My system has been free of viruses for a long time, but lately my system seems to have been infected with a virus. AVG popped up today when I switched on my computer: Trojan Horse Generic_c.WPY. This was the virus that I saw. The files infected are c:\WINDOWS\backupuser.exe and some java.exe files. I really need some help!
Regards and thanks a lot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:03 PM, on 9/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\HJT\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....gitCheckError=3
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dimondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalga...ffyLauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Windows_XP - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\backupuser.exe (file missing)
--
End of file - 7060 bytes
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/19/2008 at 06:14 PM
Application Version : 4.21.1004
Core Rules Database Version : 3573
Trace Rules Database Version: 1561
Scan type : Quick Scan
Total Scan Time : 00:19:04
Memory items scanned : 404
Memory threats detected : 0
Registry items scanned : 330
Registry threats detected : 29
File items scanned : 5308
File threats detected : 28
Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_oreans32
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\ControlSet003\Enum\Root\LEGACY_oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance
Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]lick.txt
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
C:\Documents and Settings\Administrator\Cookies\[email protected]
ComboFix 08-09-16.05 - Administrator 2008-09-19 18:19:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.572 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\WINDOWS\help\svchost.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 )))))))))))))))))))))))))))))))
.
2008-09-19 17:51 . 2008-09-19 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-19 17:50 . 2008-09-19 17:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-19 17:50 . 2008-09-19 17:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-09-19 17:44 . 2008-09-19 17:44 <DIR> d-------- C:\HJT
2008-09-19 17:35 . 2008-09-19 17:36 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-09-19 17:35 . 2008-09-19 17:35 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-17 13:52 . 2008-09-17 13:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sports Interactive
2008-09-16 01:09 . 2008-09-16 01:09 1,094 --a------ C:\WINDOWS\system32\080916.hlp
2008-09-16 00:11 . 2008-09-16 00:11 8 --a------ C:\WINDOWS\system32\080915.hlp
2008-09-14 22:20 . 2008-09-14 22:23 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-09-14 22:20 . 2008-09-17 13:51 <DIR> d-------- C:\Program Files\Sports Interactive
2008-09-14 22:19 . 2008-09-14 22:19 <DIR> d--h----- C:\Documents and Settings\Administrator\InstallAnywhere
2008-09-07 16:53 . 2008-09-07 16:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-06 21:57 . 2008-09-06 22:24 1,464 --a------ C:\WINDOWS\system32\080906.hlp
2008-09-06 13:07 . 2006-08-23 20:00 444,096 --a------ C:\WINDOWS\update_java32.exe
2008-09-05 23:04 . 2008-09-05 23:04 244 --ah----- C:\sqmnoopt00.sqm
2008-09-05 23:04 . 2008-09-05 23:04 232 --ah----- C:\sqmdata00.sqm
2008-09-04 23:12 . 2008-05-09 18:53 512,000 -----c--- C:\WINDOWS\system32\dllcache\jscript.dll
2008-09-04 23:12 . 2008-05-09 18:53 430,080 -----c--- C:\WINDOWS\system32\dllcache\vbscript.dll
2008-09-04 23:12 . 2008-07-08 04:26 253,952 -----c--- C:\WINDOWS\system32\dllcache\es.dll
2008-09-04 23:12 . 2008-05-09 18:53 180,224 -----c--- C:\WINDOWS\system32\dllcache\scrobj.dll
2008-09-04 23:12 . 2008-05-09 18:53 172,032 -----c--- C:\WINDOWS\system32\dllcache\scrrun.dll
2008-09-04 23:12 . 2008-05-08 19:24 155,648 -----c--- C:\WINDOWS\system32\dllcache\wscript.exe
2008-09-04 23:12 . 2008-05-09 16:45 135,168 -----c--- C:\WINDOWS\system32\dllcache\cscript.exe
2008-09-04 23:12 . 2008-05-09 18:53 90,112 -----c--- C:\WINDOWS\system32\dllcache\wshext.dll
2008-09-04 23:12 . 2008-06-25 00:43 74,240 -----c--- C:\WINDOWS\system32\dllcache\mscms.dll
2008-09-04 23:11 . 2008-06-26 16:15 1,499,136 -----c--- C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-09-04 23:11 . 2008-06-26 16:15 619,520 -----c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2008-09-04 23:07 . 2008-04-12 03:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-04 23:07 . 2008-05-01 22:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-04 23:06 . 2008-06-20 19:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-09-04 23:06 . 2008-06-21 01:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-09-04 23:06 . 2008-06-20 19:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-09-04 23:06 . 2008-06-21 01:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-09-04 23:06 . 2008-06-20 19:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-09-04 23:03 . 2004-08-04 06:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-03 23:03 . 2008-09-03 23:03 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-03 23:03 . 2008-09-03 23:03 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-03 23:03 . 2008-09-03 23:03 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-03 23:00 . 2008-09-03 23:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-02 23:58 . 2004-08-17 20:00 1,884,160 -rahs---- C:\System Volume Information.exe
2008-09-02 01:14 . 2008-09-02 01:14 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-09-02 01:14 . 2008-09-02 01:14 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-09-02 00:14 . 2008-09-02 00:14 <DIR> d-------- C:\Program Files\KONAMI
