Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

PC Hijacked

Started by jimro , May 29 2008 06:58 PM

  • Please log in to reply

#1
jimro
Posted 29 May 2008 - 06:58 PM

jimro

    New Member

  • Member
  • Pip
  • 1 posts
Hey guys, I need your help.

My daughter's pc picked up a number of infections.

The symptoms are the uncontrolled loading of websites such as processworkathome.com
as well as porn websites.

I have seen mywebsearch, SurfingAdvisor, Zango, and attempted to manually remove these
but it seems I didn't remove them all.

I also ran combofix and spydoctor which also removed some including virtumonde.

I'm coming to you guys as a last resort and am including my hijackthis and combofix logs
below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:45 PM, on 5/29/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3657144810-1066532442-3397969587-1007\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Claire')
O4 - HKUS\S-1-5-21-3657144810-1066532442-3397969587-1007\..\Run: [60385da0] rundll32.exe "C:\Users\Claire\AppData\Local\Temp\krclfpxn.dll",b (User 'Claire')
O4 - HKUS\S-1-5-18\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe (User 'Default user')
O4 - S-1-5-21-3657144810-1066532442-3397969587-1007 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Claire')
O4 - S-1-5-21-3657144810-1066532442-3397969587-1007 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Claire')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm147OFUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.exe.imgfar...etup1.0.1.0.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10544 bytes



