worm.win32.netsky
#1
hixyousuck
I have Webroot AntiVirus with Spysweeper. I've run that a few times and got different types of trojan viruses, malware and rogue antiviruses. The sweep could never finish because it got to a certain file/folder and wouldn't continue progress. It is called drwtsn32.log. Now, when I turn the computer on I get a message saying that my computer is infected with worm.win32.netsky and it describes the worm and tells me to run a full system scan. My desktop background is black and green with big, bold, red letters saying my system is infected. I've followed all the steps in the malware and spyware cleaning guide. MBAM won't run; it says Windows cannot locate the file. I've tried saving it under another name and it said the same thing. RootRepeal won't start up. It shows a gray box saying initializing, and then stalls the computer. I was trying to get my OTL log and when it was scanning "NetSvcs settings" it stalls and says it's not responding. I'm not sure what to do from here; help would be greatly appreciated.


EDIT
I know this probably wasn't the best idea ever, but since nothing in the cleaning guide was working, I decided to run ComboFix and LopSD. I had seen it on another post, and I'm not sure if I did more harm than good. The worm message and rogue security systems are gone and the desktop no longer has the warning, but I believe things are still infected. MBAM still won't start. It's telling me the same thing. As well as RootRepeal and OTL. I'm going to post the logs I got from ComboFix and LopSD; hopefully this will be some help. Thanks!


