Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help Needed with viruses

Started by lafar , Mar 04 2008 07:02 AM

  • Please log in to reply

#1
lafar
Posted 04 March 2008 - 07:02 AM

lafar

    New Member

  • Member
  • Pip
  • 1 posts
Hello,
First of all thank you for taking time and helping me with my problem:)
Few days ago i got infected with mirc/irc flood trojan which got picked up by Trend Micro Internet security Pro 08. I did online scns with
  • kaspersky
  • ewido
  • ca
  • housecall
  • S&D
  • Adaware
Today i did scan with Trend Micro sysclean that picked up pak_generic.001 on my system. Even though all the above apps say that I'm clean now i still thin there is something wrong with my system. For example ,I'm unable to perform windows updates. IE just hangs and will not continue to the updates page.
Please find below logs of Hijacthis and combofix.
I would be greatly appreciated for any help .

Thanks

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:03 PM, on 4/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Easy Synchronization] "C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [VoipCheapCom] "C:\Program Files\VoipCheapCom\VoipCheapCom.exe" -nosplash -minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://citrix.cofcqld.com.au
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193745264187
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204291929734
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/sec...nfo/webscan.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...241/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C2CE95-1E6B-48F6-8F89-D0A4888548E4}: NameServer = 10.1.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: spoolsv.exe - Unknown owner - C:\WINDOWS\system\dcache\data\scan\Service.exe (file missing)
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 10493 bytes

Startup list:

StartupList report, 4/03/2008, 10:42:57 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
Bluetooth.lnk = ?
Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ehTray = C:\WINDOWS\ehome\ehtray.exe
ftutil2 = "rundll32.exe" ftutil2.dll,SetWriteCacheMode
AlwaysReady Power Message APP = ARPWRMSG.EXE
NvCplDaemon = "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = "nwiz.exe" /installquiet /keeploaded /nodetect
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
HPBootOp = "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
RTHDCPL = RTHDCPL.EXE
UfSeAgnt.exe = "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
Kernel and Hardware Abstraction Layer = KHALMNPR.EXE
Easy Synchronization = "C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe"
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
OE = "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
VoipCheapCom = "C:\Program Files\VoipCheapCom\VoipCheapCom.exe" -nosplash -minimized

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll - {22BF413B-C6D2-4d91-82A9-A0F997BA588C}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
TransactionProtector BHO - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449}

--------------------------------------------------

Enumerating Task Scheduler jobs:

MP Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[ewidoOnlineScan Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
CODEBASE = http://downloads.ewi...oOnlineScan.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab

[{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}]
CODEBASE = http://www.eset.eu/b...lineScanner.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.mi...b?1193745264187

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://www.update.mi...b?1204291929734

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://ca.com/us/sec...nfo/webscan.cab

[a-squared Scanner]
InProcServer32 = C:\WINDOWS\DOWNLO~1\asquared.ocx
CODEBASE = http://ax.emsisoft.com/asquared.cab

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcaf...241/mcfscan.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 6,521 bytes
Report generated in 0.078 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Combofix

ComboFix 08-03-04.2 - HP_Administrator 2008-03-04 22:30:59.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1152 [GMT 10:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Cache
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_OULTRAF
-------\oUltraf