ComboFix 08-05-29.1 - Jimmy 05/29/2008 17:17:41.3 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.190 [GMT -4:00]
Running from: C:\Users\Claire\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-28 15:29 . 05/28/2008 03:29 PM <DIR> d-------- C:\Users\Claire\AppData\Roaming\Talkback
2008-05-28 07:54 . 05/28/2008 07:54 AM <DIR> d-------- C:\Users\Jimmy\AppData\Roaming\Talkback
2008-05-27 23:22 . 05/27/2008 11:22 PM <DIR> d-------- C:\Users\Jimmy\AppData\Roaming\Apple Computer
2008-05-27 21:58 . 05/27/2008 09:58 PM <DIR> d-------- C:\Windows\Open RegEdit
2008-05-27 21:58 . 05/27/2008 09:58 PM 72,368 --a------ C:\Program Files\irunin.dat
2008-05-27 21:20 . 05/27/2008 09:20 PM <DIR> d-------- C:\Users\Jimmy\AppData\Roaming\PC Tools
2008-05-27 21:20 . 05/29/2008 01:09 PM <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-27 21:20 . 12/10/2007 02:53 PM 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-05-27 21:20 . 12/10/2007 02:53 PM 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-05-27 21:20 . 02/01/2008 12:55 PM 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-05-27 21:20 . 12/10/2007 02:53 PM 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-05-27 20:59 . 05/27/2008 08:59 PM <DIR> d-------- C:\Users\All Users\Mozilla
2008-05-27 20:54 . 05/29/2008 07:14 AM <DIR> d-------- C:\Users\All Users\Google Updater
2008-05-27 20:54 . 05/29/2008 07:14 AM <DIR> d-------- C:\ProgramData\Google Updater
2008-05-27 20:13 . 03/07/2008 08:37 PM 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-27 20:13 . 03/08/2008 12:30 AM 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-05-26 08:31 . 05/26/2008 10:31 AM <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-26 08:31 . 05/26/2008 10:31 AM <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-05-26 08:31 . 05/26/2008 08:31 AM <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-24 12:49 . 05/25/2008 12:47 PM <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-19 20:57 . 05/19/2008 08:57 PM <DIR> d-------- C:\Users\Claire\AppData\Roaming\CoreFTP
2008-05-19 20:36 . 05/19/2008 08:40 PM <DIR> d-------- C:\Users\Jimmy\AppData\Roaming\CoreFTP
2008-05-19 20:34 . 05/19/2008 08:35 PM <DIR> d-------- C:\Program Files\CoreFTP
2008-05-18 20:41 . 05/18/2008 08:42 PM <DIR> d-------- C:\Users\Public\LimeWire
2008-05-17 20:59 . 05/17/2008 08:59 PM <DIR> d-------- C:\Users\All Users\avg8
2008-05-17 20:59 . 05/17/2008 08:59 PM <DIR> d-------- C:\ProgramData\avg8
2008-05-17 20:59 . 05/17/2008 08:59 PM <DIR> d-------- C:\Program Files\AVG
2008-05-17 20:23 . 05/24/2008 09:14 PM <DIR> d-------- C:\Downloads
2008-05-17 20:22 . 05/25/2008 09:55 AM <DIR> d-------- C:\Users\Jimmy\AppData\Roaming\Free Download Manager
2008-05-17 20:22 . 05/17/2008 08:22 PM <DIR> d-------- C:\Program Files\Free Download Manager
2008-05-17 17:51 . 05/17/2008 05:51 PM <DIR> d-------- C:\Users\Claire\AppData\Roaming\SampleView
2008-05-10 09:13 . 05/10/2008 09:13 AM <DIR> d-------- C:\Users\Ashlyn\AppData\Roaming\InterVideo
2008-05-06 01:21 . 05/06/2008 01:21 AM <DIR> d-------- C:\divx
2008-05-05 17:40 . 05/06/2008 12:35 AM <DIR> d-------- C:\Users\Claire\AppData\Roaming\DivX
2008-05-05 17:35 . 05/27/2008 08:00 PM <DIR> d-------- C:\Program Files\Common Files\PX Storage Engine
2008-05-04 12:20 . 05/29/2008 04:22 PM <DIR> d-------- C:\Users\Claire\AppData\Roaming\LimeWire
2008-05-03 17:53 . 05/27/2008 08:00 PM <DIR> d-------- C:\Program Files\LimeWire
2008-04-30 18:27 . 05/27/2008 08:00 PM <DIR> d-------- C:\Users\All Users\Oberonv1005
2008-04-30 18:27 . 05/27/2008 08:00 PM <DIR> d-------- C:\ProgramData\Oberonv1005
2008-04-30 18:09 . 04/30/2008 06:09 PM <DIR> d-------- C:\Users\Jimmy\AppData\Roaming\SampleView
2008-04-29 17:47 . 05/04/2008 01:13 AM <DIR> d-------- C:\Users\Jimmy\AppData\Roaming\LimeWire
2008-04-29 08:39 . 04/29/2008 08:39 AM <DIR> d-------- C:\Users\Claire\AppData\Roaming\Hewlett-Packard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 20:48 --------- d---a-w C:\ProgramData\TEMP
2008-05-29 11:20 --------- d-----w C:\Program Files\CONEXANT
2008-05-28 01:58 5,514 ----a-w C:\Program Files\irunin.xml
2008-05-28 01:56 61,270 ----a-w C:\Program Files\IRIMG2.JPG
2008-05-28 01:56 11,435 ----a-w C:\Program Files\IRIMG1.JPG
2008-05-28 00:54 --------- d-----w C:\Program Files\Google
2008-05-28 00:04 --------- d-----w C:\Program Files\Bonjour
2008-05-28 00:00 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-28 00:00 --------- d-----w C:\Program Files\Windows Live
2008-05-28 00:00 --------- d-----w C:\Program Files\Safari
2008-05-28 00:00 --------- d-----w C:\Program Files\QuickTime
2008-05-28 00:00 --------- d-----w C:\Program Files\MSN Games
2008-05-28 00:00 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-05-28 00:00 --------- d-----w C:\Program Files\iTunes
2008-05-28 00:00 --------- d-----w C:\Program Files\Hp
2008-05-28 00:00 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-28 00:00 --------- d-----w C:\Program Files\Apple Software Update
2008-05-26 15:11 --------- d-----w C:\Users\Claire\AppData\Roaming\Apple Computer
2008-05-16 02:38 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-29 12:39 --------- d-----w C:\ProgramData\Hewlett-Packard
2008-04-26 02:33 --------- d-----w C:\ProgramData\Oberon Media
2008-04-15 00:54 --------- d-----w C:\ProgramData\{7DDD0C26-E7D0-4422-8616-030EE13368AF}
2008-04-14 18:49 1,272,860 ----a-w C:\Users\Jimmy\VOCAL REMOVER INSTALLER.EXE
2008-04-14 00:49 --------- d-----w C:\ProgramData\WLInstaller
2008-04-13 14:37 --------- d-----w C:\Users\Jimmy\AppData\Roaming\InterVideo
2008-04-10 23:31 --------- d-----w C:\Users\Ashlyn\AppData\Roaming\Apple Computer
2008-04-04 20:42 --------- d-----w C:\ProgramData\Apple Computer
2008-04-04 20:42 --------- d-----w C:\Program Files\iPod
2008-04-01 01:38 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-31 21:25 831,488 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-21 20:30 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-03-21 20:30 129,784 ----a-w C:\Windows\System32\PxAFS.DLL
2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-03-20 15:59 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-03-20 15:59 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-03-20 15:59 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-03-20 15:59 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-03-20 15:59 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-03-20 15:59 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-03-20 15:59 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-03-20 15:59 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-03-20 15:59 2,923,520 ----a-w C:\Windows\explorer.exe
2008-03-20 15:57 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-03-20 15:52 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-03-20 15:52 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-03-20 15:52 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-03-20 15:52 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-03-20 15:52 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-03-20 15:52 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-03-20 15:51 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-03-20 15:51 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-03-20 15:51 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-03-20 15:51 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-03-20 15:51 2,048 ----a-w C:\Windows\System32\asferror.dll
2008-03-20 15:51 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-03-20 15:51 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-03-20 15:50 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-03-20 15:50 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-03-20 15:48 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-03-20 15:47 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-03-20 15:46 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-03-19 18:44 80,896 ----a-w C:\Windows\System32\wudriver.dll
2008-03-19 18:44 549,720 ----a-w C:\Windows\System32\wuapi.dll
2008-03-19 18:44 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2008-03-19 18:44 43,352 ----a-w C:\Windows\System32\wups2.dll
2008-03-19 18:44 33,624 ----a-w C:\Windows\System32\wups.dll
2008-03-19 18:44 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
2008-03-19 18:44 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
2008-03-19 18:43 31,232 ----a-w C:\Windows\System32\wuapp.exe
2008-03-19 18:43 163,000 ----a-w C:\Windows\System32\wuwebv.dll
2008-03-08 04:30 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:30 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:30 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:30 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-03-04 06:34 2,125,312 ----a-w C:\Windows\System32\CnxtAp32.dll
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot_2008-05-29_16.10.39.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-29 19:24:00 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-29 20:20:35 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-05-29 19:24:02 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-29 20:20:37 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-05-29 19:24:02 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-05-29 20:20:37 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-05-29 19:34:39 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-29 20:22:28 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-05-29 19:34:34 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-29 20:22:22 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-05-29 19:37:23 7,430 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3657144810-1066532442-3397969587-1007_UserData.bin
+ 2008-05-29 20:22:53 7,454 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3657144810-1066532442-3397969587-1007_UserData.bin
- 2008-05-29 19:37:22 68,338 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-29 20:22:52 68,346 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-05-29 19:37:18 44,194 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-29 20:22:50 44,194 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [03/20/2008 11:48 AM 1232896]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/27/2008 08:54 PM 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [09/12/2007 01:34 PM 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [09/12/2007 01:33 PM 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [09/12/2007 01:33 PM 129560]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [01/12/2007 09:36 AM 827392]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [03/01/2007 05:18 PM 472776]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [01/10/2007 08:12 PM 317128]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [06/05/2007 01:12 PM 71176]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM 144784]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [05/07/2007 01:47 PM 159744]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [05/08/2007 04:24 PM 54840]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM 1103240]
"MSConfig"="C:\Windows\system32\msconfig.exe" [11/02/2006 05:45 AM 222208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" [ ]

