Combofix Log Analysis
Started by do_you_realize, Jan 11 2010 09:25 PM
#1
Posted 11 January 2010 - 09:25 PM
#2
Posted 11 January 2010 - 09:57 PM
ComboFix 10-01-11.01 - 01/11/2010 19:20:40.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.405 [GMT -5:00]
Running from: c:\documents and settings\\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\windows\AegisP.inf
c:\windows\Downloaded Program Files\webinst.dll
c:\windows\system32\basotudo.dll
c:\windows\system32\bokadopi.dll
c:\windows\system32\geyofebi.dll
c:\windows\system32\gezibaju.dll
c:\windows\system32\kadidika.dll
c:\windows\system32\lidanufu.dll
c:\windows\system32\munuropi.dll
c:\windows\system32\ratofoze.dll
c:\windows\system32\vebufewo.dll
c:\windows\Tasks\jimodbih.job
.
((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.
2010-01-11 22:49 . 2010-01-11 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-08 02:28 . 2010-01-08 03:13 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2010-01-08 02:28 . 2010-01-08 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 00:55 . 2006-08-24 16:06 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-11 22:55 . 2006-08-24 18:43 -------- d-----w- c:\documents and settings\\Application Data\Skype
2010-01-11 22:51 . 2010-01-11 22:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 03:25 . 2010-01-09 07:13 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-08 03:25 . 2010-01-08 02:29 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-08 02:51 . 2007-11-21 14:55 -------- d-----w- c:\documents and settings\\Application Data\uTorrent
2010-01-08 02:28 . 2010-01-08 02:28 -------- d-----w- c:\program files\Lavasoft
2010-01-08 02:25 . 2006-08-24 16:15 -------- d-----w- c:\documents and settings\\Application Data\Lavasoft
2010-01-07 21:07 . 2010-01-11 22:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2010-01-11 22:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 03:20 . 2006-08-17 04:00 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-01-02 02:57 . 2007-03-19 15:49 -------- d-----w- c:\program files\iTunes
2009-12-25 19:22 . 2006-08-17 03:46 -------- d-----w- c:\program files\Java
2009-12-10 08:10 . 2007-01-11 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-15 23:36 . 2006-08-22 21:10 75424 -c--a-w- c:\documents and settings\ .\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 05:38 . 2004-08-11 22:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-11 22:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-11 22:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b15cf83d-d602-43bd-b005-1d6afaadcb39}]
1601-01-01 00:03 52736 --sha-w- c:\windows\system32\buvezoze.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"Google Update"="c:\documents and settings\ .\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-18 133104]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2009-04-09 228808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD Button Manager"="WDBtnMgr.exe" [2007-03-12 339968]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 124656]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 1126400]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-13 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-13 774680]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2007-02-13 252704]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-01-08 520024]
c:\documents and settings\ .\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-16 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-16 17:58 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Documents and Settings\\ .\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Simplify Media\\SimplifyMedia.exe"=
"c:\\Documents and Settings\\ .\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\ .\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\ .\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"c:\\Documents and Settings\\ .\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/7/2010 9:29 PM 64160]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/3/2007 8:33 AM 721904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 9:05 AM 102448]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [5/26/2006 8:01 PM 115952]
.
Contents of the 'Scheduled Tasks' folder
2010-01-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 03:24]
2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
2010-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2793965585-4125001162-1582932196-1006Core.job
- c:\documents and settings\ .\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-18 11:36]
2010-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2793965585-4125001162-1582932196-1006UA.job
- c:\documents and settings\ .\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-18 11:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: musicmatch.com\online
TCP: {EFC087C3-9926-4B0E-A585-0835D769A380} = 71.252.0.12,71.242.0.12
DPF: {81449547-EB5D-422E-8730-932DC5E412C8} - hxxp://www.howardstern.com/install/uvuplayer.cab
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://147.31.32.2:8080/registration/deploy/WebInst/webinst.cab
FF - ProfilePath - c:\documents and settings\ .\Application Data\Mozilla\Firefox\Profiles\2595zsu5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com/
FF - plugin: c:\documents and settings\ .\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\ .\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-SetDefaultMIDI - MIDIDef.exe
HKLM-Run-LogitechVideo[inspector] - c:\program files\Logitech\Video\InstallHelper.exe
HKLM-Run-zifohugih - c:\windows\system32\geyofebi.dll
HKLM-Run-yesiyuputa - bokadopi.dll
SharedTaskScheduler-{55f3ab3d-c72f-4f52-bc91-3c64395076bd} - c:\windows\system32\fisepolo.dll
SharedTaskScheduler-{77cdd9b2-6f76-45a1-99ed-f1086781be9a} - c:\windows\system32\geyofebi.dll
SSODL-wumarazuv-{55f3ab3d-c72f-4f52-bc91-3c64395076bd} - c:\windows\system32\fisepolo.dll
SSODL-nuhuwokeh-{77cdd9b2-6f76-45a1-99ed-f1086781be9a} - c:\windows\system32\geyofebi.dll
AddRemove-ProInst - c:\windows\Installer\iProInst.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 20:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spdw.sys >>UNKNOWN [0x87387938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7556f28
\Driver\ACPI -> ACPI.sys @ 0xf72d0cb8
\Driver\atapi -> atapi.sys @ 0xf7265b40
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1096)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
- - - - - - - > 'explorer.exe'(7164)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\StacSV.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\WDBtnMgr.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-11 20:24:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-12 01:24
Pre-Run: 19,513,810,944 bytes free
Post-Run: 21,509,529,600 bytes free
Current=2 Default=2 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 42A5D755CCF28AC806084030677A533D
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.405 [GMT -5:00]
Running from: c:\documents and settings\\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\windows\AegisP.inf
c:\windows\Downloaded Program Files\webinst.dll
c:\windows\system32\basotudo.dll
c:\windows\system32\bokadopi.dll
c:\windows\system32\geyofebi.dll
c:\windows\system32\gezibaju.dll
c:\windows\system32\kadidika.dll
c:\windows\system32\lidanufu.dll
c:\windows\system32\munuropi.dll
c:\windows\system32\ratofoze.dll
c:\windows\system32\vebufewo.dll
c:\windows\Tasks\jimodbih.job
.
((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.
2010-01-11 22:49 . 2010-01-11 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-08 02:28 . 2010-01-08 03:13 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2010-01-08 02:28 . 2010-01-08 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 00:55 . 2006-08-24 16:06 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-11 22:55 . 2006-08-24 18:43 -------- d-----w- c:\documents and settings\\Application Data\Skype
2010-01-11 22:51 . 2010-01-11 22:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 03:25 . 2010-01-09 07:13 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-08 03:25 . 2010-01-08 02:29 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-08 02:51 . 2007-11-21 14:55 -------- d-----w- c:\documents and settings\\Application Data\uTorrent
2010-01-08 02:28 . 2010-01-08 02:28 -------- d-----w- c:\program files\Lavasoft
2010-01-08 02:25 . 2006-08-24 16:15 -------- d-----w- c:\documents and settings\\Application Data\Lavasoft
2010-01-07 21:07 . 2010-01-11 22:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2010-01-11 22:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 03:20 . 2006-08-17 04:00 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-01-02 02:57 . 2007-03-19 15:49 -------- d-----w- c:\program files\iTunes
2009-12-25 19:22 . 2006-08-17 03:46 -------- d-----w- c:\program files\Java
2009-12-10 08:10 . 2007-01-11 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-15 23:36 . 2006-08-22 21:10 75424 -c--a-w- c:\documents and settings\ .\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 05:38 . 2004-08-11 22:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-11 22:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-11 22:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b15cf83d-d602-43bd-b005-1d6afaadcb39}]
1601-01-01 00:03 52736 --sha-w- c:\windows\system32\buvezoze.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"Google Update"="c:\documents and settings\ .\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-18 133104]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2009-04-09 228808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD Button Manager"="WDBtnMgr.exe" [2007-03-12 339968]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 124656]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 1126400]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-13 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-13 774680]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2007-02-13 252704]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-01-08 520024]
c:\documents and settings\ .\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-16 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-16 17:58 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Documents and Settings\\ .\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Simplify Media\\SimplifyMedia.exe"=
"c:\\Documents and Settings\\ .\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\ .\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\ .\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"c:\\Documents and Settings\\ .\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/7/2010 9:29 PM 64160]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/3/2007 8:33 AM 721904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 9:05 AM 102448]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [5/26/2006 8:01 PM 115952]
.
Contents of the 'Scheduled Tasks' folder
2010-01-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 03:24]
2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
2010-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2793965585-4125001162-1582932196-1006Core.job
- c:\documents and settings\ .\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-18 11:36]
2010-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2793965585-4125001162-1582932196-1006UA.job
- c:\documents and settings\ .\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-18 11:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: musicmatch.com\online
TCP: {EFC087C3-9926-4B0E-A585-0835D769A380} = 71.252.0.12,71.242.0.12
DPF: {81449547-EB5D-422E-8730-932DC5E412C8} - hxxp://www.howardstern.com/install/uvuplayer.cab
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://147.31.32.2:8080/registration/deploy/WebInst/webinst.cab
FF - ProfilePath - c:\documents and settings\ .\Application Data\Mozilla\Firefox\Profiles\2595zsu5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com/
FF - plugin: c:\documents and settings\ .\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\ .\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-SetDefaultMIDI - MIDIDef.exe
HKLM-Run-LogitechVideo[inspector] - c:\program files\Logitech\Video\InstallHelper.exe
HKLM-Run-zifohugih - c:\windows\system32\geyofebi.dll
HKLM-Run-yesiyuputa - bokadopi.dll
SharedTaskScheduler-{55f3ab3d-c72f-4f52-bc91-3c64395076bd} - c:\windows\system32\fisepolo.dll
SharedTaskScheduler-{77cdd9b2-6f76-45a1-99ed-f1086781be9a} - c:\windows\system32\geyofebi.dll
SSODL-wumarazuv-{55f3ab3d-c72f-4f52-bc91-3c64395076bd} - c:\windows\system32\fisepolo.dll
SSODL-nuhuwokeh-{77cdd9b2-6f76-45a1-99ed-f1086781be9a} - c:\windows\system32\geyofebi.dll
AddRemove-ProInst - c:\windows\Installer\iProInst.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 20:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spdw.sys >>UNKNOWN [0x87387938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7556f28
\Driver\ACPI -> ACPI.sys @ 0xf72d0cb8
\Driver\atapi -> atapi.sys @ 0xf7265b40
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1096)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
- - - - - - - > 'explorer.exe'(7164)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\StacSV.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\WDBtnMgr.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-11 20:24:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-12 01:24
Pre-Run: 19,513,810,944 bytes free
Post-Run: 21,509,529,600 bytes free
Current=2 Default=2 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 42A5D755CCF28AC806084030677A533D
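The log above lists which DLLs are loaded into winlogon.exe and explorer.exe, which other processes are running, and the boot control-set selection, but a reader has to triage those lines by hand. The following Python script is an added example, not code from the original post or from ComboFix: it parses those three sections into structures and applies a few review heuristics. The embedded log text is constructed to mirror the posted layout; the DLL name yudafebo.dll and the Temp-folder svchost.exe path are invented so the rules have something to hit, and the function names (`parse_log`, `triage`) and the heuristics themselves are my own assumptions. A flag means "look at this", not "this is malware".

```python
"""Triage helper for ComboFix log sections.

Added example, not code from the original post or from ComboFix. The sample
log text is constructed to match the posted layout; the DLL name
'yudafebo.dll' and the Temp-folder svchost.exe path are invented so the
heuristics have something to hit. Flags are review items, not verdicts.
"""
import re

SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1096)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
- - - - - - - > 'explorer.exe'(7164)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\yudafebo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\documents and settings\user\Local Settings\Temp\svchost.exe
.
**************************************************************************
.
Completion time: 2010-01-11 20:24:43 - machine was rebooted
Current=2 Default=2 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
"""

SECTION = re.compile(r"^-{3,}\s*(?P<title>.+?)\s*-{3,}$")
PROC_HEADER = re.compile(r"^(?:- )+> '(?P<name>[^']+)'\((?P<pid>\d+)\)$")
SELECT_LINE = re.compile(
    r"^Current=(?P<current>\d+) Default=(?P<default>\d+) Failed=(?P<failed>\d+) "
    r"LastKnownGood=(?P<lkg>\d+) Sets=(?P<sets>[\d,]+)$")
# Assumed heuristic: an eight-letter all-lowercase DLL name with no digits is
# typical of randomly generated dropper names, but a few genuine system DLLs
# also fit, so this only raises a review flag.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")

SYSTEM32 = "c:\\windows\\system32\\"
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_log(text):
    """Return loaded DLLs per process, the process list and the Select values."""
    loaded = {}          # (process name, pid) -> [dll path, ...]
    processes = []
    select = None
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("*"):          # a row of asterisks ends the section
            section = None
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("title")
            current = None
            continue
        m = SELECT_LINE.match(line)       # HKLM\SYSTEM\Select values
        if m:
            select = {k: int(v) for k, v in m.groupdict().items() if k != "sets"}
            select["sets"] = [int(s) for s in m.group("sets").split(",")]
            continue
        if section == "DLLs Loaded Under Running Processes":
            m = PROC_HEADER.match(line)
            if m:
                current = (m.group("name").lower(), int(m.group("pid")))
                loaded[current] = []
            elif current is not None:
                loaded[current].append(line)
        elif section == "Other Running Processes":
            processes.append(line)
    return {"loaded": loaded, "processes": processes, "select": select}


def triage(parsed):
    """Apply review heuristics; each finding is (where, path, reason)."""
    findings = []
    for (name, pid), dlls in parsed["loaded"].items():
        for dll in dlls:
            base = dll.rsplit("\\", 1)[-1].lower()
            if RANDOM_DLL.match(base):
                findings.append((f"{name}({pid})", dll, "eight-letter lowercase DLL name"))
            # Anything loaded into winlogon.exe from outside system32 deserves a look:
            # legitimate remote-support agents do this too, so it is a review item.
            if name == "winlogon.exe" and not dll.lower().startswith(SYSTEM32):
                findings.append((f"{name}({pid})", dll, "non-system DLL inside winlogon.exe"))
    for exe in parsed["processes"]:
        if not exe.lower().startswith(EXPECTED_ROOTS):
            findings.append(("process", exe, "executable outside Windows or Program Files"))
    sel = parsed["select"]
    # A non-zero Failed value records the control set that was set aside the last
    # time the machine booted with Last Known Good.
    if sel and sel["failed"]:
        findings.append(("boot", f"ControlSet{sel['failed']:03d}",
                         "Select\\Failed is set: an earlier boot was recovered via Last Known Good"))
    return findings


if __name__ == "__main__":
    for where, path, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"[{where}] {path}  <- {reason}")
```

Run against the constructed text, the script flags the Citrix DLL in winlogon.exe, the invented eight-letter DLL in explorer.exe, the Temp-folder svchost.exe, and the Select line. Treat the list as a worklist to check against the vendor, the file's digital signature and its creation time in the log's Find3M section, not as a verdict; a Winlogon notification package from a known remote-support product is a common benign hit.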
#3
Posted 12 January 2010 - 09:52 PM
Can someone please help me?
#4
Posted 12 January 2010 - 10:12 PM
I also have a HJT log and Root Repeal.
#5
Posted 17 January 2010 - 06:20 AM
We look for posts with 0 replies, so when you posted to your own log, we assumed you were being helped.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.
Vista and Windows 7 users:
1. These tools MUST be run from the executable (.exe) every time you run them.
2. With admin rights (right-click, choose "Run as Administrator").
Stay with this topic until I give you the all clean post.
You might want to print these instructions out.
I suggest you do this:
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.
Please do not delete anything unless instructed to.
Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)
It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.
Next:
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Then click Remove Selected.
- When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
- Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Also please describe how your computer behaves at the moment.
Please don't attach the scans / logs, use "copy/paste".
#6
Posted 17 January 2010 - 09:09 AM
Since the time I made this post, my computer has continued to suffer. Virus pop-up windows began infesting my computer at a rate that I could not control. It got to the point that my computer became completely inoperable. One day, I eventually had to manually shut the computer down. When I attempted to restart the computer, a blue screen appeared which read:
"A problem has been detected and windows has been shut down to prevent damage to your computer.
If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:
Disable or uninstall any anti-virus, disk defragmentation or backup utilities. Check your hard drive configuration, and check for any updated drivers. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.
Technical information:
*** STOP: 0x00000024 (0x001902FE, 0xF7949380, 0xF794907c, 0x87254805)"
When I try to start the computer in safe mode or my last known good configurations, this blue screen with the above error message still appears.
Please advise. Thanks so much for any help!
#7
Posted 17 January 2010 - 09:16 AM
If you can't get it to boot the only thing I know of would be a Windows repair install.
#8
Posted 17 January 2010 - 09:21 AM
Can you tell me more about a windows repair install? How would I do it?
#9
Posted 17 January 2010 - 09:28 AM
#10
Posted 17 January 2010 - 09:34 AM
Is there anything you would recommend if I don't have the Windows Boot CD?
#11
Posted 17 January 2010 - 09:37 AM