ComboFix

ComboFix 09-11-29.06 - Colleen 11/30/2009 6:25.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.510.222 [GMT -5:00]
Running from: c:\documents and settings\Colleen\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Colleen\Application Data\02000000bd87e325573C.manifest
c:\documents and settings\Colleen\Application Data\02000000bd87e325573O.manifest
c:\documents and settings\Colleen\Application Data\02000000bd87e325573P.manifest
c:\documents and settings\Colleen\Application Data\02000000bd87e325573S.manifest
c:\documents and settings\Colleen\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\Colleen\Desktop\Advanced Virus Remover.lnk
c:\documents and settings\Colleen\Local Settings\Application Data\{95A94777-F5F8-4C78-A0B5-08E7D1969146}
c:\documents and settings\Colleen\Local Settings\Application Data\{95A94777-F5F8-4C78-A0B5-08E7D1969146}\chrome.manifest
c:\documents and settings\Colleen\Local Settings\Application Data\{95A94777-F5F8-4C78-A0B5-08E7D1969146}\chrome\content\_cfg.js
c:\documents and settings\Colleen\Local Settings\Application Data\{95A94777-F5F8-4C78-A0B5-08E7D1969146}\chrome\content\c.js
c:\documents and settings\Colleen\Local Settings\Application Data\{95A94777-F5F8-4C78-A0B5-08E7D1969146}\chrome\content\overlay.xul
c:\documents and settings\Colleen\Local Settings\Application Data\{95A94777-F5F8-4C78-A0B5-08E7D1969146}\install.rdf
c:\documents and settings\Colleen\Start Menu\Advanced Virus Remover.lnk
c:\documents and settings\Marty\Favorites\Online Security Test.url
c:\progra~1\Webroot\SPYSWE~1\Backup\ntSVc.ocx
c:\program files\AskSearch\bin\DeFAultsearch.dll
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\fbstoolbar.manifest
c:\program files\Fast Browser Search\icons.bmp
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\basis_br.xml
c:\program files\Fast Browser Search\IE\basis_de.xml
c:\program files\Fast Browser Search\IE\basis_en.xml
c:\program files\Fast Browser Search\IE\basis_es.xml
c:\program files\Fast Browser Search\IE\basis_fr.xml
c:\program files\Fast Browser Search\IE\basis_it.xml
c:\program files\Fast Browser Search\IE\basis_nr.xml
c:\program files\Fast Browser Search\IE\basis_pt.xml
c:\program files\Fast Browser Search\IE\basis_ru.xml
c:\program files\Fast Browser Search\IE\basis_tr.xml
c:\program files\Fast Browser Search\IE\BHO.dll
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\FBSPlugin.dll
c:\program files\Fast Browser Search\IE\fbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
c:\program files\Fast Browser Search\IE\tbhelper.dll
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\uninstalSGP.exe
c:\program files\Fast Browser Search\IE\version.txt
c:\program files\Fast Browser Search\info.txt
c:\program files\Fast Browser Search\local.xml
c:\program files\Fast Browser Search\logobg.bmp
c:\program files\Fast Browser Search\MTWBtoolbar.html
c:\program files\Fast Browser Search\search.bmp
c:\program files\Fast Browser Search\search_br.bmp
c:\program files\Fast Browser Search\search_de.bmp
c:\program files\Fast Browser Search\search_es.bmp
c:\program files\Fast Browser Search\search_fr.bmp
c:\program files\Fast Browser Search\search_it.bmp
c:\program files\Fast Browser Search\search_pt.bmp
c:\program files\Fast Browser Search\search_ru.bmp
c:\program files\Fast Browser Search\SearchGuardPlus.ico
c:\program files\Fast Browser Search\SGPU.ico
c:\program files\INSTALL.LOG
c:\program files\Need2Find
c:\program files\Need2Find\bar\1.bin\N2FFXTBR.JAR
c:\program files\Need2Find\bar\1.bin\N2NTSTBR.JAR
c:\program files\Need2Find\bar\1.bin\PARTNER.DAT
c:\program files\Need2Find\bar\Cache\00126104
c:\program files\Need2Find\bar\Cache\00176C66
c:\program files\Need2Find\bar\Cache\files.ini
c:\program files\Need2Find\bar\History\search
c:\program files\Need2Find\bar\Settings\prevcfg.htm
c:\program files\SGPSA
c:\program files\SGPSA\BHO.dll
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\ezurudafiq.vbs
c:\windows\fanajoxata.dll
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\GnuHashes.ini
c:\windows\ivysy.reg
c:\windows\juwahur.inf
c:\windows\msa.exe
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys
c:\windows\system32\11478.exe
c:\windows\system32\116411297.dat
c:\windows\System32\12520850y.exe
c:\windows\system32\14502.exe
c:\windows\system32\14938.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17347.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\19181.exe
c:\windows\system32\19486.exe
c:\windows\system32\21091.exe
c:\windows\system32\21101.exe
c:\windows\system32\215651
c:\windows\system32\21687.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26846.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\31981.exe
c:\windows\system32\32009.exe
c:\windows\system32\32719.exe
c:\windows\system32\3858.exe
c:\windows\system32\407.exe
c:\windows\system32\41.exe
c:\windows\system32\4186.exe
c:\windows\system32\5287.exe
c:\windows\system32\5520.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\certstore.dat
c:\windows\system32\critical_warning.html
c:\windows\system32\Data
c:\windows\system32\dewukobe.dll
c:\windows\system32\fawuruvo.dll
c:\windows\system32\ganafihe.dll
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\icekafi.reg
c:\windows\system32\jeribejo.dll
c:\windows\system32\kabifoti.dll
c:\windows\system32\kilatape.dll
c:\windows\system32\kisafigu.dll
c:\windows\system32\labesina.dll
c:\windows\system32\ludotoja.dll
c:\windows\system32\mikasova.dll
c:\windows\system32\pagifali.dll
c:\windows\system32\polelure.dll
c:\windows\system32\vopeside.dll
c:\windows\system32\wavemile.dll
c:\windows\system32\wibotelo.dll
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winupdate86.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\Tasks\wlqsipev.job
C:\xcrashdump.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://82.98.231.102
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_HIDSERVNLA
-------\Service_6to4
-------\Service_HidServNla