C:\Users\Claire\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-04-30 12:37:18 147456]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 05:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 04:01:50 734872]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2008-03-17 15:57:34 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7060CBB7-DA25-4A9F-B7E0-1F78EDCE35EE}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{6022373E-4BDC-4B21-825B-5251EF92252C}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{82413D39-B7E5-4922-AD13-C4CA3D3580A6}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{85FD502D-7EB1-49FE-84E6-9A0AD81F0755}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{70989A6B-6252-4F65-9243-61DDF100B6D1}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{73CE3EEA-5810-4853-BEC8-2A0AACFB1A54}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{6FABFA65-1A20-4FBA-9466-68C6B4B2CCD6}"= UDP:C:\Users\Jimmy\Desktop\LimeWire\LimeWire.exe:LimeWire
"{76ABC9B9-0BA0-4AEA-9A1C-822F3D928EC3}"= TCP:C:\Users\Jimmy\Desktop\LimeWire\LimeWire.exe:LimeWire
"{9AAD7762-FF6A-4C7A-810E-399ADD5B3F8E}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{096A27DA-4A76-41C5-B67A-E30FF7AEA921}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{CEAA067F-7DD8-4BCF-BFAC-DF5A406B9A41}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{733D2501-D413-432F-B886-55FC5FB7A3E4}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [01/11/2008 05:50 PM]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [11/27/2006 10:44 PM]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [03/04/2008 02:32 AM]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [08/24/2007 08:39 AM]
S2 MyWebSearchService;My Web Search Service;C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe []
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [11/02/2006 03:30 AM]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [11/02/2006 03:36 AM]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);C:\Windows\system32\DRIVERS\s125bus.sys [04/24/2007 09:33 AM]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\Windows\system32\DRIVERS\s125mdfl.sys [04/24/2007 09:33 AM]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\Windows\system32\DRIVERS\s125mdm.sys [04/24/2007 09:33 AM]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);C:\Windows\system32\DRIVERS\s125mgmt.sys [04/24/2007 09:33 AM]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;C:\Windows\system32\DRIVERS\s125obex.sys [04/24/2007 09:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71532757-0622-11dd-88f5-001b38c19385}]
\shell\Auto\command - boot.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 17:15:07 C:\Windows\Tasks\User_Feed_Synchronization-{339BBC0F-EB32-4360-B88F-A70664A57239}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 17:24:32
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Users\Claire\AppData\Local\Temp\krclfpxn.dll
-> C:\Users\Claire\AppData\Local\Temp\ljJCtSmj.dll
.
Completion time: 05/29/2008 17:27:51
ComboFix-quarantined-files.txt 2008-05-29 21:26:50
ComboFix2.txt 2008-05-29 20:12:22

Pre-Run: 73,245,343,744 bytes free
Post-Run: 73,219,956,736 bytes free

268 --- E O F --- 2008-05-29 18:47:08
  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP