --a------ C:\WINDOWS\system32\mzyqpkmp.dat
2008-02-08 15:25 . 2008-02-08 15:26 741,632 --a------ C:\WINDOWS\system32\bivfeksr.dat
2008-02-08 15:25 . 2008-02-08 15:25 42,752 --a------ C:\WINDOWS\system32\pukxcmwc.dat
2008-02-08 15:25 . 2008-02-08 15:25 36,608 --a------ C:\WINDOWS\system32\fomxwdms.dat
2008-02-08 11:23 . 2008-02-08 11:40 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-08 11:12 . 2008-02-08 11:12 <DIR> d-------- C:\Documents and Settings\ac0bb\Application Data\AdwareBot
2008-02-02 16:29 . 2008-02-02 16:29 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2008-02-02 15:37 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
2008-02-02 15:37 . 1999-05-07 13:24 414,944 --a------ C:\WINDOWS\system32\COMCT332.OCX
2008-02-02 15:37 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\system32\ssa3d30.ocx
2008-02-02 15:37 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
2008-02-02 15:37 . 1998-09-24 12:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2008-02-02 15:37 . 1998-09-24 12:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2008-02-02 15:22 . 2007-10-30 12:20 360,064 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2008-02-02 15:22 . 2007-10-30 12:20 360,064 --a------ C:\WINDOWS\system32\dllcache\tcpip.sys
2008-01-31 13:17 . 2008-01-31 13:17 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-01-31 10:57 . 2008-01-31 10:57 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-31 10:57 . 2008-01-31 10:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-31 10:57 . 2008-02-12 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-31 10:57 . 2008-02-08 11:55 <DIR> d-------- C:\Documents and Settings\ac0bb\Application Data\AVG7
2008-01-29 00:03 . 2008-02-08 15:25 120,576 --a------ C:\WINDOWS\system32\twqgrbsz.dat
2008-01-28 23:56 . 2008-02-09 22:50 <DIR> d-------- C:\WINDOWS\system32\AppCert
2008-01-15 11:20 . 2001-08-17 22:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-01-15 11:20 . 2001-08-17 22:36 99,328 --a------ C:\WINDOWS\system32\dllcache\srusd.dll
2008-01-15 11:20 . 2001-08-17 22:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-01-15 11:20 . 2001-08-17 22:36 71,680 --a------ C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-01-15 11:20 . 2001-08-17 13:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-01-15 11:20 . 2001-08-17 13:53 6,784 --a------ C:\WINDOWS\system32\dllcache\serscan.sys
2008-01-15 10:31 . 2008-01-15 10:31 <DIR> d-------- C:\Program Files\Linksys Wireless-G Print Server
2008-01-15 10:31 . 2006-10-18 18:32 37,248 --a------ C:\WINDOWS\system32\lknuhub.sys
2008-01-15 10:31 . 2006-10-18 18:32 37,248 --a------ C:\WINDOWS\system32\drivers\lknuhub.sys
2008-01-15 10:31 . 2006-10-18 18:32 11,648 --a------ C:\WINDOWS\system32\lknucmp.sys
2008-01-15 10:31 . 2006-10-18 18:32 11,648 --a------ C:\WINDOWS\system32\drivers\lknucmp.sys
2008-01-15 10:31 . 2006-10-18 18:32 11,136 --a------ C:\WINDOWS\system32\drivers\lknuhst.sys
2008-01-15 10:31 . 2006-10-18 18:35 1,393 --a------ C:\WINDOWS\system32\lknucmp.inf
2008-01-15 10:31 . 2006-10-18 18:36 1,371 --a------ C:\WINDOWS\system32\lknuhub.inf
2008-01-15 10:30 . 2007-02-28 21:58 813 -ra------ C:\setup.iss
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-02-10 21:36 --------- d-----w C:\Program Files\SalesLogix
2008-02-10 15:25 --------- d-----w C:\Program Files\PokerStars
2008-02-09 21:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\SalesLogix
2008-02-09 20:41 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\SalesLogix
2008-02-09 20:37 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\U3
2008-02-09 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-09 17:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-08 03:02 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\MSNGames
2008-02-06 03:33 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\Move Networks
2008-02-02 20:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 05:25 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-31 00:24 --------- d-----w C:\Program Files\Wave Systems Corp
2008-01-31 00:24 --------- d-----w C:\Program Files\Broadcom
2008-01-07 17:01 --------- d-----w C:\Program Files\Skyline
2008-01-07 17:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skyline
2008-01-01 18:34 --------- d-----w C:\Program Files\TabPlayer
2008-01-01 18:07 --------- d-----w C:\Program Files\Guitar Pro 5
2007-12-28 17:25 --------- d-----w C:\Program Files\Google
2007-12-19 20:07 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\ArcSoft
2007-12-19 05:16 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\Lexmark Productivity Studio
2007-12-14 04:16 --------- d-----w C:\Program Files\Wheelock NACEVAC 5
2007-12-13 15:36 --------- d-----w C:\Documents and Settings\ac0bb\Application Data\webex
2007-12-13 15:00 202,827 ----a-w C:\WINDOWS\system32\atasnt40.dll
2007-12-12 06:38 --------- d-----w C:\Program Files\Verizon Wireless
2007-12-12 06:38 --------- d-----w C:\Program Files\Novatel Wireless
2007-12-12 05:49 --------- d-----w C:\Documents and Settings\Chris\Application Data\MSNGames
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Documents and Settings\ac0bb\Desktop\Personal\HijackThis.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 08:08 1347584]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 20:09 842584]
"PSDiagnosticM"="C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2007-02-27 16:29 315392]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 05:00 143360]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2005-06-23 18:27 85696]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-31 13:22 579072]
"ccApp"="-" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-31 10:57 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD LT Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 16:13:54 11000]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-30 14:26:14 24576]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 15:23:32 74308]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"Protected system files1"= avgupsvc.exe
"Protected system files2"= avgamsvr.exe
"Protected system files3"= avgcc.exe
"Protected system files4"= nod32kui.exe
"Protected system files5"= nod32krn.exe
"Protected system files6"= ccSetMgr.exe
"Protected system files7"= ccEvtMgr.exe
"Protected system files8"= DefWatch.exe
"Protected system files9"= SavRoam.exe
"Protected system files10"= Rtvscan.exe
"Protected system files11"= VPTray.exe
"Protected system files12"= ccApp.exe
"Protected system files13"= AluSchedulerSvc.exe
"Protected system files14"= nod32.exe
"Protected system files15"= nod32ra.exe
"Protected system files16"= UpdaterUI.exe
"Protected system files17"= tbmon.exe
"Protected system files18"= Mcshield.exe
"Protected system files19"= SHSTAT.exe
"Protected system files20"= ashMaiSv.exe
"Protected system files21"= ashServ.exe
"Protected system files22"= ashWebSv.exe
"Protected system files23"= aswUpdSv.exe
"Protected system files24"= AVGUARD.exe
"Protected system files25"= AVWUPSRV.exe
"Protected system files26"= avscan.exe
"Protected system files27"= guardgui.exe
"Protected system files28"= VxMon.exe
"Protected system files29"= AVGNT.exe
"Protected system files30"= avgemc.exe
"Protected system files31"= avp.exe
"Protected system files32"= avp.com
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"Protected system files1"= avgupsvc.exe
"Protected system files2"= avgamsvr.exe
"Protected system files3"= avgcc.exe
"Protected system files4"= nod32kui.exe
"Protected system files5"= nod32krn.exe
"Protected system files6"= ccSetMgr.exe
"Protected system files7"= ccEvtMgr.exe
"Protected system files8"= DefWatch.exe
"Protected system files9"= SavRoam.exe
"Protected system files10"= Rtvscan.exe
"Protected system files11"= VPTray.exe
"Protected system files12"= ccApp.exe
"Protected system files13"= AluSchedulerSvc.exe
"Protected system files14"= nod32.exe
"Protected system files15"= nod32ra.exe
"Protected system files16"= UpdaterUI.exe
"Protected system files17"= tbmon.exe
"Protected system files18"= Mcshield.exe
"Protected system files19"= SHSTAT.exe
"Protected system files20"= ashMaiSv.exe
"Protected system files21"= ashServ.exe
"Protected system files22"= ashWebSv.exe
"Protected system files23"= aswUpdSv.exe
"Protected system files24"= AVGUARD.exe
"Protected system files25"= AVWUPSRV.exe
"Protected system files26"= avscan.exe
"Protected system files27"= guardgui.exe
"Protected system files28"= VxMon.exe
"Protected system files29"= AVGNT.exe
"Protected system files30"= avgemc.exe
"Protected system files31"= avp.exe
"Protected system files32"= avp.com
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD LT Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD LT Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD LT Startup Accelerator.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 05:00 110592 C:\WINDOWS\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2004-02-19 06:23 61440 c:\dell\bldbubg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--------- 2004-07-20 09:34 851968 C:\Program Files\Brother\ControlCenter2\brctrcen.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-04-06 14:58 1032192 C:\Program Files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 20:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a------ 2006-06-15 10:07 49152 c:\dell\E-Center\gtb.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-06-30 14:26 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-12-13 16:45 118784 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 16:44 98304 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2004-04-14 14:04 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-31 17:44 271672 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 02:24 20480 C:\Program Files\NetWaiting\netWaiting.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2004-04-14 13:46 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-05-25 09:16 49152 C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 09:22 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll
R2 SalesLogix Server Service;SalesLogix Server;"C:\Program Files\SalesLogix\SLXServer.exe" [2007-07-09 07:20]
R2 SlxSearch;SalesLogix SpeedSearch;"C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe" [2007-07-09 07:20]
R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-01-22 04:00]
R3 lknuhst;Linksys Network USB Host Controller;C:\WINDOWS\system32\DRIVERS\lknuhst.sys [2006-10-18 18:32]
R3 LKNUHUB;Linksys Network USB Root Hub;C:\WINDOWS\system32\DRIVERS\lknuhub.sys [2006-10-18 18:32]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 20:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 04:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 03:28]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;C:\WINDOWS\system32\Drivers\FTD2XX.sys [2004-10-15 16:49]
S3 LKNUCMP;Linksys Network USB Composite Device;C:\WINDOWS\system32\DRIVERS\lknucmp.sys [2006-10-18 18:32]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\drivers\PCASp50.sys []
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 08:00:00 C:\WINDOWS\Tasks\AdwareBot Scheduled Scan.job"
- C:\Program Files\AdwareBot\AdwareBot.exe
- C:\Program Files\AdwareBot
"2008-02-11 20:10:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-12 21:55:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{F4DBB58D-BF78-4C7B-8145-783A3E248B19}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 16:47:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\SalesLogix\SLXLoggingServer.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SalesLogix\SLXSystem.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-02-12 16:56:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-12 21:55:52
.
2008-02-02 21:11:58 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:16, on 2008-02-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\SalesLogix\SLXServer.exe
C:\Program Files\SalesLogix\SLXLoggingServer.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SalesLogix\SLXSystem.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Money Toolbar Add-in\StockDataClient.exe
C:\Program Files\Weather Add-in for Windows Live Toolbar\WeatherDataClient.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] -
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7155250B-24F7-4187-B77C-CA2C9C1BF869}: NameServer = 66.174.95.44 69.78.96.14
O23 - Service: SalesLogix Server (SalesLogix Server Service) - Sage Software, Inc. - C:\Program Files\SalesLogix\SLXServer.exe
O23 - Service: SalesLogix SpeedSearch (SlxSearch) - Sage Software, Inc. - C:\Program Files\SalesLogix\SpeedSearch\Bin\SLXSearchService.exe
--
End of file - 2939 bytes
#4
Posted 11 February 2008 - 05:56 PM
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\mzyqpkmp.dat
C:\WINDOWS\system32\bivfeksr.dat
C:\WINDOWS\system32\pukxcmwc.dat
C:\WINDOWS\system32\fomxwdms.dat
C:\WINDOWS\system32\twqgrbsz.dat
C:\WINDOWS\system32\AppCert\wsil32.dll
E:\LaunchU3.exe
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"=-
Save this as CFScript.txt, in the same location as ComboFix.exe.
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
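The two registry items the CFScript above removes, the AppCertDlls value and the DisallowRun policy that lists security-product executables, are both generic findings worth checking for in any ComboFix log. Added example (not code from the thread, from ComboFix or from HijackThis): a Python parser for a ComboFix-style "Reg Loading Points" section that flags those two conditions; the sample log, the DLL name and the process-name list are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the REGEDIT4-style "Reg Loading Points"
# section of a ComboFix log. The DLL path and blocked names are placeholders,
# not indicators from any real machine.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"Protected system files1"= avgcc.exe
"Protected system files2"= Rtvscan.exe
"Protected system files3"= notepad.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\example32.dll
"""

# Process names of common security products (assumed list). A DisallowRun
# policy naming these is aimed at disabling protection, not at normal admin use.
SECURITY_PROCESSES = {"avgcc.exe", "avgamsvr.exe", "rtvscan.exe", "vptray.exe",
                      "ccapp.exe", "mcshield.exe", "avp.exe", "nod32krn.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" [timestamp size]   or   "name"= value
QUOTED_RE = re.compile(r'^"([^"]*)"\s*=\s*"?([^"\[]*?)"?\s*(?:\[.*\])?$')
# name REG_TYPE value
TYPED_RE = re.compile(r"^(\S+)\s+(REG_\w+)\s+(.+)$")


def parse_reg_section(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group (name, value) pairs under the lower-cased key that precedes them."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            entries.setdefault(current, [])
            continue
        if current is None:
            continue
        m = QUOTED_RE.match(line)
        if m:
            entries[current].append((m.group(1), m.group(2).strip()))
            continue
        m = TYPED_RE.match(line)
        if m:
            entries[current].append((m.group(1), m.group(3).strip()))
    return entries


def find_appcert_dlls(entries: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """DLLs under AppCertDlls are loaded into every process that calls the
    CreateProcess family; on a workstation this key is normally empty."""
    return [value for key, pairs in entries.items()
            if key.endswith(r"\session manager\appcertdlls")
            for _, value in pairs]


def find_blocked_security_tools(entries: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Names under policies\\explorer\\DisallowRun that match known security
    processes: Explorer refuses to launch anything listed there."""
    blocked: List[str] = []
    for key, pairs in entries.items():
        if key.endswith(r"\policies\explorer\disallowrun"):
            blocked.extend(v for _, v in pairs if v.lower() in SECURITY_PROCESSES)
    return blocked


if __name__ == "__main__":
    parsed = parse_reg_section(SAMPLE_LOG)
    print("AppCertDlls:", find_appcert_dlls(parsed))
    print("Blocked security tools:", find_blocked_security_tools(parsed))
```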
#5
Posted 17 February 2008 - 04:30 PM
If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.