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-30 11:22 . 2009-11-30 11:22 -------- d-sha-r- \cmdcons
2009-11-30 11:19 . 2009-11-30 11:41 -------- d-----w- \ComboFix
2009-11-30 11:19 . 2009-11-30 11:40 -------- d-----w- \Qoobox
2009-11-30 09:18 . 2009-11-30 09:18 -------- d-----w- c:\documents and settings\Colleen\Application Data\Malwarebytes
2009-11-30 09:17 . 2009-11-30 11:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 20:33 . 2009-11-27 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-27 01:21 . 2009-11-27 01:21 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft
2009-11-25 20:55 . 2009-11-25 20:55 -------- d-----w- c:\program files\Common Files\AlphaAntUninstall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 10:50 . 2006-01-18 22:26 -------- d-----w- c:\documents and settings\Colleen\Application Data\Plaxo
2009-11-27 16:04 . 2009-04-09 00:46 164 -c--a-w- c:\windows\install.dat
2009-11-10 07:39 . 2005-12-31 21:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-06 20:19 . 2007-07-26 01:12 1563008 ----a-w- c:\windows\WRSetup.dll
2009-10-19 03:44 . 2009-10-19 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2008-09-07 05:58 . 2008-09-07 05:58 19822 ----a-w- c:\program files\Common Files\decekiku.sys
2009-08-28 22:00 . 2009-08-28 22:00 3 --sha-w- c:\windows\system32\berikeki.dll
2009-08-28 22:00 . 2009-08-28 22:00 54272 --sha-w- c:\windows\system32\defisebe.dll
2009-08-29 22:00 . 2009-08-29 22:00 61440 --sha-w- c:\windows\system32\denekilo.dll
2007-04-03 02:23 . 2007-04-03 02:23 848 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-28 22:00 . 2009-08-28 22:00 3 --sha-w- c:\windows\system32\ronigofu.dll
2009-08-29 10:03 . 2009-08-29 10:03 53760 --sha-w- c:\windows\system32\vopereso.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{417a9748-a6b2-490c-bd3e-6f7ada97c3b3}]
2009-08-29 10:03 53760 --sha-w- c:\windows\system32\vopereso.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-04-06 17:26 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-11-15 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 270336]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Event Reminder.lnk - c:\program files\PrintMaster 16\pmremind.exe [2004-1-20 339968]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2/13/2009 12:25 AM 1201640]
S2 Zwangi Service;Zwangi Service;"c:\documents and settings\All Users\Application Data\Zwangi\zwangi110.exe" "c:\program files\Zwangi\zwangi.dll" Service --> c:\documents and settings\All Users\Application Data\Zwangi\zwangi110.exe [?]
S3 daqdrv;daqdrv;\??\c:\windows\System32\daqdrv.sys --> c:\windows\System32\daqdrv.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\System32\GameMon.des -service --> c:\windows\System32\GameMon.des -service [?]
S3 z520bus;Sony Ericsson 520 driver (WDM);c:\windows\system32\drivers\z520bus.sys [7/26/2005 1:13 PM 57648]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;c:\windows\system32\drivers\z520mdfl.sys [7/26/2005 1:15 PM 8336]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;c:\windows\system32\drivers\z520mdm.sys [7/26/2005 1:15 PM 93488]
S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;c:\windows\system32\drivers\z520mgmt.sys [7/26/2005 1:16 PM 84928]
S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\z520obex.sys [7/26/2005 1:18 PM 82864]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\System32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://kl.bar.need2f...earch.html?p=KL
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Colleen\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: {C8DF9384-CA62-4D74-8BDD-FAAAFD370066} = 83.149.115.182
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {1011E032-5CF3-4795-B751-3AA5E008CCA6} - hxxp://download.verizon.net/sfp/Cabs/max_update/VOLUpdate_1-0-0.cab
DPF: {36A4B20A-2B75-4101-86CE-F9B03CA4B91C} - hxxp://bgweb.nowcdn.co.kr/bin/DownStarter.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - c:\documents and settings\Colleen\Application Data\Mozilla\Firefox\Profiles\g8gxms79.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Aim6 - c:\program files\AIM6\aim6.exe
HKCU-Run-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKCU-RunServices-Windows Security Service - pgyoe.exe
HKLM-Run-ydvpnemv - c:\documents and settings\Owner\Local Settings\Application Data\feesdc\fogxsysguard.exe
HKLM-Run-iysiywdr - c:\documents and settings\Owner\Local Settings\Application Data\wgbfyw\ysgssysguard.exe
HKLM-Run-vugiguges - c:\windows\system32\ludotoja.dll
HKLM-Run-nolemahalo - wavemile.dll
HKU-Default-Run-Windows Security Service - pgyoe.exe
HKU-Default-RunServices-Windows Security Service - pgyoe.exe
SharedTaskScheduler-{d112306e-5ddd-48d0-8aa4-b350b23c241a} - c:\windows\system32\tepidike.dll
SharedTaskScheduler-{7cbe72d6-3dcd-4bbc-994b-fda8b95dd4fe} - c:\windows\system32\ludotoja.dll
SSODL-mizemabey-{d112306e-5ddd-48d0-8aa4-b350b23c241a} - c:\windows\system32\tepidike.dll
SSODL-gowalonuz-{7cbe72d6-3dcd-4bbc-994b-fda8b95dd4fe} - c:\windows\system32\ludotoja.dll
Notify-90cbf6d5573 - c:\windows\System32\iasnap32.dll
Notify-__c00F9104 - c:\windows\System32\__c00F9104.dat