((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-03 20:14 . 2008-03-03 20:14 164 --a------ C:\install.dat
2008-03-03 15:42 . 2008-03-03 15:42 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-03-03 12:29 . 2008-03-03 12:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-03 08:39 . 2008-03-03 08:39 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-03 08:38 . 2008-03-03 16:04 7,036 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-02 10:49 . 2008-03-02 10:49 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-01 23:34 . 2008-03-01 23:34 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-03-01 23:33 . 2008-03-01 23:33 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\InstallShield
2008-03-01 23:33 . 2007-09-21 03:00 53,248 --a------ C:\WINDOWS\system32\LBTCoIns.DLL
2008-03-01 17:55 . 2008-03-01 17:55 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Bluetooth Software
2008-03-01 17:50 . 2008-03-01 17:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Logitech
2008-03-01 17:50 . 2008-03-01 17:53 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Logitech
2008-03-01 17:50 . 2005-10-05 12:00 47,104 --a------ C:\WINDOWS\system32\drivers\vserial.sys
2008-03-01 17:50 . 2005-10-05 12:00 18,167 --a------ C:\WINDOWS\system32\drivers\vsb.sys
2008-03-01 17:49 . 2007-11-15 10:06 301,656 --a------ C:\WINDOWS\system32\BtCoreIf.dll
2008-03-01 17:49 . 2007-11-15 10:07 170,512 --a------ C:\WINDOWS\system32\kemutb.dll
2008-03-01 17:49 . 2007-11-15 10:07 141,840 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-03-01 17:49 . 2007-11-15 10:07 117,264 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-03-01 17:49 . 2007-11-15 10:07 76,304 --a------ C:\WINDOWS\system32\KemXML.dll
2008-03-01 17:49 . 2007-09-21 03:10 55,824 --a------ C:\WINDOWS\KHALMNPR.Exe
2008-03-01 17:49 . 2007-09-21 03:10 36,240 --a------ C:\WINDOWS\system32\drivers\LMouFilt.Sys
2008-03-01 17:49 . 2007-09-21 03:10 35,088 --a------ C:\WINDOWS\system32\drivers\LHidFilt.Sys
2008-03-01 17:49 . 2006-12-22 16:50 27,536 --a------ C:\WINDOWS\system32\drivers\frmupgr.sys
2008-03-01 17:49 . 2008-03-01 17:49 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-03-01 17:46 . 2008-03-01 17:46 <DIR> d-------- C:\Program Files\WIDCOMM
2008-03-01 17:46 . 2006-12-05 07:33 863,402 --a------ C:\WINDOWS\system32\drivers\btkrnl.sys
2008-03-01 17:46 . 2006-12-05 07:33 329,901 --a------ C:\WINDOWS\system32\drivers\btaudio.sys
2008-03-01 17:46 . 2006-12-05 07:33 106,557 --a------ C:\WINDOWS\system32\btw_ci.dll
2008-03-01 17:46 . 2006-12-05 07:33 67,672 --a------ C:\WINDOWS\system32\drivers\btwusb.sys
2008-03-01 17:46 . 2006-12-05 07:33 47,907 --a------ C:\WINDOWS\system32\drivers\btwhid.sys
2008-03-01 17:46 . 2006-12-05 07:33 30,459 --a------ C:\WINDOWS\system32\drivers\btport.sys
2008-03-01 16:57 . 2008-03-01 16:57 <DIR> d-------- C:\WINDOWS\kdefense
2008-03-01 16:57 . 2008-03-01 16:57 849,920 --a------ C:\WINDOWS\system32\kdfinj.dll
2008-03-01 16:57 . 2008-03-03 15:35 726,568 --a------ C:\WINDOWS\system32\kdfmgr.exe
2008-03-01 16:57 . 2008-03-03 15:35 192,512 --a------ C:\WINDOWS\system32\kdfvmgr.exe
2008-03-01 16:57 . 2008-03-03 15:35 77,824 --a------ C:\WINDOWS\system32\kdfapi.dll
2008-03-01 16:57 . 2008-03-03 15:35 53,248 --a------ C:\WINDOWS\system32\Kdfhok.dll
2008-03-01 14:57 . 2008-03-01 14:57 <DIR> d-------- C:\WINDOWS\LocalSSL
2008-03-01 14:56 . 2008-03-01 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-03-01 14:56 . 2007-12-24 17:37 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-03-01 14:56 . 2007-12-24 17:37 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-03-01 14:54 . 2008-03-02 23:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 10:57 . 2008-03-01 14:37 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\HouseCall 6.6
2008-03-01 00:17 . 2008-03-01 00:17 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-02-29 18:00 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-29 07:46 . 2006-06-15 23:45 514 --a------ C:\WINDOWS\password.reg
2008-02-29 07:46 . 2006-06-15 23:46 334 --a------ C:\WINDOWS\make.bat
2008-02-29 07:45 . 2008-03-01 02:08 <DIR> d-------- C:\WINDOWS\system32\cam
2008-02-26 19:15 . 2008-02-26 19:23 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\VoipCheapCom
2008-02-26 19:11 . 2008-03-03 19:12 <DIR> d-------- C:\Program Files\VoipCheapCom
2008-02-07 17:39 . 2008-02-07 17:39 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Windows Desktop Search
2008-02-07 17:38 . 2008-02-07 17:38 <DIR> d-------- C:\Program Files\Windows Desktop Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 07:06 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-03-04 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-03-04 07:05 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-03-03 05:44 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-03 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-03 02:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-02 13:28 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-03-02 12:36 --------- d-----w C:\Program Files\DivX
2008-03-02 11:21 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\skypePM
2008-03-02 08:34 --------- d-----w C:\Program Files\Oberon Media
2008-03-01 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-01 13:34 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-03-01 13:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 13:33 --------- d-----w C:\Program Files\Common Files\Logitech
2008-03-01 09:39 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\uTorrent
2008-03-01 07:50 --------- d-----w C:\Program Files\Logitech
2008-03-01 07:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-01 04:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
2008-02-07 07:34 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\VMware
2008-02-04 11:51 --------- d-----w C:\Program Files\Citrix
2008-02-03 08:10 --------- d-----w C:\Program Files\VMware
2008-02-03 08:10 --------- d-----w C:\Program Files\Common Files\VMware
2008-02-02 09:10 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\IE7Pro
2007-12-15 10:48 90,112 ----a-w C:\WINDOWS\DUMPbb12.tmp
2007-11-24 11:35 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-11-20 06:55 447 ----a-w C:\Documents and Settings\HP_Administrator\reset.cmd
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-18 12:30 488712]
"VoipCheapCom"="C:\Program Files\VoipCheapCom\VoipCheapCom.exe" [2007-02-20 14:23 7202360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 19:56 64512]
"ftutil2"="rundll32.exe" [2004-08-10 14:00 33280 C:\WINDOWS\system32\rundll32.exe]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 22:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 14:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-08-28 01:59 1626112 C:\WINDOWS\system32\nwiz.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 21:14 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-10 10:29 249856]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 03:57 16855552 C:\WINDOWS\RTHDCPL.EXE]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-01-21 12:16 1393928]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"Easy Synchronization"="C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 12:00 53248]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-02-02 08:56:55 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bitmeter2.lnk - C:\Program Files\Codebox\BitMeter\BitMeter2.exe [2007-09-30 18:52:10 1392640]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 22:37:20 561213]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-01 23:33:54 784912]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll [2005-10-05 12:00 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\VoipCheapCom\\VoipCheapCom.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 spoolsv.exe;spoolsv.exe;C:\WINDOWS\system\dcache\data\scan\Service.exe []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-04 07:16:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 22:35:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
.
**************************************************************************
.
Completion time: 2008-03-04 22:36:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 12:36:46
.
2008-03-03 05:20:32 --- E O F ---
  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP