Spyware eats all my CPU [RESOLVED]

#46 okucu (Topic Starter, Member, 66 posts)
ComboFix 08-11-03.06 - OKUCU 2008-11-13 18:51:12.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1254.90.1033.18.1043 [GMT -8:00]
Running from: c:\documents and settings\OKUCU\Desktop\ComboFix.exe
Command switches used :: / Snapshot

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\08223B03.cfg
c:\windows\system32\122B901E.cfg
c:\windows\system32\2EF0D734.cfg
c:\windows\system32\43ACDCC5.cfg
c:\windows\system32\4D023DE9.cfg
c:\windows\system32\58FF3024.cfg
c:\windows\system32\66AFCB56.cfg
c:\windows\system32\9CA963CA.cfg
c:\windows\system32\9F684DE8.cfg
c:\windows\system32\B3721C07.cfg
c:\windows\system32\BA7EDF54.cfg
c:\windows\system32\ca99d57.sys
c:\windows\system32\D7C79813.cfg
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DFEC5CB7.cfg
c:\windows\system32\E0D39066.cfg
c:\windows\system32\E3367679.cfg
c:\windows\system32\E3367679.dll
c:\windows\system32\E4814792.cfg
c:\windows\system32\F65BDEC7.cfg

.
((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
.

2008-11-13 09:05 . 2008-11-13 09:05 11,328 --ahs---- c:\windows\system32\E4814792.dll
2008-11-13 09:04 . 2008-11-13 09:04 11,927 --ahs---- c:\windows\system32\E0D39066.dll
2008-11-13 09:03 . 2008-11-13 09:03 216,873 --ahs---- c:\windows\system32\755D0ED0.dll
2008-11-13 09:03 . 2008-11-13 09:03 216,381 --ahs---- c:\windows\system32\16AF66EB.dll
2008-11-13 09:03 . 2008-11-13 09:03 5,504 --a------ c:\windows\system32\f35ee9e.sys
2008-11-13 09:03 . 2008-11-13 09:03 296 --ahs---- c:\windows\system32\16AF66EB.cfg
2008-11-13 09:03 . 2008-11-13 09:03 244 --ahs---- c:\windows\system32\755D0ED0.cfg
2008-11-13 09:01 . 2008-11-13 09:01 11,555 --ahs---- c:\windows\system32\9F684DE8.dll
2008-11-13 07:30 . 2008-11-13 07:30 11,825 --ahs---- c:\windows\system32\DFEC5CB7.dll
2008-11-12 08:27 . 2008-11-12 08:30 <DIR> d-------- C:\Lop SD
2008-11-12 08:22 . 2008-11-12 08:22 217,077 --ahs---- c:\windows\system32\2EF0D734.dll
2008-11-12 08:22 . 2008-11-12 08:22 12,798 --ahs---- c:\windows\system32\66AFCB56.dll
2008-11-12 08:22 . 2008-11-12 08:22 12,269 --ahs---- c:\windows\system32\93DEE065.dll
2008-11-12 08:22 . 2008-11-12 08:22 12,103 --ahs---- c:\windows\system32\C8FFD223.dll
2008-11-12 08:22 . 2008-11-12 08:22 11,938 --ahs---- c:\windows\system32\BA7EDF54.dll
2008-11-12 07:53 . 2008-11-12 07:53 <DIR> d-------- c:\windows\ERUNT
2008-11-12 07:48 . 2008-11-12 07:48 12,717 --ahs---- c:\windows\system32\5934EA2B.dll
2008-11-12 07:48 . 2008-11-12 07:48 11,722 --ahs---- c:\windows\system32\F65BDEC7.dll
2008-11-12 07:47 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2008-11-12 07:46 . 2008-11-12 07:46 217,404 --ahs---- c:\windows\system32\70B0129E.dll
2008-11-12 07:46 . 2008-11-12 07:46 217,351 --ahs---- c:\windows\system32\4FBFD5A4.dll
2008-11-12 07:46 . 2008-11-12 07:46 216,781 --ahs---- c:\windows\system32\F8E07BB2.dll
2008-11-12 07:46 . 2008-11-12 07:46 216,659 --ahs---- c:\windows\system32\F2CBFAC4.dll
2008-11-12 07:46 . 2008-11-12 07:46 11,219 --ahs---- c:\windows\system32\01AFE3DC.dll
2008-11-12 07:45 . 2008-11-12 07:45 216,338 --ahs---- c:\windows\system32\3F21AA0C.dll
2008-11-12 07:38 . 2008-11-12 07:38 24,625 --a------ c:\windows\MSVB50CHS.dll
2008-11-11 20:06 . 2008-11-12 08:22 10,240 --a------ c:\windows\MKMKrnl.dll
2008-11-11 20:06 . 2008-11-11 20:06 204 --ahs---- c:\windows\system32\C8FFD223.cfg
2008-11-11 20:05 . 2008-11-11 20:05 184 --ahs---- c:\windows\system32\93DEE065.cfg
2008-11-11 20:04 . 2008-11-12 07:48 20,480 --a------ c:\windows\MPKrnl.dll
2008-11-11 20:04 . 2008-11-13 09:03 468 --ahs---- c:\windows\system32\70B0129E.cfg
2008-11-11 20:04 . 2008-11-11 20:04 272 --ahs---- c:\windows\system32\F2CBFAC4.cfg
2008-11-11 20:04 . 2008-11-11 20:04 220 --ahs---- c:\windows\system32\F8E07BB2.cfg
2008-11-11 20:04 . 2008-11-11 20:04 204 --ahs---- c:\windows\system32\5934EA2B.cfg
2008-11-11 20:04 . 2008-11-11 20:04 152 --ahs---- c:\windows\system32\01AFE3DC.cfg
2008-11-11 20:03 . 2008-11-11 20:03 5,504 --a------ c:\windows\system32\de8296f.sys
2008-11-11 20:03 . 2008-11-11 20:03 5,504 --a------ c:\windows\system32\d7b49fa.sys
2008-11-11 20:03 . 2008-11-11 20:03 5,504 --a------ c:\windows\system32\c39e8db.sys
2008-11-11 20:03 . 2008-11-11 20:03 312 --ahs---- c:\windows\system32\3F21AA0C.cfg
2008-11-11 20:03 . 2008-11-11 20:03 212 --ahs---- c:\windows\system32\4FBFD5A4.cfg
2008-11-02 18:25 . 2008-11-02 18:25 <DIR> d-------- c:\documents and settings\OKUCU\DoctorWeb
2008-11-02 17:46 . 2008-11-02 18:24 250 --a------ c:\windows\gmer.ini
2008-10-27 09:43 . 2008-11-05 23:48 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-27 09:43 . 2008-10-27 09:43 1,409 --a------ c:\windows\QTFont.for
2008-10-26 18:12 . 2008-10-26 18:12 <DIR> d-------- C:\rsit
2008-10-25 05:09 . 2008-10-25 05:09 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-10-24 19:55 . 2008-10-24 19:55 <DIR> d-------- C:\_OTScanIt
2008-10-23 16:18 . 2008-10-23 16:18 2,302,017 --a------ c:\windows\system32\GPhotos.scr
2008-10-15 06:16 . 2008-11-03 18:16 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SolidDocuments
2008-10-15 01:49 . 2008-10-15 01:49 <DIR> d-------- c:\program files\Visage
2008-10-15 01:49 . 2008-10-15 01:49 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-15 01:49 . 2008-10-15 01:49 <DIR> d-------- c:\program files\Common Files\Visage Software
2008-10-15 00:12 . 2008-11-01 20:24 167 --a------ c:\windows\ConverterCore.INI
2008-10-15 00:10 . 2008-10-15 00:10 <DIR> d-------- c:\program files\SolidDocuments
2008-10-15 00:10 . 2008-11-12 20:43 <DIR> d-------- c:\documents and settings\OKUCU\Application Data\SolidDocuments
2008-10-15 00:09 . 2008-10-15 00:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\SolidDocuments
2008-10-15 00:00 . 2008-03-27 04:42 7,477 --a------ c:\windows\system32\novap5.ctm
2008-10-14 23:58 . 2008-03-27 04:42 7,477 --a------ c:\windows\system32\dopdf6.ctm
2008-10-14 23:47 . 2008-10-14 23:49 <DIR> d-------- C:\STA4V12
2008-10-14 23:47 . 2008-10-14 23:48 <DIR> d-------- C:\STA4
2008-10-14 23:41 . 2008-10-25 08:06 <DIR> d-------- C:\Sta4v11
2008-10-14 23:38 . 2008-10-14 23:38 <DIR> d-------- c:\program files\PDFCreator
2008-10-14 23:38 . 2008-10-14 23:38 <DIR> d-------- c:\documents and settings\OKUCU\Application Data\PDFCreator
2008-10-14 23:30 . 2004-01-31 09:14 420,000 --a------ c:\windows\system32\drivers\hardlock.sys
2008-10-14 23:30 . 2003-12-18 07:53 47,616 --a------ c:\windows\system32\drivers\haspnt.sys
2008-10-14 23:29 . 2008-10-14 23:42 <DIR> d-------- C:\HaspEmulPE.XP
2008-10-14 23:19 . 2004-02-22 13:00 1,386,496 --a------ c:\windows\system32\MSVBVM60.DLL
2008-10-14 23:19 . 2003-09-10 18:08 665,600 --a------ c:\windows\system32\HARDLOCK.SYS
2008-10-14 23:19 . 2002-07-29 18:13 434,252 --a------ c:\windows\system32\HARDLOCK.VXD
2008-10-14 23:19 . 2002-08-27 19:07 291,328 --a------ c:\windows\system32\hlvdd.dll
2008-10-14 23:19 . 2003-07-25 08:17 148,992 --a------ c:\windows\system32\HASPVB32.DLL
2008-10-14 23:19 . 2001-11-01 23:50 49,750 --a------ c:\windows\system32\HASP95DL.VXD
2008-10-14 23:19 . 2001-11-01 22:15 45,664 --a------ c:\windows\system32\HASP95.VXD
2008-10-14 23:19 . 2001-11-01 22:15 6,656 --a------ c:\windows\system32\haspvdd.dll
2008-10-14 23:19 . 2001-03-02 05:00 383 --a------ c:\windows\system32\haspdos.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-14 02:45 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-14 02:36 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-12 06:16 --------- d-----w c:\documents and settings\OKUCU\Application Data\Skype
2008-10-31 15:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-26 04:12 76,856 ----a-w c:\documents and settings\OKUCU\Application Data\GDIPFONTCACHEV1.DAT
2008-10-25 13:09 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-10-25 12:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-22 23:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 23:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-18 15:47 --------- d-----w c:\documents and settings\OKUCU\Application Data\LimeWire
2008-10-14 05:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-13 20:55 --------- d-----w c:\program files\MathType
2008-10-12 11:08 --------- d-----w c:\documents and settings\OKUCU\Application Data\Autodesk
2008-10-12 11:08 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-10-11 09:25 --------- d-----w c:\program files\MSXML 6.0
2008-10-10 08:32 --------- d-----w c:\program files\Nikon_Capture_NX2_v2.1.0
2008-10-10 08:13 --------- d-----w c:\program files\AutoCAD 2008
2008-10-10 08:12 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-10-09 18:42 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-09 18:30 --------- d-----w c:\program files\Common Files\Adobe
2008-10-09 18:30 --------- d-----w c:\program files\Bonjour
2008-10-09 18:17 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-09 17:00 --------- d-----w c:\program files\turbo squid tentacles
2008-10-09 16:54 --------- d-----w c:\program files\Autodesk
2008-10-05 06:22 --------- d-----w c:\program files\Google
2008-10-02 06:33 --------- d-----w c:\program files\eMule
2008-10-02 06:31 --------- d-----w c:\program files\Swiss International Air Lines TravelDesk
2008-10-02 06:29 --------- d-----w c:\program files\Netopia
2008-09-29 12:20 61,440 ----a-w c:\windows\system32\drivers\qkcgs.sys
2008-09-29 05:52 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-09-29 05:47 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2008-09-25 07:44 --------- d-----w c:\documents and settings\OKUCU\Application Data\U3
2008-08-10 06:58 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbz.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-11-04_ 7.03.36.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 23:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-11-12 15:53:57 10,006,528 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-11-12 15:53:57 540,672 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 23:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-11-12 15:53:29 10,006,528 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-11-12 15:53:29 540,672 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2005-12-25 15:50:14 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-14 02:55:38 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-12-25 15:50:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-14 02:55:38 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-09 06:58:58 8,470 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\17HTUR26\msusp[1].bin
+ 2008-11-11 03:13:25 15,770 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\17HTUR26\msusp[2].bin
+ 2008-11-11 05:18:34 8,470 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\17HTUR26\msusp[3].bin
+ 2008-11-14 02:55:38 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-04 12:00:00 66,048 ----a-w c:\windows\system32\mscaeo.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 73728]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-09-06 671744]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-25 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-28 286720]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-30 122941]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-19 48752]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2005-05-05 22656]
"MPKrnl"="c:\windows\MPKrnl.dll" [2008-11-12 20480]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 c:\windows\KHALMNPR.Exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-08-22 c:\windows\system32\TCtrlIOHook.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-22 c:\windows\agrsmmsg.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MPMKrnl"="c:\windows\MKMKrnl.dll" [2008-11-12 10240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-28 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F8E07BB2-7A19-4057-80F1-E14646E630B4}"= "F8E07BB2.dll" [BU]
"{4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96}"= "4FBFD5A4.dll" [BU]
"{3F21AA0C-2A9E-4BE9-9083-9E58AB41BA01}"= "3F21AA0C.dll" [BU]
"{F2CBFAC4-6FF9-4DE9-BCB1-0F2FA2AA0B4C}"= "F2CBFAC4.dll" [BU]
"{70B0129E-726E-4789-A7C0-5DDC33241E94}"= "70B0129E.dll" [BU]
"{01AFE3DC-2242-436E-9B44-6DD1C664E828}"= "01AFE3DC.dll" [BU]
"{5934EA2B-B2C4-4BE7-BF7A-FBA781A12E40}"= "5934EA2B.dll" [BU]
"{93DEE065-EC9B-4505-ADD3-19880AD3C38F}"= "93DEE065.dll" [BU]
"{C8FFD223-C0FB-40C5-94A0-FD7891AC18E9}"= "C8FFD223.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=01AFE3DC.dll,HBmhly.dll,HBZHUXIAN.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-09-03 09:11 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 12:36 1207080 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-10-18 03:58 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-02-27 01:18 67128 c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 05:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 06:24 458752 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 06:14 217088 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2005-08-30 02:53 1077329 c:\program files\Toshiba\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 08:20 20058152 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-05-12 01:31 118784 c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-03-10 09:45 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]
--a------ 2005-06-06 00:58 24576 c:\windows\system32\ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 de8296f;de8296f;c:\windows\system32\de8296f.sys [2008-11-11 5504]
S3 c39e8db;c39e8db;c:\windows\system32\c39e8db.sys [2008-11-11 5504]
S3 ca99d57;ca99d57;c:\windows\system32\ca99d57.sys [ ]
S3 d7b49fa;d7b49fa;c:\windows\system32\d7b49fa.sys [2008-11-11 5504]
S3 f35ee9e;f35ee9e;c:\windows\system32\f35ee9e.sys [2008-11-13 5504]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-03 29744]
.
Contents of the 'Scheduled Tasks' folder

2008-11-13 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 03:24]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{16AF66EB-93C8-49F9-BB09-B4F87CEDCE46} - 16AF66EB.dll
ShellExecuteHooks-{755D0ED0-3996-4ADB-9B1F-AD8F0E9E4738} - 755D0ED0.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\OKUCU\Application Data\Mozilla\Firefox\Profiles\c4f6pgvi.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 18:53:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
c:\program files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\program files\Toshiba\ConfigFree\CFSServ.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Apoint2K\ApntEx.exe
.
**************************************************************************
.
Completion time: 2008-11-13 19:01:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-14 03:01:35
ComboFix2.txt 2008-11-12 15:41:13
ComboFix3.txt 2008-11-12 07:33:00
ComboFix4.txt 2008-11-12 03:58:35
ComboFix5.txt 2008-11-14 02:50:53

Pre-Run: 14,327,734,272 bytes free
Post-Run: 14,329,004,032 bytes free

372 --- E O F --- 2008-10-16 20:32:25
#47 okucu (Topic Starter, Member, 66 posts)
You forgot about me :-))

#48 Egwene (Member 2k, Visiting Consultant, 2,141 posts)
Hello,

Nope, again busy :)

So now it's ok, let's go on :)

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

  • Please go to VirScan
  • Copy and paste the following file path into the Suspicious files to scan box.
    o c:\windows\system32\mscaeo.exe
  • Click on the Upload button
  • Once the Scan has completed, click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • Do the same for:
    o c:\windows\system32\drivers\hardlock.sys

Regards,
Egwene.

#49 okucu (Topic Starter, Member, 66 posts)
Regarding the first one (c:\windows\system32\mscaeo.exe), it gives an error on upload. It says "can't find upload file".

Second log below:


VirSCAN.org Scanned Report :
Scanned time : 2008/11/16 18:30:02 (PST)
Scanner results: All Scanners reported not find malware!
File Name : hardlock.sys
File Size : 420000 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : dfcc5cb95936c74a9fcbef23434f406f
SHA1 : e6f6da939e8ffef4dc6986e2fcc70e974577a146
Online report : http://virscan.org/r...8815d02520.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.26 20081117060118 2008-11-17 3.42 -
AhnLab V3 2008.11.17.01 2008.11.17 2008-11-17 1.05 -
AntiVir 7.9.0.31 7.1.0.90 2008-11-16 1.53 -
Antiy 2.0.18 20081114.1573099 2008-11-14 0.12 -
Arcavir 1.0.5 200811161554 2008-11-16 1.23 -
Authentium 5.1.1 200811170013 2008-11-17 1.11 -
AVAST! 3.0.1 081116-1 2008-11-16 0.02 -
AVG 7.5.52.442 270.9.4/1793 2008-11-16 1.74 -
BitDefender 7.81008.2197006 7.21905 2008-11-17 2.01 -
CA (VET) 9.0.0.143 31.6.6210 2008-11-14 4.19 -
ClamAV 0.94.1 8636 2008-11-15 0.08 -
Comodo 2.11 2.0.0.708 2008-11-16 0.44 -
CP Secure 1.1.0.715 2008.11.14 2008-11-14 6.42 -
Dr.Web 4.44.0.9170 2008.11.16 2008-11-16 3.53 -
ewido 4.0.0.2 2008.11.16 2008-11-16 6.64 -
F-Prot 4.4.4.56 20081116 2008-11-16 1.07 -
F-Secure 5.51.6100 2008.11.16.02 2008-11-16 0.10 -
Fortinet 2.81-3.117 9.714 2008-11-15 0.22 -
GData 19.1549/19.110 20081116 2008-11-16 2.79 -
ViRobot 20081115 2008.11.15 2008-11-15 0.48 -
Ikarus T3.1.01.45 2008.11.16.71866 2008-11-16 3.46 -
JiangMin 11.0.706 2008.11.16 2008-11-16 1.39 -
Kaspersky 5.5.10 2008.11.16 2008-11-16 0.06 -
KingSoft 2008.9.8.18 2008.11.13.23 2008-11-13 0.70 -
McAfee 5.3.00 5436 2008-11-16 2.53 -
Microsoft 1.4104 2008.11.17 2008-11-17 5.08 -
mks_vir 2.01 2008.11.17 2008-11-17 2.68 -
Norman 5.93.01 5.93.00 2008-11-14 5.31 -
Panda 9.05.01 2008.11.16 2008-11-16 3.14 -
Trend Micro 8.700-1004 5.654.38 2008-11-16 0.38 -
Quick Heal 10.00 2008.11.15 2008-11-15 1.80 -
Rising 20.0 21.03.42.00 2008-11-14 1.00 -
Sophos 2.80.0 4.35 2008-11-17 1.99 -
Sunbelt 4474 4474 2008-11-04 0.71 -
Symantec 1.3.0.24 20081116.003 2008-11-16 0.09 -
nProtect 2008-11-14.00 2541461 2008-11-14 3.29 -
The Hacker 6.3.1.1 v00155 2008-11-15 0.46 -
VBA32 3.12.8.9 20081116.1932 2008-11-16 1.54 -
VirusBuster 4.5.11.10 10.93.4/671777 2008-11-16 1.21 -

#50 Egwene (Member 2k, Visiting Consultant, 2,141 posts)
Hello,

I need a fresh ComboFix log; please run ComboFix again and post me the new report :)

I may have found the file responsible for the re-infection.

Regards,
Egwene.

#51 okucu (Topic Starter, Member, 66 posts)
ComboFix 08-11-03.06 - OKUCU 2008-11-17 20:21:10.11 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1254.90.1033.18.1017 [GMT -8:00]
Running from: c:\documents and settings\OKUCU\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Messenger\msgmr.dll
c:\windows\AppPatch\AcSpecf.dll
c:\windows\AppPatch\AcSpecf.sdb
c:\windows\AppPatch\AcXtrnel.sdb
c:\windows\Downloaded Program Files\ThunderAdvise.dll
c:\windows\Fonts\Framdee.ttf
c:\windows\system32\08223B03.cfg
c:\windows\system32\08223B03.dll
c:\windows\system32\122B901E.cfg
c:\windows\system32\122B901E.dll
c:\windows\system32\2EF0D734.cfg
c:\windows\system32\43ACDCC5.cfg
c:\windows\system32\43ACDCC5.dll
c:\windows\system32\4D023DE9.cfg
c:\windows\system32\58FF3024.cfg
c:\windows\system32\58FF3024.dll
c:\windows\system32\66AFCB56.cfg
c:\windows\system32\8566F82E.cfg
c:\windows\system32\8566F82E.dll
c:\windows\system32\9CA963CA.cfg
c:\windows\system32\9CA963CA.dll
c:\windows\system32\9F684DE8.cfg
c:\windows\system32\B3721C07.cfg
c:\windows\system32\BA7EDF54.cfg
c:\windows\system32\ca99d57.sys
c:\windows\system32\D7C79813.cfg
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DA63E650.dll
c:\windows\system32\DFEC5CB7.cfg
c:\windows\system32\drivers\HBKernel32.sys
c:\windows\system32\E0D39066.cfg
c:\windows\system32\E3367679.cfg
c:\windows\system32\E3367679.dll
c:\windows\system32\E4814792.cfg
c:\windows\system32\F65BDEC7.cfg
c:\windows\system32\HBmhly.dll
c:\windows\system32\HBZHUXIAN.dll
c:\windows\system32\system.exe
c:\windows\system32\unxxx.bat
c:\windows\temp\wmsetup.dll
c:\windows\Update.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
.

2008-11-17 10:49 . 2008-11-17 10:49 10,752 --a------ C:\12.exe
2008-11-16 19:19 . 2008-11-17 06:34 11,463 --ahs---- c:\windows\system32\E4814792.dll
2008-11-16 19:19 . 2008-11-16 19:19 5,504 --a------ c:\windows\system32\d435fd4.sys
2008-11-16 18:28 . 2008-11-16 18:28 11,581 --ahs---- c:\windows\system32\9F684DE8.dll
2008-11-14 21:39 . 2008-11-14 21:39 12,004 --ahs---- c:\windows\system32\B8E83D3C.dll
2008-11-14 21:39 . 2008-11-14 21:39 220 --ahs---- c:\windows\system32\B8E83D3C.cfg
2008-11-13 19:09 . 2008-11-13 19:09 11,958 --ahs---- c:\windows\system32\D7C79813.dll
2008-11-13 19:08 . 2008-11-13 19:08 12,754 --ahs---- c:\windows\system32\B3721C07.dll
2008-11-13 19:06 . 2008-11-13 19:06 11,960 --ahs---- c:\windows\system32\4D023DE9.dll
2008-11-13 09:03 . 2008-11-13 09:03 216,873 --ahs---- c:\windows\system32\755D0ED0.dll
2008-11-13 09:03 . 2008-11-13 09:03 216,381 --ahs---- c:\windows\system32\16AF66EB.dll
2008-11-13 09:03 . 2008-11-13 09:03 5,504 --a------ c:\windows\system32\f35ee9e.sys
2008-11-13 09:03 . 2008-11-13 09:03 296 --ahs---- c:\windows\system32\16AF66EB.cfg
2008-11-13 09:03 . 2008-11-13 09:03 244 --ahs---- c:\windows\system32\755D0ED0.cfg
2008-11-13 07:30 . 2008-11-13 19:09 11,825 --ahs---- c:\windows\system32\DFEC5CB7.dll
2008-11-12 08:27 . 2008-11-12 08:30 <DIR> d-------- C:\Lop SD
2008-11-12 08:22 . 2008-11-13 19:09 217,077 --ahs---- c:\windows\system32\2EF0D734.dll
2008-11-12 08:22 . 2008-11-13 19:08 12,798 --ahs---- c:\windows\system32\66AFCB56.dll
2008-11-12 08:22 . 2008-11-12 08:22 12,269 --ahs---- c:\windows\system32\93DEE065.dll
2008-11-12 08:22 . 2008-11-12 08:22 12,103 --ahs---- c:\windows\system32\C8FFD223.dll
2008-11-12 08:22 . 2008-11-13 19:09 11,938 --ahs---- c:\windows\system32\BA7EDF54.dll
2008-11-12 07:53 . 2008-11-12 07:53 <DIR> d-------- c:\windows\ERUNT
2008-11-12 07:48 . 2008-11-12 07:48 12,717 --ahs---- c:\windows\system32\5934EA2B.dll
2008-11-12 07:48 . 2008-11-13 19:06 11,722 --ahs---- c:\windows\system32\F65BDEC7.dll
2008-11-12 07:47 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2008-11-12 07:46 . 2008-11-12 07:46 217,404 --ahs---- c:\windows\system32\70B0129E.dll
2008-11-12 07:46 . 2008-11-12 07:46 217,351 --ahs---- c:\windows\system32\4FBFD5A4.dll
2008-11-12 07:46 . 2008-11-12 07:46 216,781 --ahs---- c:\windows\system32\F8E07BB2.dll
2008-11-12 07:46 . 2008-11-12 07:46 216,659 --ahs---- c:\windows\system32\F2CBFAC4.dll
2008-11-12 07:46 . 2008-11-12 07:46 11,219 --ahs---- c:\windows\system32\01AFE3DC.dll
2008-11-12 07:45 . 2008-11-12 07:45 216,338 --ahs---- c:\windows\system32\3F21AA0C.dll
2008-11-12 07:38 . 2008-11-12 07:38 24,625 --a------ c:\windows\MSVB50CHS.dll
2008-11-11 20:06 . 2008-11-12 08:22 10,240 --a------ c:\windows\MKMKrnl.dll
2008-11-11 20:06 . 2008-11-11 20:06 204 --ahs---- c:\windows\system32\C8FFD223.cfg
2008-11-11 20:05 . 2008-11-11 20:05 184 --ahs---- c:\windows\system32\93DEE065.cfg
2008-11-11 20:04 . 2008-11-12 07:48 20,480 --a------ c:\windows\MPKrnl.dll
2008-11-11 20:04 . 2008-11-13 09:03 468 --ahs---- c:\windows\system32\70B0129E.cfg
2008-11-11 20:04 . 2008-11-11 20:04 272 --ahs---- c:\windows\system32\F2CBFAC4.cfg
2008-11-11 20:04 . 2008-11-11 20:04 220 --ahs---- c:\windows\system32\F8E07BB2.cfg
2008-11-11 20:04 . 2008-11-11 20:04 204 --ahs---- c:\windows\system32\5934EA2B.cfg
2008-11-11 20:04 . 2008-11-11 20:04 152 --ahs---- c:\windows\system32\01AFE3DC.cfg
2008-11-11 20:03 . 2008-11-11 20:03 5,504 --a------ c:\windows\system32\de8296f.sys
2008-11-11 20:03 . 2008-11-11 20:03 5,504 --a------ c:\windows\system32\d7b49fa.sys
2008-11-11 20:03 . 2008-11-11 20:03 5,504 --a------ c:\windows\system32\c39e8db.sys
2008-11-11 20:03 . 2008-11-11 20:03 312 --ahs---- c:\windows\system32\3F21AA0C.cfg
2008-11-11 20:03 . 2008-11-11 20:03 212 --ahs---- c:\windows\system32\4FBFD5A4.cfg
2008-11-10 11:53 . 2008-11-10 11:53 2,306,113 --a------ c:\windows\system32\GPhotos.scr
2008-11-02 18:25 . 2008-11-02 18:25 <DIR> d-------- c:\documents and settings\OKUCU\DoctorWeb
2008-11-02 17:46 . 2008-11-02 18:24 250 --a------ c:\windows\gmer.ini
2008-10-27 09:43 . 2008-11-05 23:48 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-27 09:43 . 2008-10-27 09:43 1,409 --a------ c:\windows\QTFont.for
2008-10-26 18:12 . 2008-10-26 18:12 <DIR> d-------- C:\rsit
2008-10-25 05:09 . 2008-10-25 05:09 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-10-24 19:55 . 2008-10-24 19:55 <DIR> d-------- C:\_OTScanIt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 04:12 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-17 17:39 --------- d-----w c:\documents and settings\OKUCU\Application Data\SolidDocuments
2008-11-17 08:05 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-12 06:16 --------- d-----w c:\documents and settings\OKUCU\Application Data\Skype
2008-11-04 02:16 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\SolidDocuments
2008-10-31 15:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-26 04:12 76,856 ----a-w c:\documents and settings\OKUCU\Application Data\GDIPFONTCACHEV1.DAT
2008-10-25 13:09 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-10-25 12:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-22 23:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 23:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-18 15:47 --------- d-----w c:\documents and settings\OKUCU\Application Data\LimeWire
2008-10-15 09:49 --------- d-----w c:\program files\Visage
2008-10-15 09:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-15 09:49 --------- d-----w c:\program files\Common Files\Visage Software
2008-10-15 08:10 --------- d-----w c:\program files\SolidDocuments
2008-10-15 08:09 --------- d-----w c:\documents and settings\All Users\Application Data\SolidDocuments
2008-10-15 07:38 --------- d-----w c:\program files\PDFCreator
2008-10-15 07:38 --------- d-----w c:\documents and settings\OKUCU\Application Data\PDFCreator
2008-10-14 05:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-13 20:55 --------- d-----w c:\program files\MathType
2008-10-12 11:08 --------- d-----w c:\documents and settings\OKUCU\Application Data\Autodesk
2008-10-12 11:08 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-10-11 09:25 --------- d-----w c:\program files\MSXML 6.0
2008-10-10 08:32 --------- d-----w c:\program files\Nikon_Capture_NX2_v2.1.0
2008-10-10 08:13 --------- d-----w c:\program files\AutoCAD 2008
2008-10-10 08:12 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-10-09 18:42 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-09 18:30 --------- d-----w c:\program files\Common Files\Adobe
2008-10-09 18:30 --------- d-----w c:\program files\Bonjour
2008-10-09 18:17 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-09 17:00 --------- d-----w c:\program files\turbo squid tentacles
2008-10-09 16:54 --------- d-----w c:\program files\Autodesk
2008-10-05 06:22 --------- d-----w c:\program files\Google
2008-10-02 06:33 --------- d-----w c:\program files\eMule
2008-10-02 06:31 --------- d-----w c:\program files\Swiss International Air Lines TravelDesk
2008-10-02 06:29 --------- d-----w c:\program files\Netopia
2008-09-29 12:20 61,440 ----a-w c:\windows\system32\drivers\qkcgs.sys
2008-09-29 05:52 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-09-29 05:47 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2008-09-25 07:44 --------- d-----w c:\documents and settings\OKUCU\Application Data\U3
2008-08-10 06:58 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbz.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-11-04_ 7.03.36.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 23:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-11-12 15:53:57 10,006,528 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-11-12 15:53:57 540,672 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 23:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-11-12 15:53:29 10,006,528 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-11-12 15:53:29 540,672 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2005-12-25 15:50:14 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-18 04:25:28 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-12-25 15:50:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-18 04:25:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-09 06:58:58 8,470 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\17HTUR26\msusp[1].bin
+ 2008-11-11 03:13:25 15,770 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\17HTUR26\msusp[2].bin
+ 2008-11-11 05:18:34 8,470 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\17HTUR26\msusp[3].bin
+ 2008-11-18 04:25:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-04 12:00:00 66,048 ----a-w c:\windows\system32\mscaeo.exe
+ 2007-04-16 15:52:53 20,480 ----a-w c:\windows\system32\upnpsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 73728]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-09-06 671744]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-25 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-28 286720]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-30 122941]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-19 48752]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2005-05-05 22656]
"MPKrnl"="c:\windows\MPKrnl.dll" [2008-11-12 20480]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 c:\windows\KHALMNPR.Exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-08-22 c:\windows\system32\TCtrlIOHook.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-22 c:\windows\agrsmmsg.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MPMKrnl"="c:\windows\MKMKrnl.dll" [2008-11-12 10240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-28 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F8E07BB2-7A19-4057-80F1-E14646E630B4}"= "F8E07BB2.dll" [BU]
"{4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96}"= "4FBFD5A4.dll" [BU]
"{3F21AA0C-2A9E-4BE9-9083-9E58AB41BA01}"= "3F21AA0C.dll" [BU]
"{F2CBFAC4-6FF9-4DE9-BCB1-0F2FA2AA0B4C}"= "F2CBFAC4.dll" [BU]
"{70B0129E-726E-4789-A7C0-5DDC33241E94}"= "70B0129E.dll" [BU]
"{01AFE3DC-2242-436E-9B44-6DD1C664E828}"= "01AFE3DC.dll" [BU]
"{5934EA2B-B2C4-4BE7-BF7A-FBA781A12E40}"= "5934EA2B.dll" [BU]
"{93DEE065-EC9B-4505-ADD3-19880AD3C38F}"= "93DEE065.dll" [BU]
"{C8FFD223-C0FB-40C5-94A0-FD7891AC18E9}"= "C8FFD223.dll" [BU]
"{16AF66EB-93C8-49F9-BB09-B4F87CEDCE46}"= "16AF66EB.dll" [BU]
"{755D0ED0-3996-4ADB-9B1F-AD8F0E9E4738}"= "755D0ED0.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=01AFE3DC.dll,HBmhly.dll,HBZHUXIAN.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-09-03 09:11 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 12:36 1207080 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-10-18 03:58 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-02-27 01:18 67128 c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 05:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 06:24 458752 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 06:14 217088 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2005-08-30 02:53 1077329 c:\program files\Toshiba\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 08:20 20058152 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-05-12 01:31 118784 c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-03-10 09:45 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]
--a------ 2005-06-06 00:58 24576 c:\windows\system32\ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 de8296f;de8296f;c:\windows\system32\de8296f.sys [2008-11-11 5504]
S0 HBKernel32;HBKernel32 Driver;c:\windows\system32\drivers\HBKernel32.sys [ ]
S3 c39e8db;c39e8db;c:\windows\system32\c39e8db.sys [2008-11-11 5504]
S3 ca99d57;ca99d57;c:\windows\system32\ca99d57.sys [ ]
S3 d435fd4;d435fd4;c:\windows\system32\d435fd4.sys [2008-11-16 5504]
S3 d7b49fa;d7b49fa;c:\windows\system32\d7b49fa.sys [2008-11-11 5504]
S3 f35ee9e;f35ee9e;c:\windows\system32\f35ee9e.sys [2008-11-13 5504]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-03 29744]
.
Contents of the 'Scheduled Tasks' folder

2008-11-17 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 03:24]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{B8E83D3C-9466-4091-9AD1-1F89418A6EB7} - B8E83D3C.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\OKUCU\Application Data\Mozilla\Firefox\Profiles\c4f6pgvi.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 20:23:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
c:\program files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\program files\Toshiba\ConfigFree\CFSServ.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-11-17 20:31:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-18 04:31:32
ComboFix2.txt 2008-11-14 03:01:43
ComboFix3.txt 2008-11-12 15:41:13
ComboFix4.txt 2008-11-12 07:33:00
ComboFix5.txt 2008-11-18 04:20:50

Pre-Run: 14,247,415,808 bytes free
Post-Run: 14,238,687,232 bytes free

384 --- E O F --- 2008-10-16 20:32:25

#52
Egwene

    Member 2k

  • Visiting Consultant
  • 2,141 posts
Hello,

Look at the CF report:

- REDUCED FUNCTIONALITY MODE -


Please run it again exactly the same way you did the first time I asked you to run it, in normal mode :wave:

Sorry for asking you to run it again... To be honest with you, it's the first time I'm stuck with a disinfection :)

But this time, I think I have found the issue... :)

Regards,
Egwene.

Edited by Egwene, 18 November 2008 - 08:09 AM.


#53
okucu

    Member

  • Topic Starter
  • Member
  • 66 posts
Sorry about the ComboFix. It must have expired and I must have continued in reduced mode. I reloaded it and here is the log:


ComboFix 08-11-17.04 - OKUCU 2008-11-18 7:56:20.12 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1254.90.1033.18.1028 [GMT -8:00]
Running from: c:\documents and settings\OKUCU\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\12.exe
c:\program files\Messenger\msgmr.dll
c:\windows\AppPatch\AcSpecf.dll
c:\windows\AppPatch\AcXtrnel.sdb
c:\windows\Downloaded Program Files\ThunderAdvise.dll
c:\windows\Fonts\Framdee.ttf
c:\windows\MSVB50CHS.dll
c:\windows\system32\01AFE3DC.dll
c:\windows\system32\08223B03.cfg
c:\windows\system32\08223B03.dll
c:\windows\system32\122B901E.cfg
c:\windows\system32\122B901E.dll
c:\windows\system32\16AF66EB.dll
c:\windows\system32\201476D0.dll
c:\windows\system32\2EF0D734.cfg
c:\windows\system32\2EF0D734.dll
c:\windows\system32\3F21AA0C.dll
c:\windows\system32\4D023DE9.cfg
c:\windows\system32\4D023DE9.dll
c:\windows\system32\4FBFD5A4.dll
c:\windows\system32\58FF3024.cfg
c:\windows\system32\58FF3024.dll
c:\windows\system32\5934EA2B.dll
c:\windows\system32\66AFCB56.cfg
c:\windows\system32\66AFCB56.dll
c:\windows\system32\70B0129E.dll
c:\windows\system32\755D0ED0.dll
c:\windows\system32\8566F82E.cfg
c:\windows\system32\8566F82E.dll
c:\windows\system32\93DEE065.dll
c:\windows\system32\9CA963CA.cfg
c:\windows\system32\9CA963CA.dll
c:\windows\system32\9F684DE8.cfg
c:\windows\system32\B3721C07.cfg
c:\windows\system32\B3721C07.dll
c:\windows\system32\B8E83D3C.dll
c:\windows\system32\BA7EDF54.cfg
c:\windows\system32\BA7EDF54.dll
c:\windows\system32\c39e8db.sys
c:\windows\system32\C8FFD223.dll
c:\windows\system32\d7b49fa.sys
c:\windows\system32\D7C79813.dll
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DA63E650.dll
c:\windows\system32\DFEC5CB7.cfg
c:\windows\system32\DFEC5CB7.dll
c:\windows\system32\drivers\HBKernel32.sys
c:\windows\system32\E3367679.cfg
c:\windows\system32\F2CBFAC4.dll
c:\windows\system32\F65BDEC7.cfg
c:\windows\system32\F65BDEC7.dll
c:\windows\system32\F8E07BB2.dll
c:\windows\system32\HBmhly.dll
c:\windows\system32\HBZHUXIAN.dll
c:\windows\system32\system.exe
c:\windows\Update.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_c39e8db
-------\Service_ca99d57
-------\Service_d7b49fa
-------\Service_HBKernel32


((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
.

2008-11-17 20:37 . 2008-11-17 20:37 220 --ahs---- c:\windows\system32\201476D0.cfg
2008-11-16 19:19 . 2008-11-16 19:19 5,504 --a------ c:\windows\system32\d435fd4.sys
2008-11-14 21:39 . 2008-11-14 21:39 220 --ahs---- c:\windows\system32\B8E83D3C.cfg
2008-11-13 09:03 . 2008-11-13 09:03 5,504 --a------ c:\windows\system32\f35ee9e.sys
2008-11-13 09:03 . 2008-11-13 09:03 296 --ahs---- c:\windows\system32\16AF66EB.cfg
2008-11-13 09:03 . 2008-11-13 09:03 244 --ahs---- c:\windows\system32\755D0ED0.cfg
2008-11-12 08:27 . 2008-11-12 08:30 <DIR> d-------- C:\Lop SD
2008-11-12 07:53 . 2008-11-12 07:53 <DIR> d-------- c:\windows\ERUNT
2008-11-12 07:47 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2008-11-11 20:06 . 2008-11-12 08:22 10,240 --a------ c:\windows\MKMKrnl.dll
2008-11-11 20:06 . 2008-11-11 20:06 204 --ahs---- c:\windows\system32\C8FFD223.cfg
2008-11-11 20:05 . 2008-11-11 20:05 184 --ahs---- c:\windows\system32\93DEE065.cfg
2008-11-11 20:04 . 2008-11-12 07:48 20,480 --a------ c:\windows\MPKrnl.dll
2008-11-11 20:04 . 2008-11-13 09:03 468 --ahs---- c:\windows\system32\70B0129E.cfg
2008-11-11 20:04 . 2008-11-11 20:04 272 --ahs---- c:\windows\system32\F2CBFAC4.cfg
2008-11-11 20:04 . 2008-11-11 20:04 220 --ahs---- c:\windows\system32\F8E07BB2.cfg
2008-11-11 20:04 . 2008-11-11 20:04 204 --ahs---- c:\windows\system32\5934EA2B.cfg
2008-11-11 20:04 . 2008-11-11 20:04 152 --ahs---- c:\windows\system32\01AFE3DC.cfg
2008-11-11 20:03 . 2008-11-11 20:03 5,504 --a------ c:\windows\system32\de8296f.sys
2008-11-11 20:03 . 2008-11-11 20:03 312 --ahs---- c:\windows\system32\3F21AA0C.cfg
2008-11-11 20:03 . 2008-11-11 20:03 212 --ahs---- c:\windows\system32\4FBFD5A4.cfg
2008-11-10 11:53 . 2008-11-10 11:53 2,306,113 --a------ c:\windows\system32\GPhotos.scr
2008-11-02 18:25 . 2008-11-02 18:25 <DIR> d-------- c:\documents and settings\OKUCU\DoctorWeb
2008-11-02 17:46 . 2008-11-02 18:24 250 --a------ c:\windows\gmer.ini
2008-10-27 09:43 . 2008-11-05 23:48 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-27 09:43 . 2008-10-27 09:43 1,409 --a------ c:\windows\QTFont.for
2008-10-26 18:12 . 2008-10-26 18:12 <DIR> d-------- C:\rsit
2008-10-25 05:09 . 2008-10-25 05:09 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-10-24 19:55 . 2008-10-24 19:55 <DIR> d-------- C:\_OTScanIt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 15:49 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-18 15:25 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-17 17:39 --------- d-----w c:\documents and settings\OKUCU\Application Data\SolidDocuments
2008-11-12 06:16 --------- d-----w c:\documents and settings\OKUCU\Application Data\Skype
2008-11-04 02:16 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\SolidDocuments
2008-10-31 15:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-26 04:12 76,856 ----a-w c:\documents and settings\OKUCU\Application Data\GDIPFONTCACHEV1.DAT
2008-10-25 13:09 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-10-25 12:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-22 23:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 23:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-18 15:47 --------- d-----w c:\documents and settings\OKUCU\Application Data\LimeWire
2008-10-15 09:49 --------- d-----w c:\program files\Visage
2008-10-15 09:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-15 09:49 --------- d-----w c:\program files\Common Files\Visage Software
2008-10-15 08:10 --------- d-----w c:\program files\SolidDocuments
2008-10-15 08:09 --------- d-----w c:\documents and settings\All Users\Application Data\SolidDocuments
2008-10-15 07:38 --------- d-----w c:\program files\PDFCreator
2008-10-15 07:38 --------- d-----w c:\documents and settings\OKUCU\Application Data\PDFCreator
2008-10-14 05:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-13 20:55 --------- d-----w c:\program files\MathType
2008-10-12 11:08 --------- d-----w c:\documents and settings\OKUCU\Application Data\Autodesk
2008-10-12 11:08 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-10-11 09:25 --------- d-----w c:\program files\MSXML 6.0
2008-10-10 08:32 --------- d-----w c:\program files\Nikon_Capture_NX2_v2.1.0
2008-10-10 08:13 --------- d-----w c:\program files\AutoCAD 2008
2008-10-10 08:12 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-10-09 18:42 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-09 18:30 --------- d-----w c:\program files\Common Files\Adobe
2008-10-09 18:30 --------- d-----w c:\program files\Bonjour
2008-10-09 18:17 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-09 17:00 --------- d-----w c:\program files\turbo squid tentacles
2008-10-09 16:54 --------- d-----w c:\program files\Autodesk
2008-10-05 06:22 --------- d-----w c:\program files\Google
2008-10-02 06:33 --------- d-----w c:\program files\eMule
2008-10-02 06:31 --------- d-----w c:\program files\Swiss International Air Lines TravelDesk
2008-10-02 06:29 --------- d-----w c:\program files\Netopia
2008-09-29 12:20 61,440 ----a-w c:\windows\system32\drivers\qkcgs.sys
2008-09-29 05:52 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-09-29 05:47 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2008-09-25 07:44 --------- d-----w c:\documents and settings\OKUCU\Application Data\U3
2008-08-10 06:58 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbz.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-11-04_ 7.03.36.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 23:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-11-12 15:53:57 10,006,528 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-11-12 15:53:57 540,672 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 23:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-11-12 15:53:29 10,006,528 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-11-12 15:53:29 540,672 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2000-08-31 05:00:00 89,504 ----a-w c:\windows\fdsv.exe
+ 2000-08-31 16:00:00 89,504 ----a-w c:\windows\fdsv.exe
- 2000-08-31 05:00:00 80,412 ----a-w c:\windows\grep.exe
+ 2000-08-31 16:00:00 80,412 ----a-w c:\windows\grep.exe
- 2000-08-31 05:00:00 98,816 ----a-w c:\windows\sed.exe
+ 2000-08-31 16:00:00 98,816 ----a-w c:\windows\sed.exe
- 2000-08-31 05:00:00 136,704 ----a-w c:\windows\swsc.exe
+ 2000-08-31 16:00:00 136,704 ----a-w c:\windows\SWSC.exe
- 2000-08-31 05:00:00 212,480 ----a-w c:\windows\swxcacls.exe
+ 2000-08-31 16:00:00 212,480 ----a-w c:\windows\SWXCACLS.exe
- 2005-12-25 15:50:14 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-18 16:03:11 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-12-25 15:50:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-18 16:03:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-18 16:03:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-04 12:00:00 66,048 ----a-w c:\windows\system32\mscaeo.exe
+ 2007-04-16 15:52:53 20,480 ----a-w c:\windows\system32\upnpsrv.dll
- 2000-08-31 05:00:00 49,152 ----a-w c:\windows\VFind.exe
+ 2000-08-31 16:00:00 49,152 ----a-w c:\windows\VFIND.exe
- 2000-08-31 05:00:00 68,096 ----a-w c:\windows\zip.exe
+ 2000-08-31 16:00:00 68,096 ----a-w c:\windows\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 73728]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-09-06 671744]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-25 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-28 286720]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-30 122941]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-19 48752]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2005-05-05 22656]
"MPKrnl"="c:\windows\MPKrnl.dll" [2008-11-12 20480]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 c:\windows\KHALMNPR.Exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-08-22 c:\windows\system32\TCtrlIOHook.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-22 c:\windows\agrsmmsg.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MPMKrnl"="c:\windows\MKMKrnl.dll" [2008-11-12 10240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-28 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F8E07BB2-7A19-4057-80F1-E14646E630B4}"= "F8E07BB2.dll" [BU]
"{4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96}"= "4FBFD5A4.dll" [BU]
"{3F21AA0C-2A9E-4BE9-9083-9E58AB41BA01}"= "3F21AA0C.dll" [BU]
"{F2CBFAC4-6FF9-4DE9-BCB1-0F2FA2AA0B4C}"= "F2CBFAC4.dll" [BU]
"{70B0129E-726E-4789-A7C0-5DDC33241E94}"= "70B0129E.dll" [BU]
"{01AFE3DC-2242-436E-9B44-6DD1C664E828}"= "01AFE3DC.dll" [BU]
"{5934EA2B-B2C4-4BE7-BF7A-FBA781A12E40}"= "5934EA2B.dll" [BU]
"{93DEE065-EC9B-4505-ADD3-19880AD3C38F}"= "93DEE065.dll" [BU]
"{C8FFD223-C0FB-40C5-94A0-FD7891AC18E9}"= "C8FFD223.dll" [BU]
"{16AF66EB-93C8-49F9-BB09-B4F87CEDCE46}"= "16AF66EB.dll" [BU]
"{755D0ED0-3996-4ADB-9B1F-AD8F0E9E4738}"= "755D0ED0.dll" [BU]
"{B8E83D3C-9466-4091-9AD1-1F89418A6EB7}"= "B8E83D3C.dll" [BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-09-03 09:11 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 12:36 1207080 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-10-18 03:58 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-02-27 01:18 67128 c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 05:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 06:24 458752 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 06:14 217088 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2005-08-30 02:53 1077329 c:\program files\Toshiba\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 08:20 20058152 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-05-12 01:31 118784 c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-03-10 09:45 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]
--a------ 2005-06-06 00:58 24576 c:\windows\system32\ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S3 d435fd4;d435fd4;\??\c:\windows\system32\d435fd4.sys [2008-11-16 5504]
S3 de8296f;de8296f;\??\c:\windows\system32\de8296f.sys [2008-11-11 5504]
S3 f35ee9e;f35ee9e;\??\c:\windows\system32\f35ee9e.sys [2008-11-13 5504]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-07 29744]
.
Contents of the 'Scheduled Tasks' folder

2008-11-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 03:24]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{201476D0-2B18-462E-AB9F-3E2B0CC8732B} - 201476D0.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\OKUCU\Application Data\Mozilla\Firefox\Profiles\c4f6pgvi.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 08:01:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
c:\program files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\program files\Toshiba\ConfigFree\CFSServ.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint2K\ApntEx.exe
c:\progra~1\MICROS~4\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-11-18 8:09:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-18 16:08:57
ComboFix2.txt 2008-11-18 04:31:40
ComboFix3.txt 2008-11-14 03:01:43
ComboFix4.txt 2008-11-12 15:41:13
ComboFix5.txt 2008-11-18 15:55:40

Pre-Run: 14,123,581,440 bytes free
Post-Run: 14,141,415,424 bytes free

387 --- E O F --- 2008-10-16 20:32:25
  • 0

#54
Egwene

Egwene

    Member 2k

  • Visiting Consultant
  • 2,141 posts
Hello,

No problem :)

Let's try this new CFScript. Hope this time I have found all the bad files to kill the infection.

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Our fix will be done with internet turned off, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Please close any open windows and disconnect yourself PHYSICALLY from the internet.

Open notepad and copy/paste the text in the quotebox below into it:


KillAll::

Driver::
d435fd4
de8296f
f35ee9e
mscaeosd

Collect::
c:\windows\system32\201476D0.cfg
c:\windows\system32\d435fd4.sys
c:\windows\system32\B8E83D3C.cfg
c:\windows\system32\f35ee9e.sys
c:\windows\system32\16AF66EB.cfg
c:\windows\system32\755D0ED0.cfg
c:\windows\MKMKrnl.dll
c:\windows\system32\C8FFD223.cfg
c:\windows\system32\93DEE065.cfg
c:\windows\MPKrnl.dll
c:\windows\system32\70B0129E.cfg
c:\windows\system32\F2CBFAC4.cfg
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\5934EA2B.cfg
c:\windows\system32\01AFE3DC.cfg
c:\windows\system32\de8296f.sys
c:\windows\system32\3F21AA0C.cfg
c:\windows\system32\4FBFD5A4.cfg
c:\windows\system32\mscaeo.exe
c:\windows\system32\upnpsrv.dll

File::
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\17HTUR26\msusp[1].bin
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\17HTUR26\msusp[2].bin
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\17HTUR26\msusp[3].bin

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MPKrnl"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MPMKrnl"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F8E07BB2-7A19-4057-80F1-E14646E630B4}"=-
"{4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96}"=-
"{3F21AA0C-2A9E-4BE9-9083-9E58AB41BA01}"=-
"{F2CBFAC4-6FF9-4DE9-BCB1-0F2FA2AA0B4C}"=- 
"{70B0129E-726E-4789-A7C0-5DDC33241E94}"=-
"{01AFE3DC-2242-436E-9B44-6DD1C664E828}"=-
"{5934EA2B-B2C4-4BE7-BF7A-FBA781A12E40}"=-
"{93DEE065-EC9B-4505-ADD3-19880AD3C38F}"=-
"{C8FFD223-C0FB-40C5-94A0-FD7891AC18E9}"=-
"{16AF66EB-93C8-49F9-BB09-B4F87CEDCE46}"=-
"{755D0ED0-3996-4ADB-9B1F-AD8F0E9E4738}"=-
"{B8E83D3C-9466-4091-9AD1-1F89418A6EB7}"=-

Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Please re-connect yourself to the internet.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

Note: if ComboFix does not open a webpage, or if you can't connect to the internet at this time, then after connecting to the internet please click Here,
then click on the browse button and navigate to this location:
C:\Qoobox\quarantine, and open the quarantine folder.

Then choose the Submit.zip and then click on upload file.

Let me know if you were able to do so.

Regards,
Egwene.
  • 0
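As an added example (not part of this thread and not ComboFix's own code), the Python below picks out the ShellExecuteHooks entries in a ComboFix log whose DLL name is just the first eight hex digits of its own CLSID, the pattern the CFScript above removes by hand, and emits the matching Collect:: and Registry:: lines. The sample log lines are constructed in the style of the logs in this thread; the c:\windows\system32 location and the .cfg/.dll pairing are assumptions taken from what those logs show.

```python
"""Flag ShellExecuteHooks entries named after their own CLSID and build
the CFScript lines that would collect the files and drop the hook values."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, not a real log: two hooks in the style seen in this
# thread plus one legitimate-looking hook with a full path that must NOT be
# flagged, followed by an unrelated section that must end hook parsing.
SAMPLE_LOG = r"""
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F8E07BB2-7A19-4057-80F1-E14646E630B4}"= "F8E07BB2.dll" [BU]
"{4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96}"= "4FBFD5A4.dll" [BU]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= "c:\windows\system32\shell32.dll" [2004-08-04 8461312]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Registry key ComboFix prints for shell execute hooks (lower-cased in its logs).
HOOK_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks"
# Assumed location of the hook DLLs and their .cfg companions, as in this thread's logs.
SYSTEM32 = r"c:\windows\system32"

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r'^"\{(?P<clsid>[0-9A-Fa-f-]{36})\}"\s*=\s*"(?P<value>[^"]*)"')


@dataclass(frozen=True)
class SuspiciousHook:
    clsid: str   # upper-cased CLSID without braces
    dll: str     # DLL file name as it appears in the log


def find_suspicious_hooks(log_text: str) -> list[SuspiciousHook]:
    """Return hooks whose DLL basename equals the first 8 hex digits of the CLSID."""
    hits: list[SuspiciousHook] = []
    in_hooks = False
    for line in log_text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            # Only the ShellExecuteHooks section is of interest; any other
            # section header switches parsing off again.
            in_hooks = section.group("key").lower() == HOOK_KEY.lower()
            continue
        if not in_hooks:
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        clsid = entry.group("clsid").upper()
        # Strip any directory part so a full path is compared by file name only.
        basename = entry.group("value").replace("/", "\\").rsplit("\\", 1)[-1]
        if basename.upper() == clsid[:8] + ".DLL":
            hits.append(SuspiciousHook(clsid=clsid, dll=basename))
    return hits


def build_cfscript(hooks: list[SuspiciousHook]) -> str:
    """Render Collect:: and Registry:: blocks in CFScript syntax for the hits."""
    if not hooks:
        return ""
    lines = ["Collect::"]
    for hook in hooks:
        stem = hook.dll.rsplit(".", 1)[0]
        lines.append(f"{SYSTEM32}\\{stem}.cfg")   # companion .cfg seen beside each DLL
        lines.append(f"{SYSTEM32}\\{hook.dll}")
    lines += ["", "Registry::", f"[{HOOK_KEY}]"]
    # "name"=- is the REGEDIT4 syntax for deleting a value, as in the script above.
    lines += [f'"{{{hook.clsid}}}"=-' for hook in hooks]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_suspicious_hooks(SAMPLE_LOG)
    for hook in found:
        print(f"suspicious hook {{{hook.clsid}}} -> {hook.dll}")
    print(build_cfscript(found))
```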

#55
okucu

okucu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
Here is the ComboFix log below.

I also submitted the Quarantine/Submit file you wanted (I clicked "send" after browsing and locating it. It said it was sent successfully).

ComboFix 08-11-17.04 - OKUCU 2008-11-18 22:11:35.13 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1254.90.1033.18.1008 [GMT -8:00]
Running from: c:\documents and settings\OKUCU\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\OKUCU\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\17HTUR26\msusp[1].bin
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\17HTUR26\msusp[2].bin
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\17HTUR26\msusp[3].bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\12.exe
c:\program files\Messenger\msgmr.dll
c:\windows\AppPatch\AcSpecf.dll
c:\windows\AppPatch\AcXtrnel.sdb
c:\windows\Downloaded Program Files\ThunderAdvise.dll
c:\windows\Fonts\Framdee.ttf
c:\windows\MKMKrnl.dll
c:\windows\MPKrnl.dll
c:\windows\MSVB50CHS.dll
c:\windows\system32\01AFE3DC.cfg
c:\windows\system32\01AFE3DC.dll
c:\windows\system32\08223B03.cfg
c:\windows\system32\08223B03.dll
c:\windows\system32\122B901E.cfg
c:\windows\system32\122B901E.dll
c:\windows\system32\16AF66EB.cfg
c:\windows\system32\16AF66EB.dll
c:\windows\system32\201476D0.cfg
c:\windows\system32\201476D0.dll
c:\windows\system32\2EF0D734.cfg
c:\windows\system32\2EF0D734.dll
c:\windows\system32\3B8DA919.dll
c:\windows\system32\3F21AA0C.cfg
c:\windows\system32\4D023DE9.cfg
c:\windows\system32\4D023DE9.dll
c:\windows\system32\4FBFD5A4.cfg
c:\windows\system32\4FBFD5A4.dll
c:\windows\system32\58FF3024.cfg
c:\windows\system32\58FF3024.dll
c:\windows\system32\5934EA2B.cfg
c:\windows\system32\5934EA2B.dll
c:\windows\system32\66AFCB56.cfg
c:\windows\system32\66AFCB56.dll
c:\windows\system32\70B0129E.cfg
c:\windows\system32\755D0ED0.cfg
c:\windows\system32\8566F82E.cfg
c:\windows\system32\8566F82E.dll
c:\windows\system32\93DEE065.cfg
c:\windows\system32\93DEE065.dll
c:\windows\system32\9CA963CA.cfg
c:\windows\system32\9CA963CA.dll
c:\windows\system32\9F684DE8.cfg
c:\windows\system32\9F684DE8.dll
c:\windows\system32\A1A6BC2E.dll
c:\windows\system32\AD794E6B.dll
c:\windows\system32\B3721C07.cfg
c:\windows\system32\B3721C07.dll
c:\windows\system32\B8E83D3C.cfg
c:\windows\system32\B8E83D3C.dll
c:\windows\system32\BA7EDF54.cfg
c:\windows\system32\BA7EDF54.dll
c:\windows\system32\C8FFD223.cfg
c:\windows\system32\C8FFD223.dll
c:\windows\system32\d435fd4.sys
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DA63E650.dll
c:\windows\system32\de8296f.sys
c:\windows\system32\DFEC5CB7.cfg
c:\windows\system32\DFEC5CB7.dll
c:\windows\system32\drivers\HBKernel32.sys
c:\windows\system32\E.tmp
c:\windows\system32\E1D19FCC.dll
c:\windows\system32\E3367679.cfg
c:\windows\system32\F2CBFAC4.cfg
c:\windows\system32\f35ee9e.sys
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\F8E07BB2.dll
c:\windows\system32\HBmhly.dll
c:\windows\system32\HBZHUXIAN.dll
c:\windows\system32\mscaeo.exe
c:\windows\system32\system.exe
c:\windows\system32\upnpsrv.dll
c:\windows\temp\wmsetup.dll
c:\windows\Update.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_F35EE9E
-------\Legacy_MSCAEOSD
-------\Service_d435fd4
-------\Service_de8296f
-------\Service_f35ee9e
-------\Service_HBKernel32
-------\Service_mscaeosd


((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.

2008-11-18 22:06 . 2008-11-18 22:06 208 --ahs---- c:\windows\system32\A1A6BC2E.cfg
2008-11-18 22:05 . 2008-11-18 22:05 5,504 --a------ c:\windows\system32\b160485.sys
2008-11-18 08:14 . 2008-11-18 08:14 244 --ahs---- c:\windows\system32\E1D19FCC.cfg
2008-11-18 08:14 . 2008-11-18 08:14 228 --ahs---- c:\windows\system32\AD794E6B.cfg
2008-11-18 08:14 . 2008-11-18 08:14 180 --ahs---- c:\windows\system32\3B8DA919.cfg
2008-11-12 08:27 . 2008-11-12 08:30 <DIR> d-------- C:\Lop SD
2008-11-12 07:53 . 2008-11-12 07:53 <DIR> d-------- c:\windows\ERUNT
2008-11-12 07:47 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2008-11-10 11:53 . 2008-11-10 11:53 2,306,113 --a------ c:\windows\system32\GPhotos.scr
2008-11-02 18:25 . 2008-11-02 18:25 <DIR> d-------- c:\documents and settings\OKUCU\DoctorWeb
2008-11-02 17:46 . 2008-11-02 18:24 250 --a------ c:\windows\gmer.ini
2008-10-27 09:43 . 2008-11-05 23:48 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-27 09:43 . 2008-10-27 09:43 1,409 --a------ c:\windows\QTFont.for
2008-10-26 18:12 . 2008-10-26 18:12 <DIR> d-------- C:\rsit
2008-10-25 05:09 . 2008-10-25 05:09 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-10-24 19:55 . 2008-10-24 19:55 <DIR> d-------- C:\_OTScanIt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-19 05:54 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-18 15:25 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-17 17:39 --------- d-----w c:\documents and settings\OKUCU\Application Data\SolidDocuments
2008-11-12 06:16 --------- d-----w c:\documents and settings\OKUCU\Application Data\Skype
2008-11-04 02:16 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\SolidDocuments
2008-10-31 15:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-26 04:12 76,856 ----a-w c:\documents and settings\OKUCU\Application Data\GDIPFONTCACHEV1.DAT
2008-10-25 13:09 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-10-25 12:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-22 23:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 23:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-18 15:47 --------- d-----w c:\documents and settings\OKUCU\Application Data\LimeWire
2008-10-15 09:49 --------- d-----w c:\program files\Visage
2008-10-15 09:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-15 09:49 --------- d-----w c:\program files\Common Files\Visage Software
2008-10-15 08:10 --------- d-----w c:\program files\SolidDocuments
2008-10-15 08:09 --------- d-----w c:\documents and settings\All Users\Application Data\SolidDocuments
2008-10-15 07:38 --------- d-----w c:\program files\PDFCreator
2008-10-15 07:38 --------- d-----w c:\documents and settings\OKUCU\Application Data\PDFCreator
2008-10-14 05:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-13 20:55 --------- d-----w c:\program files\MathType
2008-10-12 11:08 --------- d-----w c:\documents and settings\OKUCU\Application Data\Autodesk
2008-10-12 11:08 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-10-11 09:25 --------- d-----w c:\program files\MSXML 6.0
2008-10-10 08:32 --------- d-----w c:\program files\Nikon_Capture_NX2_v2.1.0
2008-10-10 08:13 --------- d-----w c:\program files\AutoCAD 2008
2008-10-10 08:12 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-10-09 18:42 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-09 18:30 --------- d-----w c:\program files\Common Files\Adobe
2008-10-09 18:30 --------- d-----w c:\program files\Bonjour
2008-10-09 18:17 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-09 17:00 --------- d-----w c:\program files\turbo squid tentacles
2008-10-09 16:54 --------- d-----w c:\program files\Autodesk
2008-10-05 06:22 --------- d-----w c:\program files\Google
2008-10-02 06:33 --------- d-----w c:\program files\eMule
2008-10-02 06:31 --------- d-----w c:\program files\Swiss International Air Lines TravelDesk
2008-10-02 06:29 --------- d-----w c:\program files\Netopia
2008-09-29 12:20 61,440 ----a-w c:\windows\system32\drivers\qkcgs.sys
2008-09-29 05:52 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-09-29 05:47 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2008-09-25 07:44 --------- d-----w c:\documents and settings\OKUCU\Application Data\U3
2008-08-10 06:58 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbz.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-11-18_ 8.08.27.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-18 16:03:11 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-19 05:54:06 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-18 16:03:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-19 05:54:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-18 16:03:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-19 05:54:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 73728]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-09-06 671744]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-25 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-28 286720]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-30 122941]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-19 48752]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2005-05-05 22656]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 c:\windows\KHALMNPR.Exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-08-22 c:\windows\system32\TCtrlIOHook.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-22 c:\windows\agrsmmsg.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-28 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{201476D0-2B18-462E-AB9F-3E2B0CC8732B}"= "201476D0.dll" [BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-09-03 09:11 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 12:36 1207080 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-10-18 03:58 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-02-27 01:18 67128 c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 05:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 06:24 458752 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 06:14 217088 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2005-08-30 02:53 1077329 c:\program files\Toshiba\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 08:20 20058152 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-05-12 01:31 118784 c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-03-10 09:45 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]
--a------ 2005-06-06 00:58 24576 c:\windows\system32\ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S3 b160485;b160485;\??\c:\windows\system32\b160485.sys [2008-11-18 5504]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-07 29744]
.
Contents of the 'Scheduled Tasks' folder

2008-11-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 03:24]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{E1D19FCC-4777-4D71-B863-6A0A5B4E59BC} - E1D19FCC.dll
ShellExecuteHooks-{AD794E6B-90B7-4F9D-8FD6-0C16E3298FF2} - AD794E6B.dll
ShellExecuteHooks-{3B8DA919-1139-4B10-AD8F-91E8FBCFD375} - 3B8DA919.dll
ShellExecuteHooks-{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8} - A1A6BC2E.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 22:16:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
c:\program files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\program files\Toshiba\ConfigFree\CFSServ.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-11-18 22:23:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-19 06:23:18
ComboFix2.txt 2008-11-18 16:09:09
ComboFix3.txt 2008-11-18 04:31:40
ComboFix4.txt 2008-11-14 03:01:43
ComboFix5.txt 2008-11-19 06:09:49

Pre-Run: 14,101,622,784 bytes free
Post-Run: 14,092,267,520 bytes free

355 --- E O F --- 2008-10-16 20:32:25
  • 0



#56
Egwene


    Member 2k

  • Visiting Consultant
  • 2,141 posts
Hello,

Please download and unzip IceSword to its own folder on your desktop.
  • Close all windows and run IceSword.
  • Click on the File tab at left.
  • Click on the cross beside Local Disk (C:)
  • Click on the cross beside Windows
  • Click on the system32 folder
  • Click on the drivers folder
  • Please search for a file called qkcgs.sys
  • Then right-click on it and choose Copy to...
  • Call it "qkTest.sys" and save it on your desktop.
  • Close IceSword
  • To finish, please analyse the "qkTest.sys" file on virusscan and post me the report together with a fresh ComboFix log.

We have nearly finished... :)

Regards,
Egwene.

Edited by Egwene, 19 November 2008 - 08:22 AM.

  • 0

#57
okucu


    Member

  • Topic Starter
  • Member
  • 66 posts
Hi Egwene,

We did the same virusscan for the same file on Nov 07.
But here it is once more:

VirSCAN.org Scanned Report :
Scanned time : 2008/10/10 14:55:21 (PDT)
Scanner results: 26% Scanner(10/38) found malware!
File Name : igfwr.sys
File Size : 61440 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 589312a3b46721c5a751e4d5222a89be
SHA1 : 3a497d3968a4f6e3c648d196da38e5f98e75ec30
Online report : http://virscan.org/r...cee43dab85.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.16 2008.10.09 2008-10-09 1.43 Hoax.Win32.Agent.fu!A2
AhnLab V3 2008.10.11.00 2008.10.11 2008-10-11 0.94 Win-Trojan/Avenger.61440
AntiVir 7.8.1.34 7.0.7.27 2008-10-10 2.36 -
Antiy 2.0.18 20081010.1468787 2008-10-10 0.12 -
Arcavir 1.0.5 200810101307 2008-10-10 1.28 -
Authentium 5.1.1 200810100520 2008-10-10 1.05 -
AVAST! 3.0.1 081010-0 2008-10-10 0.01 -
AVG 7.5.52.442 270.8.0/1719 2008-10-10 1.63 -
BitDefender 7.60825.1859675 7.21216 2008-10-11 3.13 -
CA (VET) 9.0.0.143 31.6.6141 2008-10-10 3.85 -
ClamAV 0.94 8410 2008-10-11 0.01 Joke.FakeInfect
Comodo 2.11 2.0.0.672 2008-10-10 0.43 -
CP Secure 1.1.0.715 2008.10.11 2008-10-11 6.03 Malware.W32.Agent.fu
Dr.Web 4.44.0.9170 2008.10.10 2008-10-10 3.28 -
ewido 4.0.0.2 2008.10.10 2008-10-10 4.72 -
F-Prot 4.4.4.56 20081010 2008-10-10 1.05 -
F-Secure 5.51.6100 2008.10.10.08 2008-10-10 3.54 -
Fortinet 2.81-3.113 9.630 2008-10-10 0.18 PossibleThreat
ViRobot 20081010 2008.10.10 2008-10-10 0.40 -
Ikarus T3.1.01.34 2008.10.10.71621 2008-10-10 3.51 -
JiangMin 11.0.706 2008.10.10 2008-10-10 1.28 Hoax.Agent.f
Kaspersky 5.5.10 2008.10.10 2008-10-10 0.04 -
KingSoft 2008.9.8.18 2008.10.10.17 2008-10-10 0.65 -
McAfee 5.3.00 5402 2008-10-09 2.08 -
Microsoft 1.4005 2008.10.10 2008-10-10 4.03 -
mks_vir 2.01 2008.10.10 2008-10-10 2.78 -
Norman 5.93.01 5.93.00 2008-10-10 5.20 W32/Agent.HHSF
Panda 9.05.01 2008.10.10 2008-10-10 2.38 Trj/Downloader.MDW
Trend Micro 8.700-1004 5.593.00 2008-10-10 0.03 -
Quick Heal 9.50 2008.10.10 2008-10-10 1.81 Hoax.Agent.fz (Not a Virus)
Rising 20.0 20.65.40.00 2008-10-10 0.79 -
Sophos 2.79.0 4.34 2008-10-11 1.80 Troj/Agent-HTL
Sunbelt 3.1.1714.1 2297 2008-10-09 0.51 -
Symantec 1.3.0.24 20081010.004 2008-10-10 0.21 -
nProtect 2008-10-10.00 2229401 2008-10-10 4.32 -
The Hacker 6.3.1.0 v00107 2008-10-10 0.44 -
VBA32 3.12.8.6 20081009.0801 2008-10-09 1.37 -
VirusBuster 4.5.11.10 10.89.13/634209 2008-10-10 0.84 -



Combofix will follow ...
  • 0
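An added example (mine, not from the thread, not Egwene's procedure and not ComboFix's own code): a small Python triage script that reads ComboFix "Reg Loading Points" and driver lines and flags the indicators the logs in this thread show, namely 7-8 hex-character file names (201476D0.dll, b160485.sys), Run values that point at a DLL (MPKrnl.dll), anything under the Policies\Explorer\Run key, a .sys loaded from system32 itself rather than system32\drivers, Security Center monitoring switched off and the Windows Firewall disabled. The sample log is constructed from lines of the posted log; the rule names and regexes are mine. The last two rules also fire on what a third-party suite such as Norton sets legitimately, so treat those hits as context to confirm, not as proof.

```python
"""Triage a ComboFix log for the autostart indicators seen in this thread.

Added example, not part of the thread and not ComboFix's own code. The rules
are heuristics: each hit is a line worth a human look, not a verdict.
"""
import re

# Constructed sample: lines shaped like the posted "Reg Loading Points" and
# Drivers/Services sections (names such as 201476D0.dll are taken from the log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"MPKrnl"="c:\windows\MPKrnl.dll" [2008-11-18 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MPMKrnl"="c:\windows\MKMKrnl.dll" [2008-11-18 10240]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{201476D0-2B18-462E-AB9F-3E2B0CC8732B}"= "201476D0.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S3 b160485;b160485;\??\c:\windows\system32\b160485.sys [2008-11-18 5504]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-07 29744]
"""

# 7-8 hex characters plus .dll/.cfg/.sys: the naming scheme of every file
# ComboFix deleted in this thread (201476D0.dll, b160485.sys, ...).
HEX_NAME = re.compile(r"^[0-9a-f]{7,8}\.(?:dll|cfg|sys)$", re.I)
# "name"=value [annotation]  -- the annotation is ComboFix's "[date size]" or "[BU]"
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# S3 svc;display name;path [annotation]  -- ComboFix's driver/service lines
SERVICE_LINE = re.compile(r"^[SR]\d\s+[^;]+;[^;]*;(.+?)\s*(?:\[[^\]]*\])?\s*$")


def _file_name(path):
    """Last component of a Windows path, independent of the host OS."""
    return path.strip('"').rsplit("\\", 1)[-1]


def triage(log_text):
    """Return (rule, line) pairs for every line that trips a heuristic."""
    findings = []
    key = ""  # registry key the current value lines belong to, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            key = line.strip("[]").lower()
            continue

        svc = SERVICE_LINE.match(line)
        if svc:
            path = svc.group(1).strip('"').replace("\\??\\", "")
            # Legitimate drivers live in system32\drivers; a .sys dropped in
            # system32 itself (b160485.sys, ca99d57.sys) is the pattern here.
            if re.search(r"\\system32\\[^\\]+\.sys$", path, re.I):
                findings.append(("driver loaded from system32 root, not system32\\drivers", line))
            if HEX_NAME.match(_file_name(path)):
                findings.append(("random hex file name", line))
            continue

        val = VALUE_LINE.match(line)
        if not val:
            continue
        name, target = val.group(1), val.group(2)
        target = re.sub(r"\s*\[[^\]]*\]\s*$", "", target).strip().strip('"')
        fname = _file_name(target)

        if HEX_NAME.match(fname):
            findings.append(("random hex file name", line))
        # Run values normally launch an .exe; a bare .dll here (MPKrnl.dll)
        # means something else is loading it on the malware's behalf.
        if key.endswith("\\run") and fname.lower().endswith(".dll"):
            findings.append(("Run entry loads a DLL", line))
        # Policies\Explorer\Run is a rarely used autostart location;
        # legitimate software almost never registers there.
        if "policies\\explorer\\run" in key:
            findings.append(("autostart via Policies\\Explorer\\Run", line))
        # These two are also set by third-party suites (Norton here), so they
        # are context, not proof: confirm the suite is actually running.
        if "security center\\monitoring" in key and name.lower() == "disablemonitoring" and target.endswith("1"):
            findings.append(("Security Center monitoring disabled", line))
        if "firewallpolicy" in key and name.lower() == "enablefirewall" and target.startswith("0"):
            findings.append(("Windows Firewall disabled for this profile", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:55} {line}")
```

Run it against a saved ComboFix log by replacing SAMPLE_LOG with the file contents; the hex-name rule is deliberately loose (any 7-8 hex characters, so a name like "decade12.dll" would also trip it), which is why every hit is meant to be read by a person rather than acted on automatically.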

#58
okucu


    Member

  • Topic Starter
  • Member
  • 66 posts
And the ComboFix log:

ComboFix 08-11-17.04 - OKUCU 2008-11-19 8:21:29.14 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1254.90.1033.18.1012 [GMT -8:00]
Running from: c:\documents and settings\OKUCU\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Messenger\msgmr.dll
c:\windows\AppPatch\AcSpecf.dll
c:\windows\AppPatch\AcXtrnel.sdb
c:\windows\Downloaded Program Files\ThunderAdvise.dll
c:\windows\Fonts\Framdee.ttf
c:\windows\MSVB50CHS.dll
c:\windows\system32\01AFE3DC.dll
c:\windows\system32\08223B03.cfg
c:\windows\system32\08223B03.dll
c:\windows\system32\122B901E.cfg
c:\windows\system32\122B901E.dll
c:\windows\system32\16AF66EB.dll
c:\windows\system32\201476D0.dll
c:\windows\system32\2EF0D734.cfg
c:\windows\system32\2EF0D734.dll
c:\windows\system32\3B8DA919.dll
c:\windows\system32\4D023DE9.cfg
c:\windows\system32\4D023DE9.dll
c:\windows\system32\4FBFD5A4.dll
c:\windows\system32\58FF3024.cfg
c:\windows\system32\58FF3024.dll
c:\windows\system32\5934EA2B.dll
c:\windows\system32\66AFCB56.cfg
c:\windows\system32\66AFCB56.dll
c:\windows\system32\8566F82E.cfg
c:\windows\system32\8566F82E.dll
c:\windows\system32\93DEE065.dll
c:\windows\system32\9CA963CA.cfg
c:\windows\system32\9CA963CA.dll
c:\windows\system32\9F684DE8.cfg
c:\windows\system32\A1A6BC2E.dll
c:\windows\system32\AD794E6B.dll
c:\windows\system32\B3721C07.cfg
c:\windows\system32\B3721C07.dll
c:\windows\system32\B8E83D3C.dll
c:\windows\system32\BA7EDF54.cfg
c:\windows\system32\BA7EDF54.dll
c:\windows\system32\C8FFD223.dll
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DA63E650.dll
c:\windows\system32\DFEC5CB7.cfg
c:\windows\system32\DFEC5CB7.dll
c:\windows\system32\drivers\HBKernel32.sys
c:\windows\system32\E1D19FCC.dll
c:\windows\system32\F8E07BB2.dll
c:\windows\system32\HBmhly.dll
c:\windows\system32\HBZHUXIAN.dll
c:\windows\system32\system.exe
c:\windows\temp\wmsetup.dll
c:\windows\Update.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_HBKernel32


((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.

2008-11-18 22:30 . 2008-11-18 22:30 20,480 --a------ c:\windows\MPKrnl.dll
2008-11-18 22:30 . 2008-11-18 22:30 220 --ahs---- c:\windows\system32\B8E83D3C.cfg
2008-11-18 22:30 . 2008-11-18 22:30 152 --ahs---- c:\windows\system32\01AFE3DC.cfg
2008-11-18 22:29 . 2008-11-18 22:29 10,240 --a------ c:\windows\MKMKrnl.dll
2008-11-18 22:29 . 2008-11-18 22:29 220 --ahs---- c:\windows\system32\201476D0.cfg
2008-11-18 22:29 . 2008-11-18 22:29 204 --ahs---- c:\windows\system32\C8FFD223.cfg
2008-11-18 22:29 . 2008-11-18 22:29 180 --ahs---- c:\windows\system32\93DEE065.cfg
2008-11-18 22:28 . 2008-11-18 22:28 5,504 --a------ c:\windows\system32\f35ee9e.sys
2008-11-18 22:28 . 2008-11-18 22:28 5,504 --a------ c:\windows\system32\d435fd4.sys
2008-11-18 22:28 . 2008-11-18 22:28 296 --ahs---- c:\windows\system32\16AF66EB.cfg
2008-11-18 22:28 . 2008-11-18 22:28 220 --ahs---- c:\windows\system32\F8E07BB2.cfg
2008-11-18 22:28 . 2008-11-18 22:28 212 --ahs---- c:\windows\system32\4FBFD5A4.cfg
2008-11-18 22:28 . 2008-11-18 22:28 204 --ahs---- c:\windows\system32\5934EA2B.cfg
2008-11-18 22:06 . 2008-11-18 22:06 208 --ahs---- c:\windows\system32\A1A6BC2E.cfg
2008-11-18 22:05 . 2008-11-18 22:05 5,504 --a------ c:\windows\system32\b160485.sys
2008-11-18 08:14 . 2008-11-18 08:14 244 --ahs---- c:\windows\system32\E1D19FCC.cfg
2008-11-18 08:14 . 2008-11-18 08:14 228 --ahs---- c:\windows\system32\AD794E6B.cfg
2008-11-18 08:14 . 2008-11-18 08:14 180 --ahs---- c:\windows\system32\3B8DA919.cfg
2008-11-12 08:27 . 2008-11-12 08:30 <DIR> d-------- C:\Lop SD
2008-11-12 07:53 . 2008-11-12 07:53 <DIR> d-------- c:\windows\ERUNT
2008-11-12 07:47 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2008-11-10 11:53 . 2008-11-10 11:53 2,306,113 --a------ c:\windows\system32\GPhotos.scr
2008-11-02 18:25 . 2008-11-02 18:25 <DIR> d-------- c:\documents and settings\OKUCU\DoctorWeb
2008-11-02 17:46 . 2008-11-02 18:24 250 --a------ c:\windows\gmer.ini
2008-10-27 09:43 . 2008-11-05 23:48 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-27 09:43 . 2008-10-27 09:43 1,409 --a------ c:\windows\QTFont.for
2008-10-26 18:12 . 2008-10-26 18:12 <DIR> d-------- C:\rsit
2008-10-25 05:09 . 2008-10-25 05:09 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-10-24 19:55 . 2008-10-24 19:55 <DIR> d-------- C:\_OTScanIt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-19 15:40 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-19 08:18 --------- d-----w c:\documents and settings\OKUCU\Application Data\SolidDocuments
2008-11-18 15:25 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-12 06:16 --------- d-----w c:\documents and settings\OKUCU\Application Data\Skype
2008-11-04 02:16 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\SolidDocuments
2008-10-31 15:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-26 04:12 76,856 ----a-w c:\documents and settings\OKUCU\Application Data\GDIPFONTCACHEV1.DAT
2008-10-25 13:09 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-10-25 12:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-22 23:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 23:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-18 15:47 --------- d-----w c:\documents and settings\OKUCU\Application Data\LimeWire
2008-10-15 09:49 --------- d-----w c:\program files\Visage
2008-10-15 09:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-15 09:49 --------- d-----w c:\program files\Common Files\Visage Software
2008-10-15 08:10 --------- d-----w c:\program files\SolidDocuments
2008-10-15 08:09 --------- d-----w c:\documents and settings\All Users\Application Data\SolidDocuments
2008-10-15 07:38 --------- d-----w c:\program files\PDFCreator
2008-10-15 07:38 --------- d-----w c:\documents and settings\OKUCU\Application Data\PDFCreator
2008-10-14 05:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-13 20:55 --------- d-----w c:\program files\MathType
2008-10-12 11:08 --------- d-----w c:\documents and settings\OKUCU\Application Data\Autodesk
2008-10-12 11:08 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-10-11 09:25 --------- d-----w c:\program files\MSXML 6.0
2008-10-10 08:32 --------- d-----w c:\program files\Nikon_Capture_NX2_v2.1.0
2008-10-10 08:13 --------- d-----w c:\program files\AutoCAD 2008
2008-10-10 08:12 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-10-09 18:42 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-09 18:30 --------- d-----w c:\program files\Common Files\Adobe
2008-10-09 18:30 --------- d-----w c:\program files\Bonjour
2008-10-09 18:17 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-09 17:00 --------- d-----w c:\program files\turbo squid tentacles
2008-10-09 16:54 --------- d-----w c:\program files\Autodesk
2008-10-05 06:22 --------- d-----w c:\program files\Google
2008-10-02 06:33 --------- d-----w c:\program files\eMule
2008-10-02 06:31 --------- d-----w c:\program files\Swiss International Air Lines TravelDesk
2008-10-02 06:29 --------- d-----w c:\program files\Netopia
2008-09-29 12:20 61,440 ----a-w c:\windows\system32\drivers\qkcgs.sys
2008-09-29 05:52 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-09-29 05:47 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2008-09-25 07:44 --------- d-----w c:\documents and settings\OKUCU\Application Data\U3
2008-08-10 06:58 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbz.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-11-18_ 8.08.27.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-18 16:03:11 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-19 05:54:06 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-18 16:03:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-19 05:54:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-18 16:03:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-19 05:54:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 73728]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-09-06 671744]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-25 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-28 286720]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-30 122941]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-19 48752]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2005-05-05 22656]
"MPKrnl"="c:\windows\MPKrnl.dll" [2008-11-18 20480]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 c:\windows\KHALMNPR.Exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-08-22 c:\windows\system32\TCtrlIOHook.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-22 c:\windows\agrsmmsg.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MPMKrnl"="c:\windows\MKMKrnl.dll" [2008-11-18 10240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-28 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{201476D0-2B18-462E-AB9F-3E2B0CC8732B}"= "201476D0.dll" [BU]
"{16AF66EB-93C8-49F9-BB09-B4F87CEDCE46}"= "16AF66EB.dll" [BU]
"{4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96}"= "4FBFD5A4.dll" [BU]
"{E1D19FCC-4777-4D71-B863-6A0A5B4E59BC}"= "E1D19FCC.dll" [BU]
"{F8E07BB2-7A19-4057-80F1-E14646E630B4}"= "F8E07BB2.dll" [BU]
"{AD794E6B-90B7-4F9D-8FD6-0C16E3298FF2}"= "AD794E6B.dll" [BU]
"{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}"= "A1A6BC2E.dll" [BU]
"{5934EA2B-B2C4-4BE7-BF7A-FBA781A12E40}"= "5934EA2B.dll" [BU]
"{3B8DA919-1139-4B10-AD8F-91E8FBCFD375}"= "3B8DA919.dll" [BU]
"{93DEE065-EC9B-4505-ADD3-19880AD3C38F}"= "93DEE065.dll" [BU]
"{C8FFD223-C0FB-40C5-94A0-FD7891AC18E9}"= "C8FFD223.dll" [BU]
"{B8E83D3C-9466-4091-9AD1-1F89418A6EB7}"= "B8E83D3C.dll" [BU]
"{01AFE3DC-2242-436E-9B44-6DD1C664E828}"= "01AFE3DC.dll" [BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-09-03 09:11 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 12:36 1207080 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-10-18 03:58 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-02-27 01:18 67128 c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 05:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 06:24 458752 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 06:14 217088 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2005-08-30 02:53 1077329 c:\program files\Toshiba\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 08:20 20058152 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-05-12 01:31 118784 c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-03-10 09:45 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]
--a------ 2005-06-06 00:58 24576 c:\windows\system32\ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S3 b160485;b160485;\??\c:\windows\system32\b160485.sys [2008-11-18 5504]
S3 d435fd4;d435fd4;\??\c:\windows\system32\d435fd4.sys [2008-11-18 5504]
S3 f35ee9e;f35ee9e;\??\c:\windows\system32\f35ee9e.sys [2008-11-18 5504]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-07 29744]
.
Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 03:24]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\OKUCU\Application Data\Mozilla\Firefox\Profiles\c4f6pgvi.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 08:29:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
c:\program files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\program files\Toshiba\ConfigFree\CFSServ.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Google\Google Updater\GoogleUpdater.exe
c:\program files\Google\Google Updater\GoogleUpdater.exe
.
**************************************************************************
.
Completion time: 2008-11-19 8:36:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-19 16:36:29
ComboFix2.txt 2008-11-19 06:23:32
ComboFix3.txt 2008-11-18 16:09:09
ComboFix4.txt 2008-11-18 04:31:40
ComboFix5.txt 2008-11-19 16:19:33

Pre-Run: 14,075,715,584 bytes free
Post-Run: 14,076,944,384 bytes free

355 --- E O F --- 2008-10-16 20:32:25
#59
Egwene
Visiting Consultant, 2,141 posts
Hello,

We did the same virus scan for the same file on Nov 07.
But here it is again once more:


This appeared strange to me... But this was the file I've been looking for... Sorry about that. We lost our time together, I guess. I am always afraid of deleting something without being 100% sure that it is bad. So, my first opinion seemed to be the right one :)

Here we go. This time, we are going to kill it!

Open Notepad and copy/paste the text in the quotebox below into it:


KillAll::

Driver::
b160485
d435fd4
f35ee9e
mscaeosd

Collect::
c:\windows\system32\drivers\qkcgs.sys

File::
c:\windows\MPKrnl.dll
c:\windows\system32\B8E83D3C.cfg
c:\windows\system32\01AFE3DC.cfg
c:\windows\MKMKrnl.dll
c:\windows\system32\201476D0.cfg
c:\windows\system32\C8FFD223.cfg
c:\windows\system32\93DEE065.cfg
c:\windows\system32\f35ee9e.sys
c:\windows\system32\d435fd4.sys
c:\windows\system32\16AF66EB.cfg
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\4FBFD5A4.cfg
c:\windows\system32\5934EA2B.cfg
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\b160485.sys
c:\windows\system32\E1D19FCC.cfg
c:\windows\system32\AD794E6B.cfg
c:\windows\system32\3B8DA919.cfg
c:\windows\system32\mscaeo.exe
c:\windows\system32\upnpsrv.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MPKrnl"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MPMKrnl"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{201476D0-2B18-462E-AB9F-3E2B0CC8732B}"=-
"{16AF66EB-93C8-49F9-BB09-B4F87CEDCE46}"=-
"{4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96}"=-
"{E1D19FCC-4777-4D71-B863-6A0A5B4E59BC}"=-
"{F8E07BB2-7A19-4057-80F1-E14646E630B4}"=-
"{AD794E6B-90B7-4F9D-8FD6-0C16E3298FF2}"=-
"{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}"=-
"{5934EA2B-B2C4-4BE7-BF7A-FBA781A12E40}"=-
"{3B8DA919-1139-4B10-AD8F-91E8FBCFD375}"=-
"{93DEE065-EC9B-4505-ADD3-19880AD3C38F}"=-
"{C8FFD223-C0FB-40C5-94A0-FD7891AC18E9}"=-
"{B8E83D3C-9466-4091-9AD1-1F89418A6EB7}"=-
"{01AFE3DC-2242-436E-9B44-6DD1C664E828}"=-

Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

Note: if ComboFix does not open a webpage, then Click Here, click on the browse button, and navigate to this location:
C:\Qoobox\quarantine, then open the quarantine folder.

Then choose Submit.zip and click on "upload file".

Let me know if you were able to do so.

Regards,
Egwene.
#60
okucu
Topic Starter, 66 posts

I sent the quarantine zip file. Below is the ComboFix log.

ComboFix 08-11-17.04 - OKUCU 2008-11-19 11:15:04.15 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1254.90.1033.18.1029 [GMT -8:00]
Running from: c:\documents and settings\OKUCU\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\OKUCU\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\MKMKrnl.dll
c:\windows\MPKrnl.dll
c:\windows\system32\01AFE3DC.cfg
c:\windows\system32\16AF66EB.cfg
c:\windows\system32\201476D0.cfg
c:\windows\system32\3B8DA919.cfg
c:\windows\system32\4FBFD5A4.cfg
c:\windows\system32\5934EA2B.cfg
c:\windows\system32\93DEE065.cfg
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\AD794E6B.cfg
c:\windows\system32\b160485.sys
c:\windows\system32\B8E83D3C.cfg
c:\windows\system32\C8FFD223.cfg
c:\windows\system32\d435fd4.sys
c:\windows\system32\E1D19FCC.cfg
c:\windows\system32\f35ee9e.sys
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\mscaeo.exe
c:\windows\system32\upnpsrv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Messenger\msgmr.dll
c:\windows\AppPatch\AcSpecf.dll
c:\windows\AppPatch\AcXtrnel.sdb
c:\windows\Downloaded Program Files\ThunderAdvise.dll
c:\windows\Fonts\Framdee.ttf
c:\windows\MKMKrnl.dll
c:\windows\MPKrnl.dll
c:\windows\MSVB50CHS.dll
c:\windows\system32\01AFE3DC.cfg
c:\windows\system32\01AFE3DC.dll
c:\windows\system32\08223B03.cfg
c:\windows\system32\08223B03.dll
c:\windows\system32\122B901E.cfg
c:\windows\system32\122B901E.dll
c:\windows\system32\16AF66EB.cfg
c:\windows\system32\16AF66EB.dll
c:\windows\system32\201476D0.cfg
c:\windows\system32\201476D0.dll
c:\windows\system32\2EF0D734.cfg
c:\windows\system32\2EF0D734.dll
c:\windows\system32\3B8DA919.cfg
c:\windows\system32\3B8DA919.dll
c:\windows\system32\4D023DE9.cfg
c:\windows\system32\4D023DE9.dll
c:\windows\system32\4FBFD5A4.cfg
c:\windows\system32\4FBFD5A4.dll
c:\windows\system32\58FF3024.cfg
c:\windows\system32\58FF3024.dll
c:\windows\system32\5934EA2B.cfg
c:\windows\system32\5934EA2B.dll
c:\windows\system32\66AFCB56.cfg
c:\windows\system32\66AFCB56.dll
c:\windows\system32\8566F82E.cfg
c:\windows\system32\8566F82E.dll
c:\windows\system32\93DEE065.cfg
c:\windows\system32\93DEE065.dll
c:\windows\system32\9CA963CA.cfg
c:\windows\system32\9CA963CA.dll
c:\windows\system32\9F684DE8.cfg
c:\windows\system32\A1A6BC2E.cfg
c:\windows\system32\A1A6BC2E.dll
c:\windows\system32\AD794E6B.cfg
c:\windows\system32\AD794E6B.dll
c:\windows\system32\b160485.sys
c:\windows\system32\B3721C07.cfg
c:\windows\system32\B3721C07.dll
c:\windows\system32\B8E83D3C.cfg
c:\windows\system32\B8E83D3C.dll
c:\windows\system32\BA7EDF54.cfg
c:\windows\system32\BA7EDF54.dll
c:\windows\system32\C8FFD223.cfg
c:\windows\system32\C8FFD223.dll
c:\windows\system32\d435fd4.sys
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DA63E650.dll
c:\windows\system32\DFEC5CB7.cfg
c:\windows\system32\DFEC5CB7.dll
c:\windows\system32\drivers\HBKernel32.sys
c:\windows\system32\drivers\qkcgs.sys
c:\windows\system32\E1D19FCC.cfg
c:\windows\system32\E1D19FCC.dll
c:\windows\system32\f35ee9e.sys
c:\windows\system32\F8E07BB2.cfg
c:\windows\system32\F8E07BB2.dll
c:\windows\system32\HBmhly.dll
c:\windows\system32\HBZHUXIAN.dll
c:\windows\system32\system.exe
c:\windows\system32\upnpsrv.dll
c:\windows\temp\wmsetup.dll
c:\windows\Update.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_B160485
-------\Service_b160485
-------\Service_d435fd4
-------\Service_f35ee9e
-------\Service_HBKernel32


((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.

2008-11-12 08:27 . 2008-11-12 08:30 <DIR> d-------- C:\Lop SD
2008-11-12 07:53 . 2008-11-12 07:53 <DIR> d-------- c:\windows\ERUNT
2008-11-12 07:47 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2008-11-10 11:53 . 2008-11-10 11:53 2,306,113 --a------ c:\windows\system32\GPhotos.scr
2008-11-02 18:25 . 2008-11-02 18:25 <DIR> d-------- c:\documents and settings\OKUCU\DoctorWeb
2008-11-02 17:46 . 2008-11-02 18:24 250 --a------ c:\windows\gmer.ini
2008-10-27 09:43 . 2008-11-05 23:48 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-27 09:43 . 2008-10-27 09:43 1,409 --a------ c:\windows\QTFont.for
2008-10-26 18:12 . 2008-10-26 18:12 <DIR> d-------- C:\rsit
2008-10-25 05:09 . 2008-10-25 05:09 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-10-24 19:55 . 2008-10-24 19:55 <DIR> d-------- C:\_OTScanIt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-19 19:20 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-19 08:18 --------- d-----w c:\documents and settings\OKUCU\Application Data\SolidDocuments
2008-11-18 15:25 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-12 06:16 --------- d-----w c:\documents and settings\OKUCU\Application Data\Skype
2008-11-04 02:16 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\SolidDocuments
2008-10-31 15:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-26 04:12 76,856 ----a-w c:\documents and settings\OKUCU\Application Data\GDIPFONTCACHEV1.DAT
2008-10-25 13:09 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-10-25 12:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-22 23:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 23:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-18 15:47 --------- d-----w c:\documents and settings\OKUCU\Application Data\LimeWire
2008-10-15 09:49 --------- d-----w c:\program files\Visage
2008-10-15 09:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-15 09:49 --------- d-----w c:\program files\Common Files\Visage Software
2008-10-15 08:10 --------- d-----w c:\program files\SolidDocuments
2008-10-15 08:09 --------- d-----w c:\documents and settings\All Users\Application Data\SolidDocuments
2008-10-15 07:38 --------- d-----w c:\program files\PDFCreator
2008-10-15 07:38 --------- d-----w c:\documents and settings\OKUCU\Application Data\PDFCreator
2008-10-14 05:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-13 20:55 --------- d-----w c:\program files\MathType
2008-10-12 11:08 --------- d-----w c:\documents and settings\OKUCU\Application Data\Autodesk
2008-10-12 11:08 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-10-11 09:25 --------- d-----w c:\program files\MSXML 6.0
2008-10-10 08:32 --------- d-----w c:\program files\Nikon_Capture_NX2_v2.1.0
2008-10-10 08:13 --------- d-----w c:\program files\AutoCAD 2008
2008-10-10 08:12 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-10-09 18:42 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-09 18:30 --------- d-----w c:\program files\Common Files\Adobe
2008-10-09 18:30 --------- d-----w c:\program files\Bonjour
2008-10-09 18:17 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-09 17:00 --------- d-----w c:\program files\turbo squid tentacles
2008-10-09 16:54 --------- d-----w c:\program files\Autodesk
2008-10-05 06:22 --------- d-----w c:\program files\Google
2008-10-02 06:33 --------- d-----w c:\program files\eMule
2008-10-02 06:31 --------- d-----w c:\program files\Swiss International Air Lines TravelDesk
2008-10-02 06:29 --------- d-----w c:\program files\Netopia
2008-09-29 05:52 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-09-29 05:47 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2008-09-25 07:44 --------- d-----w c:\documents and settings\OKUCU\Application Data\U3
2008-08-10 06:58 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLbz.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-11-18_ 8.08.27.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-18 16:03:11 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-19 05:54:06 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-18 16:03:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-19 05:54:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-18 16:03:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-19 05:54:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 73728]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-09-06 671744]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-25 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-28 286720]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-30 122941]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-19 48752]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2005-05-05 22656]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 c:\windows\KHALMNPR.Exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-08-22 c:\windows\system32\TCtrlIOHook.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-22 c:\windows\agrsmmsg.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-28 155648]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^OKUCU^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\OKUCU\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-09-03 09:11 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 12:36 1207080 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-10-18 03:58 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-02-27 01:18 67128 c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 06:43 57344 c:\program files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 05:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 06:24 458752 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 06:14 217088 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2005-08-30 02:53 1077329 c:\program files\Toshiba\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 08:20 20058152 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-05-12 01:31 118784 c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-03-10 09:45 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zooming]
--a------ 2005-06-06 00:58 24576 c:\windows\system32\ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-07 29744]
.
Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 03:24]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 11:20:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Norton Internet Security\ISSVC.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
c:\program files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Toshiba\TOSHIBA Controls\TFncKy.exe
c:\program files\Toshiba\ConfigFree\CFSServ.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-11-19 11:26:30 - machine was rebooted [OKUCU]
ComboFix-quarantined-files.txt 2008-11-19 19:26:15
ComboFix2.txt 2008-11-19 16:36:42
ComboFix3.txt 2008-11-19 06:23:32
ComboFix4.txt 2008-11-18 16:09:09
ComboFix5.txt 2008-11-19 18:51:19

Pre-Run: 14,186,000,384 bytes free
Post-Run: 14,358,806,528 bytes free

357 --- E O F --- 2008-10-16 20:32:25