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 06:40
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82339618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85acaac
\Driver\ACPI -> ACPI.sys @ 0xf84f1740
\Driver\atapi -> atapi.sys @ 0xf846603c
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8058e444
ParseProcedure -> ntoskrnl.exe @ 0x8055a85b
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8058e444
ParseProcedure -> ntoskrnl.exe @ 0x8055a85b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\System32\GameMon.des -service"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\smss.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\windows\System32\svchost.exe
c:\windows\System32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\spoolsv.exe
c:\windows\system32\LEXPPS.EXE
c:\windows\System32\alg.exe
c:\windows\System32\CTsvcCDA.EXE
c:\windows\System32\svchost.exe
c:\windows\System32\wdfmgr.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\rundll32.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
.
**************************************************************************
.
Completion time: 2009-11-30 06:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-30 11:51

Pre-Run: 7,934,992,384 bytes free
Post-Run: 7,925,940,224 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - 3F7E109BC74E99669A5187861B4F310C

LopSD

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 1
X86-based PC ( Uniprocessor Free : Intel® Pentium® 4 CPU 2.80GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A10
USER : Colleen ( Administrator )
BOOT : Normal boot
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:33 Go (Free:7 Go)
D:\ (CD or DVD)
E:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Mon 11/30/2009| 6:58 )

--------------------\\ Listing folders in APPLIC~1

[03/29/2007|11:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[02/22/2008|11:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[06/19/2009|01:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL Downloads
[02/24/2007|01:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL OCP
[09/27/2007|05:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[07/05/2007|10:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[04/18/2008|06:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BearShare Applications
[03/02/2006|10:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Broderbund Software
[12/31/2005|04:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BVRP Software
[06/23/2009|02:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[10/13/2007|08:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HipSoft
[01/19/2006|11:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Intuit
[11/27/2009|03:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[10/09/2007|12:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[01/12/2007|07:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Motive
[07/05/2007|02:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Mozilla
[01/01/2006|03:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> MSN6
[09/28/2008|03:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NeoEdge Networks
[03/02/2006|11:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Riverdeep Interactive Learning Limited
[12/24/2006|04:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SpinTop Games
[04/11/2008|12:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP
[08/07/2006|01:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Trymedia
[08/29/2009|05:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Viewpoint
[02/13/2009|12:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Webroot
[08/18/2006|06:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[10/18/2009|10:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WinZip
[04/08/2009|07:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo!
[06/01/2008|04:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> YoYoGames

