Infected file C:\WINNT\SYSTEM32\funfsnv.dll not able to

#1 mshill1975 (New Member)
Ran Norton;

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader
File: C:\WINNT\SYSTEM32\funfsnv.dll
Location: C:\WINNT\SYSTEM32
Computer: DG7B9R01
User: Administrator
Action taken: Clean failed : Delete failed : Access denied
Date found: Fri Jul 18 18:41:52 2008


Now what?

Thanks,
Matt

#2 loophole (Malware Expert, Retired Staff)
Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


#3 mshill1975 (Topic Starter)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:59 PM, on 7/18/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ICO.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINNT\winhlp32.exe
C:\WINNT\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WarningBHO Class - {9989F1F6-70DE-4244-AC9F-6672983681A0} - C:\Program Files\AntiSpyCheck 2.1\IEWarning32.dll (file missing)
O2 - BHO: (no name) - {A49E097A-D6EF-4B2F-8B0F-1230E998587F} - C:\Program Files\Web Technologies\iebt.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 238044 helper - {C0F371D7-926D-4700-B65E-63BFF1197205} - C:\WINNT\system32\238044\238044.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Internet Service - {F99D0C20-F8E1-43B6-AB24-3F16BFAEA77B} - C:\Program Files\Web Technologies\iebr.dll (file missing)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe"
O4 - HKLM\..\Run: [SandIcon] "C:\ImageMate CompactFlash USB\SandIcon.Exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WINP] C:\WINNT\winmic.exe
O4 - HKLM\..\Run: [CreateCD] "C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe" -r
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Web Technologies\iebtm.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorer...om/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorer...om/redirect.php (file missing)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: DigiChat Applet - http://host16.digich...s/Client_IE.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...16/sdcregie.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://lovefreegames...LFG-toolbar.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} - http://tb.searchitqu...com/v30/siq.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BB7084D-EF77-4D29-826E-39CFB64F4A92}: NameServer = 68.94.156.1,68.94.157.1
O22 - SharedTaskScheduler: eulogical - {99f8405b-63d1-421a-83bb-7b4b0642ac28} - C:\WINNT\system32\funfsnv.dll
O23 - Service: Cpmcatciipp - Dell Computer Corporation. - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 9067 bytes

#4 loophole (Malware Expert, Retired Staff)
Hi :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#5 mshill1975 (Topic Starter)
ComboFix 08-07-18.1 - Administrator 07/19/2008 0:01:36.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.121 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\My Documents\My Documents.url
C:\Documents and Settings\Administrator\My Documents\My Pictures\My Pictures.url
C:\Program Files\Common Files\WinSoftware
C:\Program Files\Common Files\WinSoftware\CrXML.dll
C:\Program Files\Common Files\WinSoftware\PCheck.dll
C:\Program Files\Web Technologies
C:\Program Files\Web Technologies\myd.ico
C:\Program Files\Web Technologies\mym.ico
C:\Program Files\Web Technologies\myp.ico
C:\Program Files\Web Technologies\myv.ico
C:\Program Files\Web Technologies\ot.ico
C:\Program Files\Web Technologies\ts.ico
C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe
C:\WINNT\emdat.tm
C:\WINNT\emdat.tmp
C:\WINNT\regsvr.exe
C:\WINNT\SYSTEM32\238044
C:\WINNT\SYSTEM32\238044\238044.dll
C:\WINNT\system32\Cache
C:\WINNT\system32\Update.exe
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RDRIV
-------\Service_rdriv


((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-18 22:24 . 08-07-18 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-18 22:24 . 08-07-18 22:24 <DIR> d-------- C:\New Folder
2008-07-16 01:53 . 08-07-16 01:53 19,387 --a------ C:\WINNT\SYSTEM32\DRIVERS\AegisP.sys
2008-07-16 01:52 . 08-07-16 01:52 <DIR> d-------- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
2008-07-16 01:52 . 05-11-24 19:51 245,248 --a------ C:\WINNT\SYSTEM32\rt73.sys
2008-07-16 01:52 . 03-10-13 15:30 94,208 --a------ C:\WINNT\SYSTEM32\GTW32N50.dll
2008-07-16 01:52 . 05-11-03 17:41 32,768 --a------ C:\WINNT\SYSTEM32\GTGina.dll
2008-07-16 01:52 . 03-09-25 23:28 31,930 --a------ C:\WINNT\SYSTEM32\GTNDIS3.VXD
2008-07-16 01:52 . 05-02-01 18:18 17,992 --a------ C:\WINNT\SYSTEM32\DRIVERS\bcm42rly.sys
2008-07-16 01:52 . 05-02-01 18:18 17,992 --a------ C:\WINNT\SYSTEM32\bcm42rly.sys
2008-07-16 01:52 . 05-02-01 18:18 17,992 --a------ C:\WINNT\bcm42rly.sys
2008-07-16 01:52 . 03-09-25 22:15 15,872 --a------ C:\WINNT\SYSTEM32\GTNDIS5.sys
2008-07-16 01:52 . 05-12-06 04:24 7,846 --a------ C:\WINNT\SYSTEM32\rt73.cat
2008-07-16 01:51 . 08-07-16 01:51 1,361 --a------ C:\WINNT\SYSTEM32\WLAN.INI
2008-06-28 20:16 . 03-03-15 23:15 90,112 --a------ C:\WINNT\unvise32.exe
2008-06-28 12:05 . 08-06-28 12:05 <DIR> d-------- C:\WINNT\D45EC2594A194656B588C2C360DD18EA.TMP
2008-06-27 13:20 . 08-06-27 13:20 <DIR> d-------- C:\FOUND.000
2008-06-26 16:04 . 08-06-26 16:05 <DIR> d-------- C:\Program Files\DreamCatcher
2008-06-26 13:55 . 02-12-11 17:34 208,896 --a------ C:\WINNT\SYSTEM32\wmpns.dll
2008-06-26 13:19 . 08-06-26 13:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Dealio
2008-06-26 13:17 . 02-12-11 18:50 301,712 --a------ C:\WINNT\SYSTEM32\drmclien.dll
2008-06-26 13:17 . 02-12-11 17:34 82,432 --a------ C:\WINNT\SYSTEM32\drmstor.dll
2008-06-21 12:35 . 08-06-21 12:35 <DIR> d-------- C:\Program Files\AskSBar
2008-06-21 12:35 . 08-01-04 20:56 1,526,640 --a------ C:\WINNT\WRSetup.dll
2008-06-21 12:35 . 08-01-04 20:34 163,696 --a------ C:\WINNT\SYSTEM32\DRIVERS\ssidrv.sys
2008-06-21 12:35 . 08-01-04 20:34 23,920 --a------ C:\WINNT\SYSTEM32\DRIVERS\sskbfd.sys
2008-06-21 12:35 . 08-01-04 20:34 21,872 --a------ C:\WINNT\SYSTEM32\DRIVERS\sshrmd.sys
2008-06-21 12:35 . 08-01-04 20:34 20,336 --a------ C:\WINNT\SYSTEM32\DRIVERS\SSFS0BB9.sys
2008-06-21 12:33 . 08-06-21 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-19 20:11 . 08-06-19 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-19 20:10 . 08-06-19 20:54 141 --a------ C:\WINNT\My Video.url
2008-06-19 20:10 . 08-06-19 20:54 141 --a------ C:\WINNT\My Music.url

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 00:06 36,864 ----a-w C:\WINNT\uneng.exe
2008-06-03 20:46 --------- d-----w C:\Program Files\DVDVideoSoft
2008-06-03 20:46 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-06-03 00:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\IEPro
2008-06-03 00:04 --------- d-----w C:\Program Files\IEPro
2008-06-02 00:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-06-02 00:21 --------- d-----w C:\Program Files\LimeWire
2008-05-20 17:05 --------- d-----w C:\Program Files\Citrix
2008-05-20 17:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ICAClient
2005-07-27 20:13 277 ----a-w C:\Program Files\index.htm
2005-07-27 20:08 277 ----a-w C:\Program Files\Web Site 1.htm
2005-05-24 14:19 262,144 ----a-w C:\Program Files\Uninstall My Web Search.dll
2004-09-15 08:54 31,465 ------w C:\Program Files\2wconfig.dll
2004-09-15 08:52 393,216 ------w C:\Program Files\2PortalMon.exe
2004-09-15 08:51 290,816 ------w C:\Program Files\Uninstaller.exe
2004-09-15 08:51 163,840 ------w C:\Program Files\GoHomePortal.exe
2004-09-15 08:50 622,592 ------w C:\Program Files\WebWorks.exe
2004-09-15 08:50 180,224 ------w C:\Program Files\WCAG.exe
2004-09-15 08:50 167,936 ------w C:\Program Files\WirelessConsoleApp.exe
2004-09-15 08:49 135,168 ------w C:\Program Files\WebSec.dll
2004-09-15 08:48 364,544 ------w C:\Program Files\RGWProv.dll
2004-09-15 08:47 266,240 ------w C:\Program Files\NetAPI.dll
2004-09-15 08:47 139,264 ------w C:\Program Files\Endec.dll
2004-09-15 08:42 9,158 ------w C:\Program Files\Language.ini
2004-09-15 08:42 368,726 ------w C:\Program Files\PRISMAPI.dll
2004-09-15 08:42 3,157 ------w C:\Program Files\2wconfig.ini
2004-09-15 08:42 27,478 ------w C:\Program Files\SysTrayMenu_256.bmp
2004-09-15 08:42 208,993 ------w C:\Program Files\CardPres.exe
2001-04-10 12:58 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-04-10 12:58 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2000-07-26 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
2005-09-12 16:20 153,600 --sha-r C:\WINNT\SYSTEM32\ms-dos.pif
.

------- Sigcheck -------

01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\SYSTEM32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
08-06-21 12:35 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\SYSTEM32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [05-07-20 21:07 7110656]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [01-03-28 01:59 168013]
"SandIcon"="C:\ImageMate CompactFlash USB\SandIcon.Exe" [00-11-13 11:36 131072]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01-11-19 20:10 196608]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [05-05-14 00:20 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-06-14 17:49 98304]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [02-07-30 11:35 77824]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-07-17 21:08 180269]
"CreateCD"="C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe" [01-03-22 10:20 245760]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [08-01-04 20:56 5367664]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\SYSTEM32\mobsync.exe]
"nwiz"="nwiz.exe" [05-07-20 21:07 1519616 C:\WINNT\SYSTEM32\nwiz.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [01-08-23 11:23 45056 C:\WINNT\SYSTEM32\ico.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{99f8405b-63d1-421a-83bb-7b4b0642ac28}"= "C:\WINNT\system32\funfsnv.dll" [01-07-24 21:18 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R0 aaatimeo;aaatimeo;C:\WINNT\system32\DRIVERS\aaatimeo.sys [00-11-21 16:19 ]
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys [99-09-25 11:11 ]
R0 idebd;idebd;C:\WINNT\system32\DRIVERS\idebd.sys [00-05-30 00:00 ]
R0 intelata;intelata;C:\WINNT\system32\DRIVERS\intelata.sys [00-05-30 00:00 ]
R1 cmosa;cmosa;C:\WINNT\system32\DRIVERS\cmosa.sys [00-11-30 14:17 ]
R3 Winacpci;Winacpci;C:\WINNT\system32\DRIVERS\winacpci.sys [00-05-12 19:17 ]
S0 cda1000;cda1000;C:\WINNT\system32\DRIVERS\cda1000.sys [00-12-14 13:14 ]
S2 tcaicchg;tcaicchg;C:\WINNT\System32\tcaicchg.sys []
S3 pelmouse;Mouse Suite Driver;C:\WINNT\system32\DRIVERS\pelmouse.sys [01-01-09 16:49 ]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINNT\system32\DRIVERS\pelusblf.sys [01-10-08 11:46 ]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [03-06-19 12:05 ]
S3 WDCFX_AT;USB Storage Adapter FX_AT (WDC);C:\WINNT\system32\DRIVERS\WDCFX_AT.SYS [04-08-02 14:50 ]
S3 WlanUIG;2Wire 802.11g USB Driver;C:\WINNT\system32\DRIVERS\WlanUIG.sys [04-05-16 19:46 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WINP - C:\WINNT\winmic.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 00:08:40
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-19 0:12:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-19 05:12:28

Pre-Run: 19,383,517,184 bytes free
Post-Run: 21,480,964,096 bytes free

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:53 AM, on 7/19/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ICO.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe"
O4 - HKLM\..\Run: [SandIcon] "C:\ImageMate CompactFlash USB\SandIcon.Exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD] "C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe" -r
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: DigiChat Applet - http://host16.digich...s/Client_IE.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...16/sdcregie.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} - http://tb.searchitqu...com/v30/siq.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/p.../v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BB7084D-EF77-4D29-826E-39CFB64F4A92}: NameServer = 68.94.156.1,68.94.157.1
O22 - SharedTaskScheduler: eulogical - {99f8405b-63d1-421a-83bb-7b4b0642ac28} - C:\WINNT\system32\funfsnv.dll
O23 - Service: Cpmcatciipp - Dell Computer Corporation. - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 7643 bytes

#6 mshill1975 (Topic Starter)
I run Norton AntiVirus and Webroot Spy Sweeper; anything else you'd recommend to keep things running smoothly? You've been an incredible help, by the way.

-Matt

#7 loophole (Malware Expert, Retired Staff)
Hello. Let's get rid of that file and make sure nothing else is lurking.

Open Notepad and copy/paste the text below into it:


File::
C:\WINNT\system32\funfsnv.dll
Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{99f8405b-63d1-421a-83bb-7b4b0642ac28}"=-

Save this as CFScript.txt, in the same location as ComboFix.exe (desktop)

[image: CFScript.txt being dragged onto the ComboFix.exe icon on the desktop]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt
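The script above targets the one entry Norton could not remove: the O22 SharedTaskScheduler line in the HijackThis log. Explorer instantiates every CLSID under that key at logon, so the DLL is already mapped into explorer.exe by the time the real-time scanner tries to delete it, which is where the "Access denied" in post #1 comes from. ComboFix deletes the file and the registry value itself, and the File:: and Registry:: directives (with "=-" meaning "delete this value") tell it what to take. As an added example, not code from the thread, HijackThis or ComboFix, the Python below parses HijackThis 2.x log lines, flags the entries an analyst would look at first, and renders a CFScript in the same File::/Registry:: form for any O22 hit. The sample lines are copied from the log in post #3. The flagging rules (O22 entries whose DLL is not browseui.dll, orphaned CLSIDs, BHOs in numeric-named folders, Policies\Explorer\Run autostarts, O15 protocol defaults, services with no binary, IE search URLs pointing off the DEFAULT_IE_HOSTS list) are this example's own heuristics, not a vendor allowlist.

```python
"""Triage a HijackThis 2.x log and emit a ComboFix CFScript for any O22 hit.

Added example for this thread; not code from HijackThis, ComboFix or the
posters.  The flagging rules below are the author's own heuristics.  The
CFScript layout (File:: / Registry:: directives, "=-" to delete a value)
follows the script in post #7 of the thread.
"""
import re
from dataclasses import dataclass

# Sample input: lines copied verbatim from the log in post #3 (a constructed
# subset, not a full log).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {A49E097A-D6EF-4B2F-8B0F-1230E998587F} - C:\Program Files\Web Technologies\iebt.dll (file missing)
O2 - BHO: 238044 helper - {C0F371D7-926D-4700-B65E-63BFF1197205} - C:\WINNT\system32\238044\238044.dll
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Web Technologies\iebtm.exe
O4 - HKLM\..\Run: [WINP] C:\WINNT\winmic.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O22 - SharedTaskScheduler: eulogical - {99f8405b-63d1-421a-83bb-7b4b0642ac28} - C:\WINNT\system32\funfsnv.dll
O23 - Service: Cpmcatciipp - Dell Computer Corporation. - (no file)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Registry key behind an O22 line (as shown in ComboFix's "Reg Loading Points").
SHARED_TASK_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
# Hosts MSIE 6 uses for its stock search/start pages (assumption for this example).
DEFAULT_IE_HOSTS = ("microsoft.com", "msn.com")


@dataclass
class Finding:
    section: str
    line: str
    reason: str
    path: str = ""
    clsid: str = ""


def parse_entries(log_text):
    """Yield (section, body) for each 'Oxx - ...' / 'Rx - ...' line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return the entries an analyst would look at first, with a reason each."""
    findings = []
    for section, body in parse_entries(log_text):
        clsid_m = CLSID_RE.search(body)
        clsid = clsid_m.group(0) if clsid_m else ""
        # HijackThis separates name, CLSID and file with " - "; the file comes last.
        path = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
        if section == "O22":
            # Explorer loads every SharedTaskScheduler CLSID at logon, so the DLL
            # is mapped into explorer.exe and a real-time scanner cannot delete
            # it.  Stock Windows entries live in browseui.dll (assumption).
            if "browseui.dll" not in path.lower():
                findings.append(Finding(section, body, "non-stock DLL loaded by explorer.exe at logon", path, clsid))
        elif section in ("O2", "O3"):
            if path.endswith("(file missing)"):
                findings.append(Finding(section, body, "orphaned CLSID, file already gone", "", clsid))
            elif re.search(r"\\\d+\\\d+\.dll$", path, re.I):
                findings.append(Finding(section, body, "BHO in a numeric-named folder", path, clsid))
        elif section == "O4" and r"Policies\Explorer\Run" in body:
            findings.append(Finding(section, body, "Policies\\Explorer\\Run autostart, rarely used legitimately", body.split("] ", 1)[1]))
        elif section == "O15":
            findings.append(Finding(section, body, "protocol default moved into the Trusted Zone"))
        elif section == "O23" and path == "(no file)":
            findings.append(Finding(section, body, "service entry with no backing binary"))
        elif section in ("R0", "R1"):
            host_m = re.search(r"https?://([^/\s]+)", body)
            if host_m and not host_m.group(1).lower().endswith(DEFAULT_IE_HOSTS):
                findings.append(Finding(section, body, "IE search/start page points at " + host_m.group(1)))
    return findings


def build_cfscript(findings):
    """Render a CFScript that deletes each flagged O22 DLL and its CLSID value."""
    files, reg = [], []
    for f in findings:
        if f.section == "O22" and f.path and f.clsid:
            files.append(f.path)
            reg.append("[%s]\n\"%s\"=-" % (SHARED_TASK_KEY, f.clsid))
    if not files:
        return ""
    return "File::\n" + "\n".join(files) + "\nRegistry::\n" + "\n".join(reg) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print("%-4s %s\n     -> %s" % (f.section, f.line, f.reason))
    print("\n--- CFScript.txt ---\n" + build_cfscript(hits), end="")
```

Run it as a script to print the ranked findings and the generated CFScript.txt. The heuristics only rank entries; they do not prove anything malicious, so a person should still read the output before it is dragged onto ComboFix, exactly as the expert did by hand in this thread.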

#8 mshill1975 (Topic Starter)
ComboFix 08-07-18.1 - Administrator 07/19/2008 14:16:16.2 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.77 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\system32\funfsnv.dl
.

((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-19 14:16 . 08-07-19 14:16 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_41c.dat
2008-07-19 00:41 . 07-07-30 19:18 34,136 --a------ C:\WINNT\SYSTEM32\wucltui.dll.mui
2008-07-19 00:41 . 07-07-30 19:19 25,944 --a------ C:\WINNT\SYSTEM32\wuaucpl.cpl.mui
2008-07-19 00:41 . 07-07-30 19:19 25,944 --a------ C:\WINNT\SYSTEM32\wuapi.dll.mui
2008-07-19 00:41 . 07-07-30 19:18 20,312 --a------ C:\WINNT\SYSTEM32\wuaueng.dll.mui
2008-07-18 22:24 . 08-07-18 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-18 22:24 . 08-07-18 22:24 <DIR> d-------- C:\New Folder
2008-07-16 01:53 . 08-07-16 01:53 19,387 --a------ C:\WINNT\SYSTEM32\DRIVERS\AegisP.sys
2008-07-16 01:52 . 08-07-16 01:52 <DIR> d-------- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
2008-07-16 01:52 . 05-11-24 19:51 245,248 --a------ C:\WINNT\SYSTEM32\rt73.sys
2008-07-16 01:52 . 03-10-13 15:30 94,208 --a------ C:\WINNT\SYSTEM32\GTW32N50.dll
2008-07-16 01:52 . 05-11-03 17:41 32,768 --a------ C:\WINNT\SYSTEM32\GTGina.dll
2008-07-16 01:52 . 03-09-25 23:28 31,930 --a------ C:\WINNT\SYSTEM32\GTNDIS3.VXD
2008-07-16 01:52 . 05-02-01 18:18 17,992 --a------ C:\WINNT\SYSTEM32\DRIVERS\bcm42rly.sys
2008-07-16 01:52 . 05-02-01 18:18 17,992 --a------ C:\WINNT\SYSTEM32\bcm42rly.sys
2008-07-16 01:52 . 05-02-01 18:18 17,992 --a------ C:\WINNT\bcm42rly.sys
2008-07-16 01:52 . 03-09-25 22:15 15,872 --a------ C:\WINNT\SYSTEM32\GTNDIS5.sys
2008-07-16 01:52 . 05-12-06 04:24 7,846 --a------ C:\WINNT\SYSTEM32\rt73.cat
2008-07-16 01:51 . 08-07-16 01:51 1,361 --a------ C:\WINNT\SYSTEM32\WLAN.INI
2008-06-28 20:16 . 03-03-15 23:15 90,112 --a------ C:\WINNT\unvise32.exe
2008-06-28 12:05 . 08-06-28 12:05 <DIR> d-------- C:\WINNT\D45EC2594A194656B588C2C360DD18EA.TMP
2008-06-27 13:20 . 08-06-27 13:20 <DIR> d-------- C:\FOUND.000
2008-06-26 16:04 . 08-06-26 16:05 <DIR> d-------- C:\Program Files\DreamCatcher
2008-06-26 13:55 . 02-12-11 17:34 208,896 --a------ C:\WINNT\SYSTEM32\wmpns.dll
2008-06-26 13:19 . 08-06-26 13:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Dealio
2008-06-26 13:17 . 02-12-11 18:50 301,712 --a------ C:\WINNT\SYSTEM32\drmclien.dll
2008-06-26 13:17 . 02-12-11 17:34 82,432 --a------ C:\WINNT\SYSTEM32\drmstor.dll
2008-06-21 12:35 . 08-06-21 12:35 <DIR> d-------- C:\Program Files\AskSBar
2008-06-21 12:35 . 08-01-04 20:56 1,526,640 --a------ C:\WINNT\WRSetup.dll
2008-06-21 12:35 . 08-01-04 20:34 163,696 --a------ C:\WINNT\SYSTEM32\DRIVERS\ssidrv.sys
2008-06-21 12:35 . 08-01-04 20:34 23,920 --a------ C:\WINNT\SYSTEM32\DRIVERS\sskbfd.sys
2008-06-21 12:35 . 08-01-04 20:34 21,872 --a------ C:\WINNT\SYSTEM32\DRIVERS\sshrmd.sys
2008-06-21 12:35 . 08-01-04 20:34 20,336 --a------ C:\WINNT\SYSTEM32\DRIVERS\SSFS0BB9.sys
2008-06-21 12:33 . 08-06-21 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-19 20:11 . 08-06-19 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-19 20:10 . 08-06-19 20:54 141 --a------ C:\WINNT\My Video.url
2008-06-19 20:10 . 08-06-19 20:54 141 --a------ C:\WINNT\My Music.url

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 00:06 36,864 ----a-w C:\WINNT\uneng.exe
2008-06-03 20:46 --------- d-----w C:\Program Files\DVDVideoSoft
2008-06-03 20:46 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-06-03 00:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\IEPro
2008-06-03 00:04 --------- d-----w C:\Program Files\IEPro
2008-06-02 00:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-06-02 00:21 --------- d-----w C:\Program Files\LimeWire
2008-05-20 17:05 --------- d-----w C:\Program Files\Citrix
2008-05-20 17:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ICAClient
2005-07-27 20:13 277 ----a-w C:\Program Files\index.htm
2005-07-27 20:08 277 ----a-w C:\Program Files\Web Site 1.htm
2005-05-24 14:19 262,144 ----a-w C:\Program Files\Uninstall My Web Search.dll
2004-09-15 08:54 31,465 ------w C:\Program Files\2wconfig.dll
2004-09-15 08:52 393,216 ------w C:\Program Files\2PortalMon.exe
2004-09-15 08:51 290,816 ------w C:\Program Files\Uninstaller.exe
2004-09-15 08:51 163,840 ------w C:\Program Files\GoHomePortal.exe
2004-09-15 08:50 622,592 ------w C:\Program Files\WebWorks.exe
2004-09-15 08:50 180,224 ------w C:\Program Files\WCAG.exe
2004-09-15 08:50 167,936 ------w C:\Program Files\WirelessConsoleApp.exe
2004-09-15 08:49 135,168 ------w C:\Program Files\WebSec.dll
2004-09-15 08:48 364,544 ------w C:\Program Files\RGWProv.dll
2004-09-15 08:47 266,240 ------w C:\Program Files\NetAPI.dll
2004-09-15 08:47 139,264 ------w C:\Program Files\Endec.dll
2004-09-15 08:42 9,158 ------w C:\Program Files\Language.ini
2004-09-15 08:42 368,726 ------w C:\Program Files\PRISMAPI.dll
2004-09-15 08:42 3,157 ------w C:\Program Files\2wconfig.ini
2004-09-15 08:42 27,478 ------w C:\Program Files\SysTrayMenu_256.bmp
2004-09-15 08:42 208,993 ------w C:\Program Files\CardPres.exe
2001-04-10 12:58 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-04-10 12:58 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2000-07-26 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
2005-09-12 16:20 153,600 --sha-r C:\WINNT\SYSTEM32\ms-dos.pif
.

------- Sigcheck -------

01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\SYSTEM32\CTFMON.EXE
.
((((((((((((((((((((((((((((( snapshot@Sat 2008-07-19_ 0.11.38.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-05-26 09:16:24 75,544 ----a-w C:\WINNT\SYSTEM32\cdm.dll
+ 2007-07-31 00:19:20 92,504 ----a-w C:\WINNT\SYSTEM32\cdm.dll
- 2005-05-26 09:16:24 75,544 ----a-w C:\WINNT\SYSTEM32\dllcache\cdm.dll
+ 2007-07-31 00:19:20 92,504 ----a-w C:\WINNT\SYSTEM32\dllcache\cdm.dll
- 2005-05-26 09:16:30 124,184 ----a-w C:\WINNT\SYSTEM32\dllcache\wuauclt.exe
+ 2007-07-31 00:19:16 53,080 ----a-w C:\WINNT\SYSTEM32\dllcache\wuauclt.exe
- 2005-05-26 09:16:30 1,343,768 ----a-w C:\WINNT\SYSTEM32\dllcache\wuaueng.dll
+ 2007-07-31 00:19:42 1,712,984 ----a-w C:\WINNT\SYSTEM32\dllcache\wuaueng.dll
+ 2007-07-31 00:18:40 33,624 ----a-w C:\WINNT\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
+ 2007-07-31 00:19:12 43,352 ----a-w C:\WINNT\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\wups2.dll
- 2005-05-26 09:16:30 465,176 ----a-w C:\WINNT\SYSTEM32\wuapi.dll
+ 2007-07-31 00:19:36 549,720 ----a-w C:\WINNT\SYSTEM32\wuapi.dll
- 2005-05-26 09:16:30 124,184 ----a-w C:\WINNT\SYSTEM32\wuauclt.exe
+ 2007-07-31 00:19:16 53,080 ----a-w C:\WINNT\SYSTEM32\wuauclt.exe
- 2005-05-26 09:16:30 1,343,768 ----a-w C:\WINNT\SYSTEM32\wuaueng.dll
+ 2007-07-31 00:19:42 1,712,984 ----a-w C:\WINNT\SYSTEM32\wuaueng.dll
- 2005-05-26 09:16:30 127,256 ----a-w C:\WINNT\SYSTEM32\wucltui.dll
+ 2007-07-31 00:19:32 325,976 ----a-w C:\WINNT\SYSTEM32\wucltui.dll
- 2005-05-26 09:19:32 173,536 ----a-w C:\WINNT\SYSTEM32\wuweb.dll
+ 2007-07-31 00:19:28 203,096 ----a-w C:\WINNT\SYSTEM32\wuweb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
08-06-21 12:35 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\SYSTEM32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [05-07-20 21:07 7110656]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [01-03-28 01:59 168013]
"SandIcon"="C:\ImageMate CompactFlash USB\SandIcon.Exe" [00-11-13 11:36 131072]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01-11-19 20:10 196608]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [05-05-14 00:20 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-06-14 17:49 98304]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [02-07-30 11:35 77824]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-07-17 21:08 180269]
"CreateCD"="C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe" [01-03-22 10:20 245760]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [08-01-04 20:56 5367664]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\SYSTEM32\mobsync.exe]
"nwiz"="nwiz.exe" [05-07-20 21:07 1519616 C:\WINNT\SYSTEM32\nwiz.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [01-08-23 11:23 45056 C:\WINNT\SYSTEM32\ico.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R0 aaatimeo;aaatimeo;C:\WINNT\system32\DRIVERS\aaatimeo.sys [00-11-21 16:19 ]
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys [99-09-25 11:11 ]
R0 idebd;idebd;C:\WINNT\system32\DRIVERS\idebd.sys [00-05-30 00:00 ]
R0 intelata;intelata;C:\WINNT\system32\DRIVERS\intelata.sys [00-05-30 00:00 ]
R1 cmosa;cmosa;C:\WINNT\system32\DRIVERS\cmosa.sys [00-11-30 14:17 ]
R3 Winacpci;Winacpci;C:\WINNT\system32\DRIVERS\winacpci.sys [00-05-12 19:17 ]
S0 cda1000;cda1000;C:\WINNT\system32\DRIVERS\cda1000.sys [00-12-14 13:14 ]
S2 tcaicchg;tcaicchg;C:\WINNT\System32\tcaicchg.sys []
S3 pelmouse;Mouse Suite Driver;C:\WINNT\system32\DRIVERS\pelmouse.sys [01-01-09 16:49 ]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINNT\system32\DRIVERS\pelusblf.sys [01-10-08 11:46 ]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [03-06-19 12:05 ]
S3 WDCFX_AT;USB Storage Adapter FX_AT (WDC);C:\WINNT\system32\DRIVERS\WDCFX_AT.SYS [04-08-02 14:50 ]
S3 WlanUIG;2Wire 802.11g USB Driver;C:\WINNT\system32\DRIVERS\WlanUIG.sys [04-05-16 19:46 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 14:18:29
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-19 14:19:22
ComboFix-quarantined-files.txt 2008-07-19 19:19:12
ComboFix2.txt 2008-07-19 05:12:46

Pre-Run: 21,498,036,224 bytes free
Post-Run: 21,487,976,448 bytes free

175
  • 0

#9
mshill1975

mshill1975

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
OK....did that get rid of it?
  • 0
