Bagle Worm, can't access Antivirus/HijackThis! Please help [RESOLVED]



#31 RatHat (Ex Malware Expert, 7,829 posts)

Does it make a difference that my backup drive is not connected at the moment??? I had to disconnect it before when I was getting a black screen and it wasn't recognized... Is there a good chance this backup drive is infected as well?



Yes Dave, there is a good chance that it is also infected, so don't plug it in again just yet, OK?

Tell me something: what type of drive is it? Is it a USB external drive, one of the ones that you plug into a USB port? Also, when you had it plugged in, what drive letter did it have: was it E, G or F?

Now could you complete the Kaspersky scan and post me that log along with a HijackThis log, please.

#32 verve (Topic Starter, 71 posts)

Scan is almost finished with one virus found so far.

The drive is not USB, it's built into the PC inside it... I think SATA, but don't take my word on that because I'm not so literate with these things. I believe it was an E: drive.


Thanks

#33 verve (Topic Starter, 71 posts)

Found quite a bit of stuff...



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 25, 2008 12:02:25 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/03/2008
Kaspersky Anti-Virus database records: 659498
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 182377
Number of viruses found: 9
Number of infected objects: 53
Number of suspicious objects: 0
Duration of the scan process: 01:33:05

Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Deckard\System Scanner\20080324214018\backup\DOCUME~1\dave\LOCALS~1\Temp\Av-test.txt Infected: EICAR-Test-File skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\dave\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\dave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\dave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\dave\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\dave\Local Settings\History\History.IE5\MSHist012008032420080325\index.dat Object is locked skipped
C:\Documents and Settings\dave\Local Settings\Temp\Perflib_Perfdata_79c.dat Object is locked skipped
C:\Documents and Settings\dave\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\dave\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\dave\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\Registry_backups\Service_srosa.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP141\A0030628.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP141\A0030628.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP145\A0031121.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP145\A0031121.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP181\A0038475.dll Infected: Trojan-PSW.Win32.OnLineGames.rrx skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP181\A0038487.dll Infected: Trojan-PSW.Win32.OnLineGames.rrx skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP181\A0038492.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP181\A0039518.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP181\A0039519.dll Infected: Trojan-PSW.Win32.OnLineGames.rrx skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP181\A0040504.dll Infected: Trojan-PSW.Win32.OnLineGames.rrx skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP182\A0040535.exe Infected: Trojan-PSW.Win32.OnLineGames.rry skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP182\A0041531.dll Infected: Trojan-PSW.Win32.OnLineGames.rrx skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP184\A0041682.dll Infected: Trojan-PSW.Win32.OnLineGames.rrx skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP203\A0044584.exe Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP205\A0044690.sys Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP206\A0044751.sys Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP207\A0044752.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP207\A0044753.sys Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP207\A0044803.sys Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP207\A0044804.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP207\A0044805.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP208\A0044829.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP208\A0044830.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP208\A0044831.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP208\A0044834.sys Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0044860.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0044861.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0044862.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0044865.sys Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0044912.sys Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0044988.exe Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0044989.exe Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0045032.exe Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0046013.exe Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0047013.sys Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0047014.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0047015.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0047065.exe Infected: Trojan-Downloader.Win32.Bagle.lv skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0047076.exe Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0048079.exe Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0049079.sys Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0049081.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0049082.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP210\A0049144.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP210\A0049146.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP210\A0049148.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP210\A0049154.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP210\A0049160.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP210\A0049162.exe Infected: Trojan.Win32.Pakes.ciw skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP210\A0049172.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP210\A0049195.exe Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP215\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#34 RatHat (Ex Malware Expert, 7,829 posts)

We are in luck Dave, what was found is either in your System Restore points, or in Combofix's quarantine, so we are safe.

Now before we deal with your Backup Drive, let's clear your System Restore of the crap!

Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are infected, but that's good news).

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

Now let's set a new restore point
  • Go to Start, then Programs, then Accessories, then System Tools
  • Choose System Restore
  • When the program starts, make sure that Create a Restore Point is checked, then click Next
  • Give the restore point a name, then click Create, then Close to complete.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, let's install the Recovery Console so that if we have a problem again it is easy to get back to it.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log, then we'll get started on your Backup Drive.

Regards,
RatHat
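Added example (not from the original thread, and not code from Kaspersky, ComboFix or DSS): a small Python script that reads lines in the format of the Kaspersky Online Scanner report posted above and sorts each detection by where it sits on disk, which is what RatHat is doing by eye when he reads "9 viruses / 53 infected objects" as safe. A file inside a System Restore point, inside ComboFix's QooBox quarantine, or inside the Deckard (DSS) backup folder is an inert copy; the EICAR line is a test string; only a hit outside those places is live. "Object is locked skipped" lines are files the scanner could not open, not detections. The path patterns are this example's own assumptions about those tools' folder layouts, and the embedded report is a constructed excerpt: a few lines copied from the posted log plus one hypothetical hit on a made-up path (example_live_hit.sys) so that the "live" bucket is exercised.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the Kaspersky Online Scanner report
# posted in this thread: a few lines copied from that log plus ONE hypothetical
# line (example_live_hit.sys, a made-up path) to exercise the bucket that matters.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Deckard\System Scanner\20080324214018\backup\DOCUME~1\dave\LOCALS~1\Temp\Av-test.txt Infected: EICAR-Test-File skipped
C:\Documents and Settings\dave\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\Registry_backups\Service_srosa.reg.dat Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP141\A0030628.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP141\A0030628.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP207\A0044752.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{BCA76585-1AC2-4C75-8162-9F03C41856B0}\RP209\A0044865.sys Infected: Trojan-Downloader.Win32.Bagle.ma skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\example_live_hit.sys Infected: Trojan-Downloader.Win32.Bagle.ma skipped

Scan process completed.
"""

# One report line is "<path> <verdict> skipped". Paths may contain spaces, so the
# path is matched lazily up to one of the verdicts the scanner emits.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|RAR: infected - (?P<rar>\d+)"
    r"|(?P<locked>Object is locked))"
    r" skipped$"
)

# Where a detection sits decides what it means. These patterns are this example's
# assumptions about the folder layouts of System Restore, ComboFix and DSS.
RESTORE_POINT = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore\{", re.IGNORECASE)
COMBOFIX_QUARANTINE = re.compile(r"\\QooBox\\Quarantine\\", re.IGNORECASE)
DSS_BACKUP = re.compile(r"\\Deckard\\System Scanner\\\d+\\backup\\", re.IGNORECASE)

BUCKETS = ("live", "restore_point", "combofix_quarantine", "dss_backup", "eicar_test")
ACTION = {
    "live": "active on the file system: must be removed before the machine is called clean",
    "restore_point": "inert copy inside a restore point: purge by turning System Restore off and on",
    "combofix_quarantine": "already neutralised in ComboFix's quarantine",
    "dss_backup": "backup copy made by DSS when it cleaned the original",
    "eicar_test": "EICAR test string, harmless by design",
}


def parse_line(line):
    """Return (path, detection_name) for a detection line, or None for anything
    else: headers, blanks, and locked objects the scanner never managed to read."""
    m = LINE_RE.match(line.rstrip())
    if m is None or m.group("locked"):
        return None
    name = m.group("name") or "infected archive (RAR container)"
    return m.group("path"), name


def classify(path, name):
    """Bucket one detection by the location it was found in."""
    if name == "EICAR-Test-File":
        return "eicar_test"
    if RESTORE_POINT.match(path):
        return "restore_point"
    if COMBOFIX_QUARANTINE.search(path):
        return "combofix_quarantine"
    if DSS_BACKUP.search(path):
        return "dss_backup"
    return "live"


def triage(report_text):
    """Parse a whole report and return {bucket: [(path, name), ...]}."""
    buckets = {b: [] for b in BUCKETS}
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            path, name = parsed
            buckets[classify(path, name)].append((path, name))
    return buckets


def is_safe_to_proceed(buckets):
    """RatHat's criterion: nothing found outside restore points, quarantine or backups."""
    return not buckets["live"]


def families(buckets, bucket):
    """Count detection names in one bucket, e.g. which Bagle variants sit in restore points."""
    return Counter(name for _, name in buckets[bucket])


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket in BUCKETS:
        hits = result[bucket]
        print(f"{bucket:20} {len(hits):3}  {ACTION[bucket]}")
        for path, name in hits:
            print(f"    {name:45} {path}")
    print("safe to proceed:", is_safe_to_proceed(result))
```

Run it as is to see the buckets, or replace SAMPLE_REPORT with the full report text. The action text for the restore-point bucket is the step RatHat gives in the post above: toggling System Restore off and back on discards every old restore point, which is the only way to get rid of those copies since the scanner cannot touch anything under System Volume Information.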

#35 verve (Topic Starter, 71 posts)

There you go, RatHat.


WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#36 verve (Topic Starter, 71 posts)

I still get errors when I restart my PC that I never had before this virus... I have two Notepad files opening at startup which I think have something to do with the desktop.ini files I see in a few places... Is this related to the virus?

#37 RatHat (Ex Malware Expert, 7,829 posts)

Could you reboot and post me the content of the Notepad files.

Thanks,
RatHat

#38 verve (Topic Starter, 71 posts)

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787


Both look identical and they are both called desktop.ini.

I still can't start avast or any other anti-spyware except for eTrust PestPatrol, which for some reason keeps starting automatically (probably because avast won't start)... Am I supposed to be disinfected now? Because the problem still seems to be there...


Dave

#39 RatHat (Ex Malware Expert, 7,829 posts)

You are not clean completely yet Dave, but I believe a lot of it has gone now.

Could you run Combofix for me again please, and post me the log so we can see what turns up. Also run DSS again after Combofix, and post me that log.

Regards,
RatHat

#40 verve (Topic Starter, 71 posts)

ComboFix 08-03-24.1 - dave 2008-03-25 1:38:45.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1567 [GMT 0:00]
Running from: C:\Documents and Settings\dave\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-24 22:18 . 2008-03-24 22:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-24 22:18 . 2008-03-24 22:18 <DIR> d-------- C:\Documents and Settings\dave\Application Data\Malwarebytes
2008-03-24 22:18 . 2008-03-24 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-24 21:00 . 2004-08-03 23:56 24,576 --a------ C:\WINDOWS\system32\CF_init.exe
2008-03-24 19:45 . 2008-03-24 19:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-24 19:42 . 2008-03-24 19:42 <DIR> d-------- C:\Deckard
2008-03-24 12:39 . 2008-03-24 12:43 <DIR> d-------- C:\Combo-Fix
2008-03-21 16:05 . 2008-03-22 11:34 <DIR> d-------- C:\Program Files\WH GBP Casino
2008-03-21 16:05 . 2007-06-22 17:02 107,520 --a------ C:\WINDOWS\system32\UnCasino5.exe
2008-03-21 16:04 . 2008-03-22 18:26 <DIR> d-------- C:\Program Files\William Hill Poker
2008-03-19 19:10 . 2004-08-04 00:56 16,384 --a------ C:\WINDOWS\system32\ipsink.ax
2008-03-19 19:10 . 2004-08-04 00:56 16,384 --a--c--- C:\WINDOWS\system32\dllcache\ipsink.ax
2008-03-19 19:10 . 2004-08-03 23:10 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2008-03-19 19:10 . 2004-08-03 23:10 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys
2008-03-19 19:10 . 2004-08-03 23:10 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2008-03-19 19:10 . 2004-08-03 23:10 11,136 --a--c--- C:\WINDOWS\system32\dllcache\slip.sys
2008-03-19 19:10 . 2004-08-03 23:10 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2008-03-19 19:10 . 2004-08-03 23:10 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2008-03-19 19:10 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-03-19 19:10 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-03-19 19:07 . 2004-08-03 23:10 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2008-03-19 19:07 . 2004-08-03 23:10 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2008-03-19 18:56 . 2008-03-19 18:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Vara Software
2008-03-19 18:50 . 2008-03-19 18:50 <DIR> d-------- C:\Documents and Settings\dave\Application Data\Vara Software
2008-03-19 18:29 . 2005-08-13 02:11 61,312 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-03-19 18:29 . 2005-08-13 02:11 61,312 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2008-03-19 18:29 . 2004-08-03 23:10 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2008-03-19 18:29 . 2004-08-03 23:10 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-03-19 18:29 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-03-19 18:29 . 2001-08-17 13:46 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2008-03-16 14:31 . 2001-11-05 09:23 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2008-03-16 14:31 . 2002-10-15 22:41 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2008-03-16 14:31 . 2001-07-03 20:33 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2008-03-16 14:31 . 2001-11-05 09:23 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2008-03-16 14:31 . 2001-11-05 09:23 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2008-03-16 14:31 . 2001-07-03 20:39 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2008-03-05 18:38 . 2008-03-24 21:50 54,156 --a------ C:\WINDOWS\QTFont.qfn
2008-03-05 18:38 . 2008-03-05 18:38 1,409 --a------ C:\WINDOWS\system32\tmp10298.FOT
2008-03-05 18:38 . 2008-03-05 18:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-03 20:05 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-03 19:45 . 2008-03-03 23:15 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-03 19:45 . 2008-03-03 23:15 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-03 17:58 . 2008-03-03 17:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 17:58 . 2008-03-03 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 15:31 . 2007-08-01 10:03 93,184 --a------ C:\WINDOWS\system32\UnPoker.exe
2008-03-02 17:07 . 2007-11-28 14:03 1,048,576 --a------ C:\WINDOWS\P5B-ASUS-1803.ROM
2008-03-02 17:05 . 2008-03-02 17:07 606,107 --a------ C:\WINDOWS\P5B-ASUS-1803.zip
2008-03-02 16:51 . 2007-11-02 09:29 1,048,576 --a------ C:\WINDOWS\P5B-ASUS-1705.ROM
2008-03-02 16:48 . 2008-03-02 16:51 603,850 --a------ C:\WINDOWS\P5B1705.zip
2008-03-02 16:31 . 2007-01-30 15:40 1,048,576 --a------ C:\WINDOWS\P5B-ASUS-1102.ROM
2008-03-02 16:31 . 2008-03-02 16:31 583,607 --a------ C:\WINDOWS\P5B-1102.zip
2008-03-02 16:16 . 2006-10-26 20:35 1,048,576 --a------ C:\WINDOWS\P5B-0806.ROM
2008-03-02 16:15 . 2008-03-02 16:16 579,246 --a------ C:\WINDOWS\P5B-0806.zip
2008-03-02 16:01 . 2006-10-02 17:42 1,048,576 --a------ C:\WINDOWS\P5B-0701.ROM
2008-03-02 16:00 . 2008-03-02 16:01 577,571 --a------ C:\WINDOWS\P5B-0701.zip
2008-03-02 15:46 . 2006-09-06 20:32 1,048,576 --a------ C:\WINDOWS\P5B-ASUS-0509.ROM
2008-03-02 15:41 . 2008-03-02 15:46 575,646 --a------ C:\WINDOWS\P5B-0509.zip
2008-03-02 14:11 . 2008-03-02 14:36 <DIR> d-------- C:\Program Files\ASUS
2008-03-02 14:11 . 2006-01-10 08:50 24,576 --a------ C:\WINDOWS\system32\AsIO.dll
2008-03-02 14:11 . 2005-12-22 02:22 5,685 --a------ C:\WINDOWS\system32\drivers\AsIO.sys
2008-03-02 14:11 . 2005-07-05 10:43 5,120 --a------ C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2008-03-02 14:11 . 2005-07-05 10:43 3,328 --a------ C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2008-03-02 14:09 . 2008-03-02 14:09 <DIR> dr------- C:\WINDOWS\AsDmiHtm
2008-02-29 21:34 . 2008-02-29 21:34 <DIR> d-------- C:\Program Files\Classic Menu for Office
2008-02-29 21:34 . 2008-03-23 01:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 16:48 . 2008-02-29 16:48 <DIR> d-------- C:\Documents and Settings\dave\Application Data\GridIron
2008-02-29 16:47 . 2008-02-29 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GridIron Software
2008-02-29 15:51 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-02-29 15:49 . 2008-02-29 15:49 <DIR> d-------- C:\Program Files\MSBuild
2008-02-29 15:49 . 2008-02-29 15:49 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-29 15:48 . 2008-02-29 15:48 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-29 15:40 . 2008-03-12 03:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-29 15:39 . 2008-02-29 15:39 <DIR> dr-h----- C:\MSOCache
2008-02-29 15:18 . 2008-03-04 00:10 <DIR> d-------- C:\Program Files\PowerISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 15:44 --------- d-----w C:\Program Files\XoftSpySE
2008-03-20 16:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 09:54 --------- d-----w C:\Documents and Settings\dave\Application Data\BSplayer Pro
2008-03-12 00:03 --------- d-----w C:\Documents and Settings\dave\Application Data\Ahead
2008-03-04 00:14 --------- d-----w C:\Program Files\Vtune
2008-03-04 00:08 --------- d-----w C:\Program Files\MagicISO
2008-03-04 00:06 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-03-04 00:05 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-03-03 23:58 --------- d-----w C:\Program Files\Bonjour
2008-03-03 23:58 --------- d-----w C:\Program Files\Avant Browser
2008-02-22 14:24 --------- d-----w C:\Program Files\GenArts
2008-02-14 15:42 --------- d-----w C:\Program Files\Disc2Phone
2008-02-14 15:30 --------- d-----w C:\Documents and Settings\dave\Application Data\Teleca
2008-02-14 15:29 --------- d-----w C:\Documents and Settings\dave\Application Data\Sony Ericsson
2008-02-14 15:27 --------- d-----w C:\Program Files\Sony Ericsson
2008-02-14 15:27 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2008-02-14 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2008-02-14 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-02-12 23:56 --------- d-----w C:\Program Files\Vertus Fluid Mask 3
2008-02-12 23:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\VertusTech
2008-01-31 19:25 --------- d-----w C:\Program Files\DivX
2008-01-31 13:57 --------- d-----w C:\Program Files\THQ
2008-01-31 13:37 --------- d-----w C:\Program Files\Ulead Systems
2008-01-17 00:49 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-15 15:40 3,727,360 ----a-w C:\WINDOWS\system32\sapphire_ae.dll
2008-01-09 11:18 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-09 11:18 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-09 11:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-09 11:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-09 11:16 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-09 11:16 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-09 11:16 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-09 11:16 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-09 11:16 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-09 11:16 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2006-06-23 06:48 32,768 ----a-w C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 08:19 729088]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 08:45 385024]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 10:07 843776]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 09:51 57344]
"P17Helper"="P17.dll" [2005-05-03 11:38 64512 C:\WINDOWS\system32\P17.dll]
"CreativeTaskScheduler"="C:\Program Files\Creative\Shared Files\CTSched.exe" [2006-01-09 02:43 53340]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 15:40 1884160]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-04 19:25 180269]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-23 23:44 79224]
"CaISSDT"="C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe" [2006-04-21 14:42 165416]
"atwtusb"="atwtusb.exe" [2005-09-21 18:08 290816 C:\WINDOWS\system32\ATWTUSB.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-06-02 13:22 28160 C:\WINDOWS\KHALMNPR.Exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe" [2006-06-30 14:57 582144]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-07-10 15:49 1093632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 21:34 155648]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" [2008-01-02 21:14 258048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-11 16:55:20 450560]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\William Hill Poker\\UA.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

S1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 01:24:32 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-07 16:23:56 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 01:39:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-25 1:40:14
ComboFix-quarantined-files.txt 2008-03-25 01:40:00
ComboFix2.txt 2008-03-24 21:39:28
ComboFix3.txt 2008-03-24 21:06:16
.
2008-03-12 03:03:09 --- E O F ---
  • 0



#41
verve

verve

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
It's 2am here and I've got work tomorrow, so I will have to get back to you in the morning. I will wake up early to see what the next steps are...

Thanks a lot for the help, man!


dave



Deckard's System Scanner v20071014.68
Run by dave on 2008-03-25 01:41:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as dave.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:41:08, on 25/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\dave\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\dave.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.c...s/ebraryRdr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 9810 bytes

-- Files created between 2008-02-25 and 2008-03-25 -----------------------------

2008-03-25 01:10:22 0 d-------- C:\cmdcons
2008-03-24 22:18:42 0 d-------- C:\Documents and Settings\dave\Application Data\Malwarebytes
2008-03-24 22:18:38 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-24 22:18:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-24 20:52:04 0 drahs---- C:\autorun.inf
2008-03-24 19:45:38 0 d-------- C:\Program Files\Trend Micro
2008-03-24 12:39:22 0 d-------- C:\Combo-Fix
2008-03-23 23:40:46 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-23 23:40:46 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-23 23:40:46 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-23 23:40:46 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-21 16:05:40 107520 --a------ C:\WINDOWS\system32\UnCasino5.exe <Not Verified; ; UnCasino Application>
2008-03-21 16:05:08 0 d-------- C:\Program Files\WH GBP Casino
2008-03-21 16:04:00 0 d-------- C:\Program Files\William Hill Poker
2008-03-19 18:56:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Vara Software
2008-03-19 18:50:16 0 d-------- C:\Documents and Settings\dave\Application Data\Vara Software
2008-03-16 14:31:49 3654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2008-03-09 12:20:58 0 d-------- C:\958f7957514ceef8862ed3ec8f6dd584
2008-03-03 20:05:59 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-03-03 17:58:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 17:58:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 15:31:00 93184 --a------ C:\WINDOWS\system32\UnPoker.exe <Not Verified; ; UnCasino Application>
2008-03-02 14:11:30 5685 --a------ C:\WINDOWS\system32\drivers\AsIO.sys
2008-03-02 14:11:30 24576 --a------ C:\WINDOWS\system32\AsIO.dll <Not Verified; ; AsIO Dynamic Link Library>
2008-03-02 14:11:27 5120 --a------ C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2008-03-02 14:11:27 3328 --a------ C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2008-03-02 14:11:27 0 d-------- C:\Program Files\ASUS
2008-03-02 14:09:15 0 dr------- C:\WINDOWS\AsDmiHtm
2008-02-29 21:34:44 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 21:34:39 0 d-------- C:\Program Files\Classic Menu for Office
2008-02-29 16:48:05 0 d-------- C:\Documents and Settings\dave\Application Data\GridIron
2008-02-29 16:47:06 0 d-------- C:\Documents and Settings\All Users\Application Data\GridIron Software
2008-02-29 15:49:43 0 d-------- C:\Program Files\Microsoft Works
2008-02-29 15:49:33 0 d-------- C:\Program Files\MSBuild
2008-02-29 15:48:04 0 d-------- C:\Program Files\Microsoft.NET
2008-02-29 15:40:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-29 15:39:20 0 dr-h----- C:\MSOCache
2008-02-29 15:18:51 0 d-------- C:\Program Files\PowerISO


-- Find3M Report ---------------------------------------------------------------

2008-03-23 22:22:02 0 d-------- C:\Program Files\Messenger
2008-03-23 15:44:14 0 d-------- C:\Program Files\XoftSpySE
2008-03-20 19:02:42 0 d-------- C:\Documents and Settings\dave\Application Data\Adobe
2008-03-20 16:03:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-13 09:54:01 0 d-------- C:\Documents and Settings\dave\Application Data\BSplayer Pro
2008-03-12 00:03:06 0 d-------- C:\Documents and Settings\dave\Application Data\Ahead
2008-03-04 00:14:46 0 d-------- C:\Program Files\Vtune
2008-03-04 00:08:11 0 d-------- C:\Program Files\MagicISO
2008-03-04 00:06:11 0 d-------- C:\Program Files\Common Files\Teleca Shared
2008-03-04 00:05:16 0 d-------- C:\Program Files\Common Files\LightScribe
2008-03-03 23:58:38 0 d-------- C:\Program Files\Bonjour
2008-03-03 23:58:37 0 d-------- C:\Program Files\Avant Browser
2008-02-29 15:49:03 0 d-------- C:\Program Files\Common Files
2008-02-22 14:24:53 0 d-------- C:\Program Files\GenArts
2008-02-14 15:42:11 0 d-------- C:\Program Files\Disc2Phone
2008-02-14 15:30:29 0 d-------- C:\Documents and Settings\dave\Application Data\Teleca
2008-02-14 15:29:53 0 d-------- C:\Documents and Settings\dave\Application Data\Sony Ericsson
2008-02-14 15:27:39 0 d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2008-02-14 15:27:05 0 d-------- C:\Program Files\Sony Ericsson
2008-02-12 23:56:49 0 d-------- C:\Program Files\Vertus Fluid Mask 3
2008-02-12 23:56:23 1024 --a------ C:\WINDOWS\system32\u1xi0qt.dll
2008-02-12 23:56:22 1024 --a------ C:\WINDOWS\system32\grcauth2.dll
2008-02-12 23:56:22 1024 --a------ C:\WINDOWS\system32\grcauth1.dll
2008-01-31 19:25:52 0 d-------- C:\Program Files\DivX
2008-01-31 13:57:24 0 d-------- C:\Program Files\THQ
2008-01-31 13:37:08 0 d-------- C:\Program Files\Ulead Systems
2008-01-18 18:07:49 1025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-01-18 18:07:49 1025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-01-15 15:40:52 3727360 --a------ C:\WINDOWS\system32\sapphire_ae.dll <Not Verified; GenArts, Inc.; GenArts, Inc. Sapphire Plug-ins>
2008-01-09 11:18:12 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-09 11:16:10 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-09 11:16:10 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-09 11:16:02 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-09 11:16:02 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-09 11:16:02 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-09 11:16:02 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [10/04/2006 08:19]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [02/06/2006 08:45]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [01/05/2006 10:07]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/10/2007 17:14]
"nwiz"="nwiz.exe" [04/10/2007 17:14 C:\WINDOWS\system32\nwiz.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [31/10/2005 09:51]
"P17Helper"="P17.dll" [03/05/2005 11:38 C:\WINDOWS\system32\P17.dll]
"CreativeTaskScheduler"="C:\Program Files\Creative\Shared Files\CTSched.exe" [09/01/2006 02:43]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [20/03/2007 15:40]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/12/2007 19:25]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [23/03/2008 23:44]
"CaISSDT"="C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe" [21/04/2006 14:42]
"atwtusb"="atwtusb.exe" [21/09/2005 18:08 C:\WINDOWS\system32\ATWTUSB.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [02/06/2005 13:22 C:\WINDOWS\KHALMNPR.Exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [11/05/2000 00:00]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [20/03/2006 17:34]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [04/10/2007 17:14]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [27/10/2006 00:47]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe" [30/06/2006 14:57]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [10/07/2006 15:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [14/11/2007 21:34]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" [02/01/2008 21:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 23:56]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [11/01/2008 16:55:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-03-25 01:41:26 ------------
  • 0

#42
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK Dave, let's clear up the Desktop.ini problem.

Firstly, I would like to make sure that you can view hidden files and folders:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now open Windows Explorer and navigate to each of the following folders, one at a time:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs
C:\Documents and Settings\All Users\Start Menu


In each folder, see if it contains a Desktop.ini file.

Verify that the file contains the following lines by opening the file with Notepad:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787


If the file contains these lines, right-click the file, click Delete, and then click Yes when you are prompted to confirm the deletion.

Restart your computer and verify that the issue is resolved.

Let me know how you get on.
  • 0
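The check in the post above, as an added example (my own script, not the post's or Microsoft's): it parses each Desktop.ini in the three folders named and reports which ones carry exactly the quoted [.ShellClassInfo] line, which is the only kind the post says to delete. The sample tree built by build_constructed_sample() is constructed for the demo, and everything runs against a temporary directory rather than a live C: drive.

```python
import configparser
import tempfile
from pathlib import Path

# The three folders named in the post, relative to the system drive root.
START_MENU_FOLDERS = [
    r"Documents and Settings\All Users\Start Menu\Programs\Startup",
    r"Documents and Settings\All Users\Start Menu\Programs",
    r"Documents and Settings\All Users\Start Menu",
]
# The resource reference quoted in the post (shell32.dll string -21787).
EXPECTED_RESOURCE = r"@%SystemRoot%\system32\shell32.dll,-21787"


def read_ini_text(path: Path) -> str:
    """Desktop.ini may be ANSI or UTF-16 with a byte-order mark; handle both."""
    raw = path.read_bytes()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def matches_post(ini_text: str) -> bool:
    """True when [.ShellClassInfo] holds exactly the resource line from the post."""
    # interpolation=None: the value contains '%SystemRoot%', which the default
    # interpolation would otherwise try to expand and reject.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(ini_text)
    except configparser.Error:  # not an INI file at all
        return False
    section = next((s for s in parser.sections() if s.lower() == ".shellclassinfo"), None)
    if section is None:
        return False
    value = parser.get(section, "LocalizedResourceName", fallback="")
    return value.strip().lower() == EXPECTED_RESOURCE.lower()


def find_desktop_ini(root: Path, delete: bool = False) -> dict:
    """Check the three folders under `root`; returns lists of path strings
    under the keys 'matching', 'other' and 'missing'. Deletes only if asked."""
    result = {"matching": [], "other": [], "missing": []}
    for folder in START_MENU_FOLDERS:
        ini = root.joinpath(*folder.split("\\")) / "Desktop.ini"
        if not ini.is_file():
            result["missing"].append(str(ini))
        elif matches_post(read_ini_text(ini)):
            result["matching"].append(str(ini))
            if delete:
                ini.unlink()
        else:  # a Desktop.ini with different contents: report it, never delete
            result["other"].append(str(ini))
    return result


def build_constructed_sample(base: Path) -> Path:
    """Constructed sample tree (not from the thread): the post's file in Startup,
    a harmless custom-icon file (UTF-16) in Programs, none in Start Menu."""
    startup = base.joinpath(*START_MENU_FOLDERS[0].split("\\"))
    programs = base.joinpath(*START_MENU_FOLDERS[1].split("\\"))
    startup.mkdir(parents=True, exist_ok=True)  # also creates Programs above it
    (startup / "Desktop.ini").write_text(
        "[.ShellClassInfo]\nLocalizedResourceName=" + EXPECTED_RESOURCE + "\n")
    (programs / "Desktop.ini").write_bytes(
        "[.ShellClassInfo]\r\nIconFile=C:\\icons\\custom.ico\r\nIconIndex=0\r\n".encode("utf-16"))
    return base


def demo() -> dict:
    """Run the check over the constructed sample; paths are made relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_constructed_sample(Path(tmp))
        report = find_desktop_ini(root)
        return {k: [str(Path(p).relative_to(root)) for p in v] for k, v in report.items()}
```

Calling demo() reports the Startup file as matching, the Programs file as other and the Start Menu folder as missing; pass delete=True to find_desktop_ini() only after reading the report.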

#43
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
This can wait till morning Dave, but I will be in bed when you get up, so I'll catch you when I get up.

Regards,
RatHat
  • 0

#44
verve

verve

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Didn't help. This time only one Notepad opened, but the same thing. The desktop.ini files are back where they were before I deleted them, and I just noticed another one in the Accessories folder. So I'm guessing there are loads of them around.

Also, when I open my C: drive there are loads of files/notepads/and ComboFix folders that were never there before I started this topic thread. Should they all still be there?
  • 0

#45
verve

verve

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Did a search for desktop.ini and found more than 25 of them all over my PC, especially in My Docs....
  • 0