[03/10/2007|12:14] C:\DOCUME~1\APPLIC~1\APPLIC~1\<DIR> Microsoft

[01/17/2006|11:41] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> acccore
[02/04/2006|03:32] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Adobe
[05/01/2006|02:33] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> AdobeUM
[07/25/2006|12:59] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> AOL
[08/11/2006|11:17] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Apple Computer
[12/24/2006|04:40] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> ArcSoft
[09/14/2008|05:41] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> BearShare
[10/04/2006|11:20] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Corel
[05/01/2006|04:33] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Creative
[01/06/2007|11:52] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> DivX
[07/16/2009|02:24] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> FrostWire
[10/20/2006|02:10] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> FUJIFILM
[06/19/2009|06:29] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Google
[01/15/2006|07:40] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Identities
[06/19/2007|01:29] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> IMVU
[01/15/2006|07:54] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Macromedia
[11/30/2009|04:18] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Malwarebytes
[12/21/2006|02:11] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Microsoft
[08/12/2008|09:07] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Mozilla
[07/17/2007|05:55] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> MSN6
[03/10/2007|09:28] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> MySpace
[11/30/2009|05:50] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Plaxo
[03/03/2007|08:25] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Real
[01/16/2006|05:38] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Sun
[01/12/2007|05:51] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Viewpoint
[03/07/2006|06:27] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Webroot
[06/25/2007|12:31] C:\DOCUME~1\Colleen\APPLIC~1\<DIR> Yahoo!


[12/31/2005|02:05] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[01/24/2007|01:39] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Help
[12/31/2005|02:05] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[08/10/2006|11:32] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Webroot

[09/11/2008|05:10] C:\DOCUME~1\Marty\APPLIC~1\<DIR> acccore
[03/30/2008|08:04] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Adobe
[04/04/2006|03:10] C:\DOCUME~1\Marty\APPLIC~1\<DIR> AdobeUM
[07/25/2006|12:59] C:\DOCUME~1\Marty\APPLIC~1\<DIR> AOL
[01/17/2006|04:52] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Apple Computer
[12/24/2006|01:59] C:\DOCUME~1\Marty\APPLIC~1\<DIR> ArcSoft
[09/12/2006|05:52] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Corel
[03/30/2006|05:57] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Creative
[12/28/2006|02:27] C:\DOCUME~1\Marty\APPLIC~1\<DIR> DivX
[04/01/2008|12:10] C:\DOCUME~1\Marty\APPLIC~1\<DIR> funkitron
[09/25/2006|03:11] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Google
[02/02/2006|05:12] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Help
[01/15/2006|07:52] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Identities
[07/10/2008|12:39] C:\DOCUME~1\Marty\APPLIC~1\<DIR> LimeWire
[10/19/2009|08:00] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Macromedia
[09/28/2008|03:50] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Microsoft
[09/17/2008|07:30] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Mozilla
[11/16/2008|12:33] C:\DOCUME~1\Marty\APPLIC~1\<DIR> MSN6
[03/10/2007|04:32] C:\DOCUME~1\Marty\APPLIC~1\<DIR> MySpace
[10/18/2007|12:28] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Real
[02/14/2006|03:58] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Sun
[06/05/2008|03:44] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Viewpoint
[08/11/2006|05:39] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Webroot
[10/18/2007|12:24] C:\DOCUME~1\Marty\APPLIC~1\<DIR> Yahoo!

