
Showing the report from RootRepeal



#1
ENO123

    New Member

  • Member
  • 4 posts
Hello all, I don't know if I placed this in the right spot, so if I'm wrong please forgive me. I've downloaded RootRepeal and got the report.

Just to make things short: my Malwarebytes doesn't work and my Advanced SystemCare is cooked too,
my antivirus can't find anything wrong (I use Avira AntiVir, btw) and my internet avoids sites that help with viruses and spyware =/.

I get a lot of btcar sites and old session sites...
I don't know what the report is saying, but please help >_<

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/14 15:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF02E7000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7947000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF769F000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7b7f94e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7b7f944

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7b7f953

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7b7f95d

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7b7f962

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7b7f930

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7b7f935

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7b7f96c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7b7f967

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7b7f958

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7b7f93f

==EOF==

Edited by ENO123, 10 November 2009 - 01:39 PM.


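As an added example (not part of the thread and not RootRepeal's own code), a small Python script that parses the Drivers and SSDT sections of a report like the one above and summarises what they indicate: a driver image named with a ":n" suffix is loaded from an NTFS alternate data stream of that file rather than from the file itself, and a run of SSDT hooks attributed to "<unknown>" whose addresses lie within a few dozen bytes of each other points to one small hooking module rather than several independent drivers. The abridged report embedded in the script is copied from the first post; the 0x1000-byte clustering threshold is an assumption.

```python
"""Summarise rootkit indicators in a RootRepeal report (added example; not code from the thread or RootRepeal)."""
import re

# Abridged copy of the RootRepeal report from the first post.
REPORT = """\
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xF02E7000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\\WINDOWS\\win32k.sys:1
Address: 0xF7947000 Size: 20480 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7b7f930

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7b7f96c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7b7f93f

==EOF==
"""

DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+)\nImage Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
    r"File Visible: (?P<visible>\w+)")
HOOK_RE = re.compile(
    r"#: (?P<idx>\d+) Function Name: (?P<fn>\w+)\n"
    r'Status: Hooked by "(?P<mod>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)')

# The scanner hides its own unsigned driver; that one is expected.
SCANNER_DRIVERS = frozenset({"rootrepeal.sys"})

def parse_drivers(report):
    return [m.groupdict() for m in DRIVER_RE.finditer(report)]

def parse_hooks(report):
    return [{"index": int(m["idx"]), "function": m["fn"],
             "module": m["mod"], "address": int(m["addr"], 16)}
            for m in HOOK_RE.finditer(report)]

def driver_findings(drivers):
    """Drivers loaded from an NTFS alternate data stream or with no visible backing file."""
    findings = []
    for d in drivers:
        name = d["name"]
        if name.lower() in SCANNER_DRIVERS:
            continue
        if ":" in name:  # 'win32k.sys:1' is stream ':1' of win32k.sys, not the kernel module
            findings.append(f"{name}: loaded from an alternate data stream of {name.split(':')[0]}")
        if d["visible"].lower() == "no":
            findings.append(f"{name}: backing file not visible on disk")
    return findings

def hook_summary(hooks):
    """Group SSDT hooks by the module RootRepeal attributes them to, with address spread."""
    summary = {}
    for h in hooks:
        s = summary.setdefault(h["module"], {"functions": [], "low": h["address"], "high": h["address"]})
        s["functions"].append(h["function"])
        s["low"], s["high"] = min(s["low"], h["address"]), max(s["high"], h["address"])
    for s in summary.values():
        s["span"] = s["high"] - s["low"]
    return summary

def hook_findings(hooks, max_span=0x1000):
    """Hooks by an unnamed module, and hooks packed into one small code range (assumed threshold)."""
    findings = []
    for module, s in hook_summary(hooks).items():
        n = len(s["functions"])
        if module == "<unknown>":
            findings.append(f"{n} SSDT entries hooked by a module RootRepeal cannot identify: "
                            + ", ".join(sorted(s["functions"])))
        if n > 1 and s["span"] <= max_span:
            findings.append(f"{module}: {n} hook targets within {s['span']:#x} bytes "
                            f"({s['low']:#x}-{s['high']:#x}), i.e. one small stub table")
    return findings

def analyse(report):
    return driver_findings(parse_drivers(report)) + hook_findings(parse_hooks(report))
```

Calling `analyse(REPORT)` returns four findings for the embedded excerpt: two for the win32k.sys:1 stream driver and two for the clustered "<unknown>" hooks.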

#2
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hi

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3
ENO123

    New Member

  • Topic Starter
  • Member
  • 4 posts
Thanks for replying, I didn't expect such speed... Btw, I can't use the internet to get to this site, so I have to use my flash drive to get all the programs and transfer them over.
Here's what ComboFix gave me.



ComboFix 09-11-11.02 - Oney 10/16/2009 12:41.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.155 [GMT -7:00]
Running from: c:\documents and settings\Oney\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.

2009-10-14 21:40 . 2009-10-14 21:54 -------- d-----w- c:\windows\QS
2009-10-14 20:13 . 2009-10-14 20:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-14 20:07 . 2009-10-14 21:33 -------- d-----w- c:\program files\STOPzilla!
2009-10-14 20:07 . 2009-10-14 20:07 -------- d-----w- c:\program files\Common Files\iS3
2009-10-14 20:07 . 2009-10-14 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-14 09:32 . 2009-10-14 09:32 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-14 09:25 . 2009-10-14 09:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-14 08:41 . 2009-10-16 19:25 0 ----a-r- c:\windows\win32k.sys
2009-10-08 21:52 . 2007-07-19 07:40 264576 ----a-w- c:\windows\system32\drivers\RTL8187B.sys
2009-10-07 23:33 . 2009-10-07 23:33 152576 ----a-w- c:\documents and settings\Oney\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-09-18 07:25 . 2009-09-18 09:08 -------- d-----w- c:\program files\ElcomSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 19:34 . 2009-08-14 03:21 -------- d-----w- c:\documents and settings\Oney\Application Data\U3
2009-10-14 20:18 . 2009-10-14 20:18 432 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-11 11:17 . 2009-01-25 00:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 23:35 . 2009-02-24 21:04 -------- d-----w- c:\program files\Java
2009-10-06 00:05 . 2009-01-10 09:31 -------- d-----w- c:\program files\EuphRO
2009-09-18 09:30 . 2009-07-30 02:29 -------- d-----w- c:\program files\DivX
2009-09-18 09:19 . 2007-05-01 20:01 -------- d-----w- c:\program files\Microsoft Works
2009-09-12 00:12 . 2008-07-12 19:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-12 00:12 . 2008-07-12 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-12 00:11 . 2009-09-12 00:11 -------- d-----w- c:\documents and settings\Oney\Application Data\IObit
2009-09-12 00:11 . 2009-09-12 00:11 -------- d-----w- c:\program files\IObit
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 22:25 . 2009-09-03 22:25 -------- d-----w- c:\program files\Microsoft
2009-08-31 10:33 . 2009-08-28 01:59 1816264 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-29 08:08 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 16:52 . 2008-07-12 20:52 34776 ----a-w- c:\documents and settings\Oney\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 20:56 . 2008-04-14 17:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-26 20:53 . 2008-04-14 17:49 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-26 20:46 . 2009-08-26 20:46 -------- d-----w- c:\program files\MSECache
2009-08-26 20:35 . 2009-08-26 20:00 602 ----a-w- c:\documents and settings\MistaSpinnaz\Application Data\wklnhst.dat
2009-08-26 20:02 . 2009-08-26 20:02 -------- d-----w- c:\documents and settings\MistaSpinnaz\Application Data\Template
2009-08-26 19:51 . 2009-08-06 00:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 03:20 . 2009-02-15 06:15 -------- d-----w- c:\program files\TechSmith
2009-08-25 03:17 . 2009-08-25 03:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-23 07:33 . 2009-08-23 07:33 152576 ----a-w- c:\documents and settings\Oney\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-22 10:38 . 2009-08-22 10:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-17 22:47 . 2009-08-17 22:47 -------- d-----w- c:\program files\Gravity
2009-08-17 02:42 . 2009-07-21 01:47 34 ----a-w- c:\documents and settings\MistaSpinnaz\jagex_runescape_preferences.dat
2009-08-15 10:58 . 2009-08-15 10:58 29926 ----a-r- c:\documents and settings\Oney\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_18be6784.exe
2009-08-15 10:58 . 2009-08-15 10:58 29422 ----a-r- c:\documents and settings\Oney\Application Data\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_294823.exe
2009-08-12 21:13 . 2009-08-12 21:13 30888 ----a-w- c:\documents and settings\MistaSpinnaz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 02:24 . 2007-05-01 19:46 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2007-05-01 19:46 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2007-07-31 02:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2007-05-01 19:46 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2007-05-01 19:46 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2006-02-28 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2007-05-01 19:46 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2009-01-24 03:42 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2009-01-24 03:42 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2007-05-01 19:46 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 05:18 . 2009-05-21 06:06 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:44 . 2006-02-28 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-26 23:44 . 2009-07-26 23:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 344064]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-08-09 577536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MediaKey.lnk - c:\program files\MediaKey\MagicRun.exe [2007-5-3 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [5/3/2007 12:50 PM 11889]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/2/2009 12:31 PM 108289]
R3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [10/8/2009 2:52 PM 264576]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Oney\Application Data\Mozilla\Firefox\Profiles\fojqvox5.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Toolbar-SITEguard - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-16 12:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3508)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-16 12:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-16 19:58

Pre-Run: 55,579,422,720 bytes free
Post-Run: 59,385,421,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 8B08C94235BAD21076F8C30B15036E64

Edited by ENO123, 12 November 2009 - 02:59 PM.


#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hi



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DirLook::
c:\windows\QS

File::
c:\windows\win32k.sys


Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#5
ENO123

    New Member

  • Topic Starter
  • Member
  • 4 posts
Here's what I got for ya, sorry for the delay.


ComboFix 09-11-11.02 - Oney 11/14/2009 19:39.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.126 [GMT -8:00]
Running from: c:\documents and settings\Oney\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Oney\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point

FILE ::
"c:\windows\win32k.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\win32k.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 19:34 . 2009-08-14 03:21 -------- d-----w- c:\documents and settings\Oney\Application Data\U3
2009-10-14 21:33 . 2009-10-14 20:07 -------- d-----w- c:\program files\STOPzilla!
2009-10-14 21:33 . 2009-10-14 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-14 20:52 . 2009-10-14 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-14 20:18 . 2009-10-14 20:18 432 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-14 20:07 . 2009-10-14 20:07 -------- d-----w- c:\program files\Common Files\iS3
2009-10-11 11:17 . 2009-01-25 00:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 23:35 . 2009-02-24 21:04 -------- d-----w- c:\program files\Java
2009-10-07 23:33 . 2009-10-07 23:33 152576 ----a-w- c:\documents and settings\Oney\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-06 00:05 . 2009-01-10 09:31 -------- d-----w- c:\program files\EuphRO
2009-09-18 09:30 . 2009-07-30 02:29 -------- d-----w- c:\program files\DivX
2009-09-18 09:19 . 2007-05-01 20:01 -------- d-----w- c:\program files\Microsoft Works
2009-09-18 09:08 . 2009-09-18 07:25 -------- d-----w- c:\program files\ElcomSoft
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 10:33 . 2009-08-28 01:59 1816264 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-29 08:08 . 2006-02-28 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-27 16:52 . 2008-07-12 20:52 34776 ----a-w- c:\documents and settings\Oney\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 20:35 . 2009-08-26 20:00 602 ----a-w- c:\documents and settings\MistaSpinnaz\Application Data\wklnhst.dat
2009-08-26 19:51 . 2009-08-06 00:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-23 07:33 . 2009-08-23 07:33 152576 ----a-w- c:\documents and settings\Oney\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\QS ----

2009-10-14 21:50 . 2009-10-14 21:50 327680 ----a-w- c:\windows\QS\BACKUP\7d9aee322b2900.bup
2009-10-14 21:49 . 2009-10-14 21:54 1242 ----a-w- c:\windows\QS\LOGS\LASTLOG.TXT
2009-10-14 21:46 . 2009-10-14 21:49 53621788 ----a-w- c:\windows\QS\DAT\mferuntime.dat
2009-10-14 21:46 . 2009-10-14 21:54 1246 ----a-w- c:\windows\QS\LOGS\LOG.TXT
2009-10-14 21:46 . 2009-10-14 21:48 3537493 ----a-w- c:\windows\QS\DAT\avvclean.dat
2009-10-14 21:46 . 2009-10-14 21:48 1531869 ----a-w- c:\windows\QS\DAT\avvnames.dat
2009-10-14 21:46 . 2009-10-14 21:48 81640133 ----a-w- c:\windows\QS\DAT\avvscan.dat
2009-10-14 21:40 . 2009-06-17 20:54 3116365 ----a-w- c:\windows\QS\QS.EXE
2009-06-03 09:40 . 2009-06-03 09:40 5644 ----a-w- c:\windows\QS\ENGINE\config.dat
2009-06-03 09:40 . 2009-06-03 09:40 3170424 ----a-w- c:\windows\QS\ENGINE\mcscan32.dll


((((((((((((((((((((((((((((( SnapShot@2009-10-16_19.53.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 02:41 . 2009-07-12 02:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2009-11-15 03:48 . 2009-11-15 03:48 16384 c:\windows\Temp\Perflib_Perfdata_6b4.dat
+ 2006-02-28 12:00 . 2009-11-15 03:53 67516 c:\windows\system32\perfc009.dat
- 2006-02-28 12:00 . 2009-09-18 09:34 67516 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2009-11-15 03:53 432686 c:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2009-09-18 09:34 432686 c:\windows\system32\perfh009.dat
+ 2007-05-01 12:37 . 2009-10-19 03:28 169096 c:\windows\system32\FNTCACHE.DAT
- 2007-05-01 12:37 . 2009-08-26 21:41 169096 c:\windows\system32\FNTCACHE.DAT
+ 2009-10-17 07:15 . 2009-10-17 07:15 248832 c:\windows\Installer\2721cde.msi
+ 2006-02-28 12:00 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2009-01-08 07:56 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2009-01-10 07:37 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 344064]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-08-09 577536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MediaKey.lnk - c:\program files\MediaKey\MagicRun.exe [2007-5-3 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [5/3/2007 11:50 AM 11889]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/2/2009 11:31 AM 108289]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [10/8/2009 1:52 PM 264576]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Oney\Application Data\Mozilla\Firefox\Profiles\fojqvox5.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 19:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3884)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-15 19:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-15 03:56
ComboFix2.txt 2009-10-16 19:58

Pre-Run: 59,271,548,928 bytes free
Post-Run: 59,258,560,512 bytes free

- - End Of File - - B6526DB8AC5921DB32BB3B02BD6833FE

#6
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
And the other logs.

#7
ENO123

    New Member

  • Topic Starter
  • Member
  • 4 posts
What other logs?

#8
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
MBAM and Kaspersky in my above post.