2008-08-31 22:01 . 2008-08-31 22:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-08-28 15:40 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-08-28 15:40 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-08-28 15:40 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-08-28 15:40 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-08-28 15:40 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-08-28 15:40 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-08-28 15:40 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-08-28 15:40 . 2006-12-08 12:02 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2008-08-28 15:40 . 2006-09-28 16:05 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2008-08-28 15:40 . 2007-03-05 12:42 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2008-08-28 15:33 . 2008-08-30 23:39 <DIR> d-------- C:\singtelsim
2008-08-20 23:01 . 2008-08-20 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IJJIGame
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 09:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-09-19 09:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-18 19:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2008-09-18 17:05 --------- d-----w C:\Program Files\mIRC
2008-09-18 16:51 --------- d-----w C:\Program Files\Warcraft III
2008-09-17 11:57 --------- d-----w C:\Program Files\Steam
2008-09-10 10:42 --------- d-----w C:\Program Files\Octoshape Streaming Services
2008-09-10 10:41 --------- d-----w C:\Program Files\Bonjour
2008-09-10 10:41 --------- d-----w C:\Program Files\AC Tool
2008-09-08 03:56 --------- d-----w C:\Program Files\Temp
2008-09-04 15:06 --------- d-----w C:\Program Files\MSN Messenger
2008-09-01 16:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-30 05:11 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-29 09:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-08-20 17:12 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\ijjigame
2008-08-18 12:33 --------- d-----w C:\Program Files\NHN USA
2008-08-13 15:33 --------- d-----w C:\Program Files\Java
2008-08-12 15:42 --------- d-----w C:\Program Files\PHM
2008-08-12 09:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-12 08:28 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-08-09 15:26 --------- d-----w C:\Program Files\tsk
2008-08-06 17:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Joost
2008-08-05 13:24 --------- d-----w C:\Program Files\FlashGet
2008-08-05 13:22 --------- d-----w C:\Program Files\GamesCampus
2008-08-02 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2008-07-27 10:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Hamachi
2008-07-27 08:30 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-07-26 09:17 65,536 ----a-w C:\WINDOWS\IFinst27.exe
2008-07-26 04:06 --------- d-----w C:\Program Files\Neffy
2008-07-18 14:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 14:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 14:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 14:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 14:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 14:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 14:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 14:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 14:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 14:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-04 08:44 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 8466432]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 81920]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2006-09-27 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"Dimondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-01-18 147456]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 1235736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]
"nwiz"="nwiz.exe" [2007-06-29 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 C:\WINDOWS\soundman.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-04 06:29 165784 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-06 10:56 1271032 C:\Program Files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Documents and Settings\\Administrator\\Desktop\\Lancraft_1.01b.exe"=
"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"C:\\Program Files\\Temp\\BackgroundDownloader.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\half-life\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\day of defeat\\hl.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"36099:TCP"= 36099:TCP:Utorrent1
"36099:UDP"= 36099:UDP:Utorrent2
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 875288]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 76040]
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 13225]
S2 Windows_XP;Windows_XP;C:\Program Files\Common Files\Microsoft Shared\MSINFO\backupuser.exe [ ]
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ab89249-469c-11dd-9ebf-0013d3da3906}]
\Shell\Auto\command - K:\backupuser.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL backupuser.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b29c3b5-352b-11dd-9ea8-0013d3da3906}]
\Shell\Auto\command - K:\backupuser.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL backupuser.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc04ba82-5060-11dc-8d91-0013d3da3906}]
\Shell\AutoRun\command - K:\
\Shell\explore\Command - RECYCLED\INFO.exe
\Shell\open\Command - RECYCLED\INFO.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
Notify-WgaLogon - (no file)
MSConfigStartUp-MP3 CD Extractor - C:\Program Files\MP3 CD Extractor\CD-Extractor.exe
MSConfigStartUp-Octoshape Streaming Services - C:\Program Files\Octoshape Streaming Services\Administrator\OctoshapeClient.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hddql6ty.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF -: plugin - C:\Program Files\Octoshape Streaming Services\Administrator\octoprogram-L03-NMS0806110_SUA_900\npoctoshape.dll
FF -: plugin - C:\Program Files\Octoshape Streaming Services\Administrator\octoprogram-L03-NMS0806260_SUA_000\npoctoshape.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 18:27:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-09-19 18:40:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-19 10:39:44
Pre-Run: 25,364,602,880 bytes free
Post-Run: 26,036,699,136 bytes free
265 --- E O F --- 2008-09-12 15:17:01