[12/31/2005|02:05] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft


--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[11/17/2009 10:31 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[11/30/2009 06:39 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[07/16/2003 03:36 PM][-r-h-c---] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[12/31/2005|04:42] C:\Program Files\<DIR> ABBYY FineReader 6.0
[01/17/2006|12:46] C:\Program Files\<DIR> Adobe
[09/27/2009|08:01] C:\Program Files\<DIR> AIM Search
[02/24/2007|01:20] C:\Program Files\<DIR> AOL
[12/06/2006|11:05] C:\Program Files\<DIR> AOL Games
[09/27/2007|05:54] C:\Program Files\<DIR> Apple Software Update
[05/18/2009|12:06] C:\Program Files\<DIR> AskSearch
[03/28/2006|12:40] C:\Program Files\<DIR> City Interactive
[11/30/2009|06:31] C:\Program Files\<DIR> Common Files
[12/31/2005|02:03] C:\Program Files\<DIR> ComPlus Applications
[09/07/2008|01:03] C:\Program Files\<DIR> Coupons
[12/31/2005|05:30] C:\Program Files\<DIR> Creative
[12/31/2005|04:41] C:\Program Files\<DIR> Dell A920
[07/04/2009|03:48] C:\Program Files\<DIR> Dell AIO Printer A920
[07/05/2007|03:33] C:\Program Files\<DIR> Disc2Phone
[10/18/2007|12:24] C:\Program Files\<DIR> DivX
[11/14/2006|02:38] C:\Program Files\<DIR> Elecard
[09/27/2008|08:58] C:\Program Files\<DIR> FamilySearch
[12/31/2005|04:41] C:\Program Files\<DIR> FaxTools
[02/24/2008|12:08] C:\Program Files\<DIR> FinePixViewer
[01/24/2008|10:55] C:\Program Files\<DIR> GameData
[07/25/2008|10:00] C:\Program Files\<DIR> Global Star Software
[11/10/2009|02:39] C:\Program Files\<DIR> InstallShield Installation Information
[12/31/2005|05:14] C:\Program Files\<DIR> Intel
[01/28/2008|08:25] C:\Program Files\<DIR> Internet Explorer
[01/31/2006|12:56] C:\Program Files\<DIR> ItsDeductible2005
[10/15/2007|09:28] C:\Program Files\<DIR> Java
[05/05/2008|03:56] C:\Program Files\<DIR> Kazaa
[08/17/2009|02:26] C:\Program Files\<DIR> LimeWire
[11/30/2009|06:01] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[08/06/2008|05:38] C:\Program Files\<DIR> Maxis
[02/14/2008|10:15] C:\Program Files\<DIR> Messenger
[12/31/2005|02:09] C:\Program Files\<DIR> microsoft frontpage
[03/24/2006|10:45] C:\Program Files\<DIR> Microsoft Office
[12/31/2005|02:04] C:\Program Files\<DIR> Movie Maker
[11/30/2009|06:55] C:\Program Files\<DIR> Mozilla Firefox
[01/08/2006|02:20] C:\Program Files\<DIR> MSN
[12/31/2005|02:02] C:\Program Files\<DIR> MSN Gaming Zone
[07/05/2007|09:59] C:\Program Files\<DIR> MTV Networks
[10/23/2006|07:32] C:\Program Files\<DIR> MySecretCodes Toolbar
[10/15/2007|09:26] C:\Program Files\<DIR> MySpace
[07/25/2007|04:27] C:\Program Files\<DIR> NetBattle
[01/10/2006|06:21] C:\Program Files\<DIR> NetMeeting
[04/01/2008|08:25] C:\Program Files\<DIR> Oberon Media
[12/31/2005|02:04] C:\Program Files\<DIR> Online Services
[04/15/2006|05:00] C:\Program Files\<DIR> Outlook Express
[04/08/2009|01:19] C:\Program Files\<DIR> Plaxo
[07/14/2009|01:12] C:\Program Files\<DIR> PokerStars.NET
[08/17/2009|02:28] C:\Program Files\<DIR> PopCap Games
[03/13/2006|09:12] C:\Program Files\<DIR> PrintMaster 16
[07/28/2007|07:12] C:\Program Files\<DIR> QuickTime
[02/20/2008|11:29] C:\Program Files\<DIR> Real
[03/19/2006|12:21] C:\Program Files\<DIR> REGSHAVE
[02/20/2008|11:28] C:\Program Files\<DIR> Rhapsody
[12/24/2006|01:28] C:\Program Files\<DIR> SanDisk
[10/08/2006|07:18] C:\Program Files\<DIR> Strategy First
[07/03/2007|11:21] C:\Program Files\<DIR> The Weather Channel FW
[04/04/2006|02:20] C:\Program Files\<DIR> TryMedia
[01/28/2008|08:23] C:\Program Files\<DIR> TurboTax
[12/31/2005|03:33] C:\Program Files\<DIR> Uninstall Information
[08/29/2009|05:47] C:\Program Files\<DIR> Viewpoint
[02/02/2008|08:13] C:\Program Files\<DIR> Walgreens
[01/31/2007|07:39] C:\Program Files\<DIR> Web Publish
[01/01/2006|03:48] C:\Program Files\<DIR> Webroot
[12/24/2006|02:09] C:\Program Files\<DIR> Windows Media Player
[12/31/2005|02:02] C:\Program Files\<DIR> Windows NT
[01/08/2006|03:47] C:\Program Files\<DIR> WindowsUpdate
[04/19/2006|02:00] C:\Program Files\<DIR> WordPerfect Office 12
[12/31/2005|02:09] C:\Program Files\<DIR> xerox
[08/29/2009|05:46] C:\Program Files\<DIR> Zwangi

