rootkit/nurech.bc, cannot remove, getting BSOD [RESOLVED]


  • This topic is locked

#31
V0x

    Member

  • Topic Starter
  • 24 posts
That's a screensaver my son downloaded from drpepper.com. No biggie, I'll take it out.

Computer seems to be running fine. It was running fine before, just getting a random Blue Screen of Death here and there, usually after trying to log on to the internet or a website. One of them was from a Pogo desktop game, another was from clicking into an Airheads game, another was trying to run a scan through spyware doctor.

Perhaps it's not malware, after all? Usually I just reboot, and it works just fine.
#32
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
You did still have malware on your PC, so it could really be from it.

Let's do an online scan with Kaspersky, but a different way so we can get it to run.

Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox browser: Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser: Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Then,

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Also do a test drive with your PC. Still getting BSODs?

#33
V0x

    Member

  • Topic Starter
  • 24 posts
Test drove, couldn't reproduce a BSOD. Hhmm...

Kaspersky says we're all clear--

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 30, 2008 10:14:49 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/07/2008
Kaspersky Anti-Virus database records: 1031689
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\DONALD\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 14924
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:08:07

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\DONALD\LOCALS~1\Temp\etilqs_rmmljHLUYgKkol7Sj4Eu Object is locked skipped
C:\DOCUME~1\DONALD\LOCALS~1\Temp\hsperfdata_DONALD\2392 Object is locked skipped
C:\DOCUME~1\DONALD\LOCALS~1\Temp\IMG3C7.tmp Object is locked skipped
C:\DOCUME~1\DONALD\LOCALS~1\Temp\WCESLog.log Object is locked skipped

Scan process completed.

#34
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Sounds good :)

Click START then RUN
Now type Combo-Fix /u in the runbox and click OK
Notice the space between the x and / -- That needs to be there.

Follow the steps then here:
http://www.geekstogo...44#entry1289144

Tell me how it goes :)

Edited by Mike, 31 July 2008 - 03:37 AM.


#35
V0x

    Member

  • Topic Starter
  • 24 posts
Got another BSOD this morning. This time I was surfing around eBay, and my computer came to almost a screeching halt (screens would not move). Ctrl+Alt+Del wouldn't even come up, so I did a hard reboot, logged in, and up pops a BSOD. I hard-booted again, logged in, and now it's fine. Do you suppose this is coming from eBay?

Here's the log from combo-fix:

ComboFix 08-07-28.1 - DONALD 2008-07-31 8:10:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.592 [GMT -4:00]
Running from: C:\Documents and Settings\DONALD\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ORUN32.EXE
C:\WINDOWS\system32\CMMGR32.EXE

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-30 22:31 . 2008-07-30 22:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-30 22:31 . 2008-07-30 22:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-29 18:18 . 2008-07-29 18:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-07-29 18:18 . 2008-07-29 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-27 20:27 . 2008-07-27 20:27 250 --a------ C:\WINDOWS\gmer.ini
2008-07-27 20:22 . 2008-07-27 20:22 <DIR> d-------- C:\Deckard
2008-07-22 21:14 . 2008-07-22 21:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\Dr Pepper Indiana Jones dir
2008-07-22 21:14 . 2008-07-22 21:14 202,240 --a------ C:\WINDOWS\SYSTEM32\Dr Pepper Indiana Jones.scr
2008-07-17 23:09 . 2008-07-17 23:09 <DIR> d-------- C:\fsaua.data
2008-07-17 17:56 . 2008-07-17 17:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-15 19:06 . 2008-07-31 08:06 <DIR> d-------- C:\Documents and Settings\DONALD\Application Data\OpenOffice.org2
2008-07-15 19:03 . 2008-07-15 19:03 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-07-14 01:02 . 2008-07-14 01:11 81,208,728 --a------ C:\Documents and Settings\DONALD\jdk-6u7-windows-i586-p.exe
2008-07-14 01:01 . 2008-07-14 01:11 <DIR> d-------- C:\Documents and Settings\DONALD\.SunDownloadManager
2008-07-13 19:04 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-13 18:21 . 2008-07-13 18:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-13 18:21 . 2008-07-13 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-13 18:14 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-13 18:14 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-13 18:13 . 2008-07-13 18:13 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-13 18:10 . 2008-07-13 18:10 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-13 15:21 . 2008-07-13 15:21 <DIR> d-------- C:\Documents and Settings\DONALD\Application Data\TrojanHunter
2008-07-13 14:32 . 2008-07-13 14:32 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-07-13 12:41 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-13 10:49 . 2008-07-13 10:49 <DIR> d-------- C:\Documents and Settings\Administrator.D2VN4F61\Application Data\SUPERAntiSpyware.com
2008-07-13 09:38 . 2008-07-13 09:38 <DIR> d-------- C:\Documents and Settings\Administrator.D2VN4F61\Application Data\Malwarebytes
2008-07-13 09:37 . 2008-07-13 12:13 <DIR> d---s---- C:\Documents and Settings\Administrator.D2VN4F61
2008-07-12 23:26 . 2008-07-13 12:13 <DIR> d-------- C:\Program Files\Mozilla Firefox(2)
2008-07-12 22:56 . 2008-07-12 22:56 <DIR> d-------- C:\Program Files\Panda Security
2008-07-12 22:43 . 2008-07-30 22:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-12 22:43 . 2008-07-12 22:43 <DIR> d-------- C:\Documents and Settings\DONALD\Application Data\SUPERAntiSpyware.com
2008-07-12 22:13 . 2008-07-13 18:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 22:13 . 2008-07-12 22:13 <DIR> d-------- C:\Documents and Settings\DONALD\Application Data\Malwarebytes
2008-07-12 22:13 . 2008-07-12 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 22:01 . 2008-07-13 12:13 <DIR> d-------- C:\Documents and Settings\DONALD\.housecall6.6
2008-07-12 21:14 . 2008-07-13 12:14 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-07-06 13:32 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-07-06 13:32 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-07-06 13:32 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-07-06 13:32 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-07-06 13:31 . 2008-07-30 08:09 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-06 13:31 . 2008-07-06 13:31 <DIR> d-------- C:\Documents and Settings\DONALD\Application Data\PC Tools
2008-06-20 13:41 . 2008-06-20 13:41 245,248 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 06:44 . 2008-06-20 06:44 138,368 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-11 05:30 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-06-11 05:30 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 12:07 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-17 21:52 --------- d-----w C:\Program Files\Java
2008-07-13 22:25 --------- d-----w C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-07-13 22:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-13 22:02 --------- d-----w C:\Documents and Settings\DONALD\Application Data\AdobeUM
2008-07-06 17:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-06 17:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock(2)(2).dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\dnsapi(2)(2).dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-05-05 22:14 107,888 ----a-w C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 23:36 1207080]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-02-24 12:57 2506752]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 15:33 1388544]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 14:16 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 18:54 57344]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 10:50 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-12-22 15:18 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-22 15:19 98304]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 22:05 7557120]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 22:05 86016]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.EXE" [2002-05-13 23:10 886272]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-07-09 18:54 1056928]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]
"nwiz"="nwiz.exe" [2006-02-13 22:05 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Logitech Utility"="Logi_MwX.Exe" [2004-03-03 13:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

C:\Documents and Settings\DONALD\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-15 23:39]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys []

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
O8 -: Display All Images with Full Quality - "C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 -: Display Image with Full Quality - "C:\Program Files\NetZero\qsacc\appres.dll/227"
O18 -: Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
O18 -: WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
O18 -: WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -

O16 -: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
C:\WINDOWS\Downloaded Program Files\PogoWebLauncher.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 08:13:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-31 8:15:02
ComboFix-quarantined-files.txt 2008-07-31 12:15:00
ComboFix2.txt 2008-07-28 19:48:37

Pre-Run: 60,549,222,400 bytes free
Post-Run: 60,537,556,992 bytes free

177 --- E O F --- 2008-07-14 05:24:54

#36
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Let's do this.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it to your desktop with the file name options.txt and the file type set to All Files.

RegSearch Options File

[Search]
CMMGR32
ORUN32

[Exclude]

[Options]
Filter=KVDLU

2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.


#37
V0x

    Member

  • Topic Starter
  • 24 posts
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 7/31/2008 12:52:50 PM for strings:
; 'cmmgr32'
; 'orun32'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\CMMGR32.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Connection Manager Profile\DefaultIcon]
@="C:\\WINDOWS\\system32\\CMMGR32.EXE,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Connection Manager Profile\shell\open\command]
@="C:\\WINDOWS\\system32\\CMMGR32.EXE \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Connection Manager Profile\shell\Settings...\command]
@="C:\\WINDOWS\\system32\\CMMGR32.EXE /settings \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MITrain.Document\DefaultIcon]
@="C:\\WINDOWS\\Help\\SBSI\\Training\\ORUN32.EXE,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MITrain.Document\shell\open\command]
@="C:\\WINDOWS\\Help\\SBSI\\Training\\orun32.exe -f \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Step By Step Interactive Training\SP2\KB898458\Filelist\0]
"FileName"="orun32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Step By Step Interactive Training\SP2\KB923723\Filelist\0]
"FileName"="orun32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe]
@="C:\\WINDOWS\\system32\\cmmgr32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ORUN32.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ORUN32.EXE]
@="C:\\WINDOWS\\ORUN32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\WINDOWS\\Help\\SBSI\\Training\\orun32.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Interactive Training]
"UninstallString"="C:\\WINDOWS\\IsUninst.exe -fC:\\WINDOWS\\orun32.isu"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\cmmgr32.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\cmmgr32.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\cmmgr32.exe]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"i"="C:\\WINDOWS\\SYSTEM32\\CMMGR32.EXE"

; End Of The Log...
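The RegSearch export above lists every key or value that merely contains the strings cmmgr32 and orun32, so a helper still has to decide which of those entries point at the two files ComboFix reported deleting and which point at other copies that were never touched. As an added example that is not part of this thread, of RegSearch or of ComboFix, the Python below parses a .reg export in the format shown, extracts the file paths from value names and data, and reports only the values whose full path matches a deleted file; the export excerpt and the deleted-path list are constructed from the logs posted in this thread.

```python
import re

# Constructed excerpt of a RegSearch export, modelled on the log posted in this thread.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

; Registry Search 2.0 results (constructed excerpt)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Connection Manager Profile\shell\open\command]
@="C:\\WINDOWS\\system32\\CMMGR32.EXE \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MITrain.Document\shell\open\command]
@="C:\\WINDOWS\\Help\\SBSI\\Training\\orun32.exe -f \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ORUN32.EXE]
@="C:\\WINDOWS\\ORUN32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\WINDOWS\\Help\\SBSI\\Training\\orun32.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Interactive Training]
"UninstallString"="C:\\WINDOWS\\IsUninst.exe -fC:\\WINDOWS\\orun32.isu"
'''

# Paths ComboFix listed under "Other Deletions" in the log posted earlier in this thread.
DELETED_BY_COMBOFIX = [r"C:\WINDOWS\ORUN32.EXE", r"C:\WINDOWS\system32\CMMGR32.EXE"]

# A .reg value line: the default value (@) or a quoted name, then '=' and the data.
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
# A Windows path ending in one of the file types that appear in the thread's logs.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|scr|ocx|cpl|isu)(?![A-Za-z0-9])',
                     re.IGNORECASE)


def _unescape(s):
    # Undo .reg escaping: a doubled backslash becomes one, backslash-quote becomes a quote.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Yield (key, value_name, data) for every value in a .reg export.
    REG_SZ data is unescaped; other types (dword:, hex:) are returned raw."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or m is None:
            continue
        name = m.group("name")
        name = "(Default)" if name == "@" else _unescape(name[1:-1])
        data = m.group("data")
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        yield key, name, data


def referenced_paths(text):
    """All distinct file paths (lower-cased) named anywhere in the export."""
    found = set()
    for _key, name, data in parse_reg(text):
        for field in (name, data):
            found.update(p.lower() for p in PATH_RE.findall(field))
    return sorted(found)


def find_orphaned_references(text, deleted_paths):
    r"""Return (key, value_name, path) for each value that points at a deleted file.
    The comparison is on the full path, case-insensitively, so a match on the file
    name alone (the copy of orun32.exe under Help\SBSI\Training) is not reported."""
    deleted = {p.lower() for p in deleted_paths}
    orphans = []
    for key, name, data in parse_reg(text):
        for field in (name, data):  # a value name can itself be a path (SharedDlls)
            for path in PATH_RE.findall(field):
                if path.lower() in deleted:
                    orphans.append((key, name, path))
    return orphans


if __name__ == "__main__":
    for key, name, path in find_orphaned_references(REG_EXPORT, DELETED_BY_COMBOFIX):
        print(f"{key}\n    {name} -> {path} (file deleted by ComboFix)")
```

On the constructed excerpt only the Connection Manager Profile open command and the App Paths\ORUN32.EXE default value are reported; the Interactive Training entries under Help\SBSI\Training reference a different file and are left alone.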

#38
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Sit tight V0x, I want to get some input from some of the more knowledgeable people here before we continue :)

I'll post back as soon as I can :)

#39
V0x

    Member

  • Topic Starter
  • 24 posts
Not a problem, Mike! As always, I appreciate any help I can get! :)

#40
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
The files that SDFix and ComboFix deleted are dummy files; I just 'accidentally' ignored the file size (0 bytes) :)

So from that, your logs look clean to me, and I believe this is a tech-related issue as opposed to malware. Did the BSODs only start happening when you first got the malware, or did it happen previously?

Could you write down the error next time it happens, if it happens?
#41
V0x

    Member

  • Topic Starter
  • 24 posts
I'm fairly certain that the BSODs only occurred after the malware issue. This is the first time we've ever encountered a BSOD on this computer.

I will be sure to write down the error code(s), should I run across another BSOD, and see if the tech guys have any ideas for me.

Thanks again, Mike! Have a great weekend! :)

#42
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Thanks,

I'll let the techs handle it from here :)

Please go through the removal steps again; keeping the tools on your PC is not the best idea.

Take care and have a great day still!

Mike

#43
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.