--------------------\\ Listing Folders in C:\Program Files\Common Files

[09/15/2007|10:59] C:\Program Files\Common Files\<DIR> Adobe
[11/25/2009|03:55] C:\Program Files\Common Files\<DIR> AlphaAntUninstall
[01/28/2008|08:32] C:\Program Files\Common Files\<DIR> AnswerWorks 4.0
[04/03/2009|04:09] C:\Program Files\Common Files\<DIR> AOL
[11/01/2007|06:43] C:\Program Files\Common Files\<DIR> AOLSHARE
[12/24/2006|01:28] C:\Program Files\Common Files\<DIR> ArcSoft
[04/19/2006|02:01] C:\Program Files\Common Files\<DIR> Borland Shared
[03/02/2006|10:47] C:\Program Files\Common Files\<DIR> Broderbund
[04/19/2006|02:00] C:\Program Files\Common Files\<DIR> Corel
[08/09/2006|01:07] C:\Program Files\Common Files\<DIR> DirectX
[11/14/2006|02:38] C:\Program Files\Common Files\<DIR> Elecard
[07/02/2009|04:53] C:\Program Files\Common Files\<DIR> INCA Shared
[04/19/2006|02:00] C:\Program Files\Common Files\<DIR> InstallShield
[01/19/2006|11:20] C:\Program Files\Common Files\<DIR> Intuit
[10/15/2007|09:26] C:\Program Files\Common Files\<DIR> Java
[01/01/2009|10:21] C:\Program Files\Common Files\<DIR> Microsoft Shared
[01/12/2007|07:04] C:\Program Files\Common Files\<DIR> Motive
[12/31/2005|02:03] C:\Program Files\Common Files\<DIR> MSSoap
[06/25/2006|04:01] C:\Program Files\Common Files\<DIR> NSV
[01/13/2006|03:43] C:\Program Files\Common Files\<DIR> Nullsoft
[12/30/2005|10:51] C:\Program Files\Common Files\<DIR> ODBC
[11/27/2007|11:33] C:\Program Files\Common Files\<DIR> Real
[12/31/2005|02:04] C:\Program Files\Common Files\<DIR> Services
[02/02/2008|08:13] C:\Program Files\Common Files\<DIR> Simple Star Shared
[12/30/2005|10:50] C:\Program Files\Common Files\<DIR> SpeechEngines
[04/15/2006|05:00] C:\Program Files\Common Files\<DIR> System
[12/31/2005|02:40] C:\Program Files\Common Files\<DIR> Verizon Online
[09/25/2006|01:46] C:\Program Files\Common Files\<DIR> Viewpoint

--------------------\\ Process

( 31 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\Colleen\Cookies\[email protected][1].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 07:02:19
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Colleen\crack
C:\DOCUME~1\Colleen\crack\Dynomite v1.2 Full Crack.exe
C:\DOCUME~1\Colleen\crack\WinDynomite_setup.exe


[F:1][D:0]-> C:\DOCUME~1\Colleen\LOCALS~1\Temp
[F:257][D:0]-> C:\DOCUME~1\Colleen\Cookies
[F:2][D:0]-> C:\DOCUME~1\Colleen\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Mon 11/30/2009| 7:04 - Option : [1]

--------------------\\ Scan completed at 7:04:14

Edited by hixyousuck, 30 November 2009 - 11:35 AM.
