XP is infected, is 2k safe?
SufferWell1396
02-28-2008, 04:01 PM
My Windows XP is confirmed to have a virus; I will post a log on it later. But for now I'm sticking to Windows 2k, and since XP and 2k are the same kernel, I want to make sure my 2k install didn't catch the bug also.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:35 PM, on 2/28/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\defragActivityMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINNT\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Administrator.NONE-CB22685844\Desktop\HiJackThis.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O4 - Global Startup: Ashampoo Magical Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202843279765
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - C:\WINNT\system32\OOD2000.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
--
End of file - 4806 bytes
I'll post my XP log in one of my next posts here.
Thanks, and I will follow up on this thread.
classicsoftware
02-28-2008, 06:12 PM
Your system is safe.
SufferWell1396
02-28-2008, 10:02 PM
Thank you classic. :)
A log from Windows XP will follow here later, once I reboot.
SufferWell1396
02-28-2008, 11:25 PM
Here's the XP log.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:23:26 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\wudfhost.exe
D:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\COMODO\Firewall\cmdagent.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\Program Files\SiteAdvisor\6253\SAService.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\ThreatFire\TFService.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
D:\Program Files\COMODO\Firewall\cfp.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\SiteAdvisor\6253\SiteAdv.exe
D:\Program Files\ThreatFire\TFTray.exe
D:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragCtrl.exe
D:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
D:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
D:\WINDOWS\system32\MAPISP32.EXE
D:\Program Files\Microsoft Office\Office\Winword.exe
D:\Documents and Settings\Howard\Desktop\HiJackThis_v2.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
SufferWell1396
02-28-2008, 11:26 PM
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - D:\Program Files\IEPro\iepro.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - D:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - D:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiteAdvisor] D:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ThreatFire] D:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [DefragTaskBar] "D:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Nikon Monitor.lnk = ?
O4 - Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = D:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: wbsys.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: AshampooDefragService - - D:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - D:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - D:\WINDOWS\system32\OOD2000.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - D:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - D:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - D:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - D:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - D:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - D:\DOCUME~1\Howard\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - D:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: ThreatFire - PC Tools - D:\Program Files\ThreatFire\TFService.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
--
End of file - 10501 bytes
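The HijackThis logs in this thread are read by eye. As an added example (not code from the thread, from HijackThis or from Trend Micro), here is a small Python parser that turns O4/O23/O20 and other O-section lines into records and flags the entries a helper would look at first: targets marked "(file missing)", services with no identifiable vendor, anything running from a Temp directory, and any AppInit_DLLs entry. The sample lines are taken from the XP log posted above; the `Entry` class, the triage rules and the function names are this example's own assumptions, not HijackThis features.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Sample input for this example: lines taken from the HijackThis logs
# posted in this thread. The selection is constructed so that every
# triage rule below fires at least once.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O20 - AppInit_DLLs: wbsys.dll
O23 - Service: AshampooDefragService - - D:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: SessionLauncher - Unknown owner - D:\DOCUME~1\Howard\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: ThreatFire - PC Tools - D:\Program Files\ThreatFire\TFService.exe
""".strip("\n").splitlines()


@dataclass
class Entry:
    """One HijackThis O-section line split into fields (this example's own type)."""
    section: str                 # "O4", "O9", "O20", "O23", ...
    name: str                    # run-value name, service display name, button text
    path: str                    # command line / target as logged, minus "(file missing)"
    owner: Optional[str] = None  # O23 vendor column; "" when HijackThis prints "- -"
    file_missing: bool = False   # HijackThis could not find the target on disk
    hive: Optional[str] = None   # O4 registry location, e.g. "HKLM\..\Run"


O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<path>.*)$")
# The vendor column may be empty, which HijackThis renders as "name - - path".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
# Fallback for the other sections: "Oxx - description - target".
GENERIC_RE = re.compile(r"^(?P<section>O\d+) - (?P<name>[^-]+?) - (?P<path>.+)$")
MISSING_SUFFIX = " (file missing)"


def _strip_missing(path: str):
    """Separate the '(file missing)' marker from the target path."""
    if path.endswith(MISSING_SUFFIX):
        return path[: -len(MISSING_SUFFIX)], True
    return path, False


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for headers, process lists and .lnk entries."""
    line = line.rstrip()
    if m := O4_RE.match(line):
        path, missing = _strip_missing(m["path"])
        return Entry("O4", m["name"], path, hive=m["hive"], file_missing=missing)
    if m := O23_RE.match(line):
        path, missing = _strip_missing(m["path"])
        return Entry("O23", m["name"], path, owner=m["owner"], file_missing=missing)
    if m := O20_RE.match(line):
        return Entry("O20", "AppInit_DLLs", m["path"])
    if m := GENERIC_RE.match(line):
        path, missing = _strip_missing(m["path"])
        return Entry(m["section"], m["name"].strip(), path, file_missing=missing)
    return None


def triage(lines: Iterable[str]) -> List[str]:
    """Return one finding per entry that a helper would check before anything else."""
    findings: List[str] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if entry.file_missing:
            reasons.append("target file missing (orphaned entry)")
        if entry.section == "O23" and (entry.owner or "").strip() in ("", "Unknown owner"):
            reasons.append("service has no identifiable vendor")
        if "\\temp\\" in entry.path.lower():
            reasons.append("runs from a Temp directory")
        if entry.section == "O20":
            reasons.append("AppInit_DLLs is loaded into every process that uses user32")
        if reasons:
            findings.append(f"{entry.section} [{entry.name}] {entry.path}: " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a saved log with `triage(open("hijackthis.log").read().splitlines())`. The rules are deliberately conservative: an orphaned "(file missing)" entry or an unknown vendor is a prompt to verify the binary (publisher, hash, location), not a verdict, and a legitimate driver-vendor service such as "ATI Smart" above will be flagged simply because HijackThis could not attribute it.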
SufferWell1396
03-02-2008, 04:45 PM
Please help me out here :(
classicsoftware
03-02-2008, 05:42 PM
Not much there. You've been down this road before; do a Smitfraud scan and a ComboFix scan and report both results to me.
SufferWell1396
03-03-2008, 08:00 PM
You've been down this road before, do a Smitfraud scan and a combofix scan and report both results to me.
True, I have. I just don't want to do a ComboFix before I get told to; can't ComboFix damage your system in some way?
I'll post the logs here soon.
classicsoftware
03-03-2008, 10:14 PM
I just meant I didn't have to provide you with complete instructions, not that you should have done the scan without being told. Sorry for the confusion.
SufferWell1396
03-11-2008, 08:46 PM
Sorry for the hold-up.
Since the infection wasn't that big
and I couldn't find a reliable ComboFix mirror,
I'm just using avast! AVS in 2k
and I'm gonna use AVG in XP once I'm done here.
There was an infection,
but it was not active; it was just in a compressed folder.
classicsoftware
03-12-2008, 12:11 AM
If you can't get Combofix from here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix), there is a more serious problem.
SufferWell1396
03-14-2008, 10:12 AM
Oh, I'll run the scan as soon as I get back. Thanks.
SufferWell1396
03-14-2008, 10:08 PM
Uh oh. Classic, this doesn't look good.
ComboFix ran fine on 2k.
On XP, however, when I ran it in safe mode the computer restarted.
Now every time I boot the computer to XP in NORMAL mode it restarts...
I did, however, get the log for 2k. Here it is.
ComboFix 08-03-14.4 - Administrator 03/14/2008 20:07:56.1 - FAT32x86 MINIMAL
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.682 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator.NONE-CB22685844\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINNT\Web\default.htt
.
((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.
2008-03-14 20:07 . 03/14/08 08:08p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_174.dat
2008-03-14 14:45 . 03/14/08 02:45p 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_26c.dat
2008-03-11 23:41 . 03/11/08 11:41p <DIR> d-------- C:\Program Files\Ashampoo
2008-03-11 23:41 . 03/11/08 11:41p <DIR> d-------- C:\DOCUME~1\ALLUSE~2.WIN\APPLIC~1\Ashampoo
2008-03-10 19:51 . 03/10/08 07:51p 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_27c.dat
2008-03-08 11:03 . 03/08/08 11:03a 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_264.dat
2008-03-07 19:52 . 03/07/08 07:52p <DIR> d-------- C:\WINNT\Sun
2008-03-07 19:52 . 03/07/08 07:52p <DIR> d-------- C:\Documents and Settings\Administrator.NONE-CB22685844\Application Data\SystemRequirementsLab
2008-03-07 13:08 . 03/07/08 01:08p 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_280.dat
2008-03-06 21:31 . 03/06/08 09:31p <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-03-06 21:31 . 03/06/08 09:37p 163,712 --a------ C:\WINNT\system32\drivers\vidstub.sys
2008-03-05 17:32 . 03/05/08 05:32p <DIR> d-------- C:\Documents and Settings\Administrator.NONE-CB22685844\Application Data\LimeWire
2008-03-05 17:32 . 09/24/07 11:31p 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-03-05 17:16 . 10/29/98 04:45p 306,688 --a------ C:\WINNT\IsUninst.exe
2008-03-05 17:16 . 09/01/99 05:03a 14,304 --a------ C:\WINNT\system32\drivers\SECDRV.SYS
2008-03-04 21:04 . 03/04/08 09:04p <DIR> d-------- C:\Documents and Settings\Administrator.NONE-CB22685844\Application Data\FoxieSpywareSwiftSweeper
2008-03-04 21:03 . 03/04/08 09:03p <DIR> d-------- C:\Program Files\Foxie Suite
2008-03-04 17:28 . 03/04/08 05:28p <DIR> d-------- C:\Program Files\Deskshare
2008-03-04 17:28 . 03/04/08 05:28p <DIR> d-------- C:\Program Files\Common Files\DeskShare Shared
2008-03-03 20:23 . 03/03/08 08:23p <DIR> d-------- C:\Program Files\LimeWire
2008-03-01 15:33 . 03/01/08 03:33p <DIR> d-------- C:\Program Files\Ares
2008-02-27 15:29 . 02/27/08 03:29p <DIR> d-------- C:\DOCUME~1\ALLUSE~2.WIN\APPLIC~1\TEMP
2008-02-27 15:28 . 02/27/08 03:28p <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-02-27 15:28 . 02/27/08 03:28p <DIR> d-------- C:\Program Files\AnswersThatWork
2008-02-27 15:28 . 03/13/01 02:51p 1,066,176 --a------ C:\WINNT\system32\MSCOMCTL.OCX
2008-02-27 15:28 . 04/03/07 04:51p 614,400 --a------ C:\WINNT\system32\ExButton.dll
2008-02-27 15:28 . 06/05/07 10:20a 602,112 --a------ C:\WINNT\system32\ExMenu.dll
2008-02-27 15:28 . 06/05/07 10:19a 516,096 --a------ C:\WINNT\system32\ExTab.dll
2008-02-27 15:28 . 04/24/98 12:00a 368,912 --a------ C:\WINNT\system32\vbar332.dll
2008-02-27 15:28 . 10/11/05 02:40p 356,352 --a------ C:\WINNT\system32\eSellerateEngine.dll
2008-02-27 15:28 . 04/03/07 04:51p 307,200 --a------ C:\WINNT\system32\ExPMenu.dll
2008-02-27 15:28 . 06/18/05 11:44a 212,240 --a------ C:\WINNT\system32\RichTx32.ocx
2008-02-27 15:28 . 03/09/04 01:00a 124,688 --a------ C:\WINNT\system32\MSWinSck.ocx
2008-02-27 15:27 . 02/27/08 03:27p <DIR> d-------- C:\Documents and Settings\Administrator.NONE-CB22685844\Application Data\U3
2008-02-24 18:33 . 06/19/03 12:05p 21,552 --a------ C:\WINNT\system32\dllcache\usbstor.sys
2008-02-24 18:30 . 02/24/08 06:30p 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_284.dat
2008-02-24 18:28 . 11/28/06 09:05p 520,192 --------- C:\WINNT\system32\ati2sgag.exe
2008-02-22 18:27 . 02/22/08 06:27p <DIR> d--hs---- C:\FOUND.003
2008-02-22 18:17 . 02/22/08 06:17p <DIR> d-------- C:\Program Files\Guitar Pro 5.0
2008-02-22 10:35 . 02/22/08 10:35a <DIR> d-------- C:\UW98FE
2008-02-20 14:56 . 02/20/08 02:56p <DIR> d--hs---- C:\FOUND.002
2008-02-18 13:07 . 02/18/08 01:07p <DIR> d-------- C:\Documents and Settings\Administrator.NONE-CB22685844\Application Data\Viewpoint
2008-02-18 11:37 . 02/18/08 11:37a <DIR> d-------- C:\FOUND.001
2008-02-18 01:53 . 02/18/08 01:53a <DIR> d-------- C:\Program Files\LogoSchemes
2008-02-18 00:55 . 02/18/08 12:55a 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_1fc.dat
2008-02-18 00:35 . 12/04/07 09:51a 42,912 --a------ C:\WINNT\system32\drivers\aswTdi.sys
2008-02-18 00:35 . 12/04/07 09:53a 23,152 --a------ C:\WINNT\system32\drivers\aswRdr.sys
2008-02-18 00:34 . 03/18/03 03:20p 1,060,864 --a------ C:\WINNT\system32\MFC71.dll
2008-02-18 00:34 . 12/04/07 08:04a 837,496 --a------ C:\WINNT\system32\aswBoot.exe
2008-02-18 00:34 . 03/18/03 02:14p 499,712 --a------ C:\WINNT\system32\MSVCP71.dll
2008-02-18 00:34 . 01/09/04 04:13a 380,928 --a------ C:\WINNT\system32\actskin4.ocx
2008-02-18 00:34 . 12/04/07 07:54a 95,608 --a------ C:\WINNT\system32\AvastSS.scr
2008-02-18 00:34 . 12/04/07 09:55a 94,544 --a------ C:\WINNT\system32\drivers\aswmon2.sys
2008-02-18 00:34 . 12/04/07 09:56a 93,264 --a------ C:\WINNT\system32\drivers\aswmon.sys
2008-02-18 00:34 . 12/04/07 09:49a 26,624 --a------ C:\WINNT\system32\drivers\aavmker4.sys
2008-02-17 23:55 . 02/17/08 11:55p <DIR> d-------- C:\Documents and Settings\Administrator.NONE-CB22685844\Application Data\uTorrent
2008-02-17 22:36 . 02/17/08 10:36p 207 --ah----- C:\CONFIG.BAK
2008-02-16 20:09 . 02/16/08 08:54p 3,799 --a------ C:\WINNT\iexplore.ini
2008-02-16 19:39 . 02/16/08 07:39p <DIR> d-------- C:\Documents and Settings\Administrator.NONE-CB22685844\Application Data\IEPro
2008-02-16 19:31 . 02/16/08 07:31p <DIR> d-------- C:\Documents and Settings\Administrator.NONE-CB22685844\Application Data\acccore
2008-02-16 19:29 . 02/16/08 07:29p <DIR> d-------- C:\DOCUME~1\ALLUSE~2.WIN\APPLIC~1\AOL OCP
2008-02-16 19:29 . 02/16/08 07:29p <DIR> d-------- C:\DOCUME~1\ALLUSE~2.WIN\APPLIC~1\AOL
2008-02-16 19:28 . 02/16/08 07:28p <DIR> d-------- C:\Program Files\AIM6
2008-02-16 15:25 . 02/16/08 03:26p 25,992 --a------ C:\WINNT\system32\pgdfgsvc.exe
2008-02-16 15:14 . 02/16/08 03:15p <DIR> d-------- C:\WINNT\system32\dllcache.bak
2008-02-16 15:14 . 02/16/08 03:15p <DIR> d-------- C:\Program Files\OOD2KFRE
2008-02-16 15:14 . 02/16/08 03:14p <DIR> d-------- C:\Documents and Settings\ADMINI~1~NON\LOCALS~1
2008-02-16 15:14 . 04/05/01 05:40p 598,016 --a------ C:\WINNT\system32\OOD2KCRS.dll
2008-02-16 15:14 . 04/06/01 01:57p 238,080 --a------ C:\WINNT\system32\OOD2000.exe
2008-02-16 15:14 . 04/05/01 05:21p 29,272 --a------ C:\WINNT\system32\OOD2KBS.exe
2008-02-16 15:14 . 11/09/00 07:31p 24,576 --a------ C:\WINNT\system32\OODCSPRO.dll
2008-02-16 15:14 . 11/01/00 02:12p 16,384 --a------ C:\WINNT\system32\ood2kmsg.dll
2008-02-16 15:14 . 02/16/08 03:15p 7,952 --a------ C:\WINNT\system32\OODDRMBS.EXE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-22 02:15 266 ---h--w C:\Program Files\desktop.ini
2008-02-22 02:15 11,079 ---h--w C:\Program Files\folder.htt
2008-02-22 02:01 5,166 ---h--r C:\SUHDLOG.DAT
2008-02-12 19:04 --------- d-----w C:\Documents and Settings\Administrator.NONE-CB22685844\Application Data\SiteAdvisor
2008-02-12 19:04 --------- d-----w C:\DOCUME~1\ALLUSE~2.WIN\APPLIC~1\SiteAdvisor
2008-02-12 19:04 --------- d-----w C:\DOCUME~1\ALLUSE~2.WIN\APPLIC~1\McAfee
2008-02-12 19:03 --------- d-----w C:\Documents and Settings\Administrator.NONE-CB22685844\Application Data\Aim
2008-02-12 19:03 --------- d-----w C:\DOCUME~1\ALLUSE~2.WIN\APPLIC~1\Viewpoint
2008-02-12 18:59 --------- d-----w C:\Documents and Settings\Administrator.NONE-CB22685844\Application Data\Comodo
2008-02-12 18:59 --------- d-----w C:\DOCUME~1\ALLUSE~2.WIN\APPLIC~1\Comodo
2008-02-12 18:44 19,387 ----a-w C:\WINNT\system32\drivers\AegisP.sys
2008-02-12 00:47 --------- d-----w C:\Program Files\IEPro
2008-02-03 22:33 --------- d-----w C:\Program Files\Realtek
2008-02-01 00:01 --------- d-----w C:\Documents and Settings\Administrator.FOREVER-FAD3E5F\Application Data\Phoenix
2008-01-26 23:01 --------- d-----w C:\Documents and Settings\Administrator.FOREVER-FAD3E5F\Application Data\Yahoo!
2008-01-26 18:33 --------- d-----w C:\Documents and Settings\Administrator.FOREVER-FAD3E5F\Application Data\Netscape
2008-01-26 18:32 --------- d-----w C:\Documents and Settings\Administrator.FOREVER-FAD3E5F\Application Data\Aim
2008-01-26 18:30 --------- d-----w C:\Documents and Settings\Administrator.FOREVER-FAD3E5F\Application Data\PCToolsFirewallPlus
2008-01-20 23:58 --------- d-----w C:\Program Files\Trillian
2008-01-20 22:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-01-20 17:52 --------- d-----w C:\Program Files\Trojan Remover
2008-01-19 06:08 --------- d-----w C:\Program Files\ClamWin
2008-01-17 03:02 --------- d-----w C:\Program Files\ViCAM
2008-01-16 07:04 --------- d-----w C:\Program Files\Wolfenstein 3D
2008-01-16 06:56 --------- d-----w C:\Program Files\WinWolf3D
2008-01-15 04:15 --------- d-----w C:\Program Files\Shareaza
2007-11-05 01:32 7,191,196 ----a-w C:\Program Files\Plus!.rar
2002-12-31 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
1993-08-23 17:32 19,056 ----a-w C:\Documents and Settings\Administrator\SETUP.EXE
2006-02-23 13:16 34,048 ----a-w C:\Program Files\opera\program\plugins\upd62i9x.dll
SufferWell1396
03-14-2008, 10:09 PM
2006-02-23 13:16 45,056 ----a-w C:\Program Files\opera\program\plugins\upd62int.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/07/08 01:19p 50528]
"ares"="C:\Program Files\Ares\Ares.exe" [02/20/08 09:33a 963072]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [12/31/02 12:00p 111376 C:\WINNT\system32\mobsync.exe]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [02/12/08 01:57p 1115728]
"WINDVDPatch"="CTHELPER.EXE" [07/02/02 05:56p 24576 C:\WINNT\system32\CTHELPER.EXE]
"UpdReg"="C:\WINNT\UpdReg.EXE" [05/11/00 01:00a 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [11/29/01 01:00a 28672]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/07 08:00a 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/07 01:11a 132496]
"BootSkin Startup Jobs"="C:\PROGRA~1\STARDOCK\WINCUS~1\BOOTSKIN\BootSkin.exe" [04/26/04 04:21p 270336]
"DefragTaskBar"="C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [08/28/07 04:31p 169312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [07/16/01 08:52a 184592]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
C:\DOCUME~1\ALLUSE~2.WIN\STARTM~1\Programs\Startup\
Wireless Configuration Utility HW.51.lnk - C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe [2005-04-12 10:03:26 458752]
S2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [12/04/07 09:56a]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [01/04/07 04:38p]
S2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
S3 W8335PCI;IEEE 802.11g Wireless Cardbus/PCI Adapter HW51;C:\WINNT\system32\DRIVERS\Mrv8000c.sys [12/24/04 02:40p]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINNT\system32\DRIVERS\rt2500usb.sys [10/17/05 07:50p]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 20:10:31
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 03/14/2008 20:11:10
ComboFix2.txt 2008-01-01 01:04:52
ComboFix-quarantined-files.txt 2008-03-15 01:11:10
.
2008-03-02 20:36:03 --- E O F ---
classicsoftware
03-15-2008, 12:02 AM
Why did you not install the recovery console as instructed and why did you run it in safe when the instructions do not say to do so?
classicsoftware
03-15-2008, 12:08 AM
Please try Last Known Good Configuration in XP.
SufferWell1396
03-15-2008, 12:15 AM
There was only a Recovery Console for XP
and not a Recovery Console for Windows 2k.
I'll try that in XP though.
Paul Komski
03-15-2008, 05:02 AM
How do I install the Recovery Console? (http://windowsitpro.com/article/articleid/14731/how-do-i-install-the-recovery-console.html) (Win2K)
classicsoftware
03-15-2008, 08:54 AM
You said there was no trouble with Windows 2000 and the trouble was with XP. You have me more than confused. You were given instructions on how to do this and you didn't....
SufferWell1396
03-15-2008, 11:47 AM
Ahhhhh,
let me start over.
XP was acting up, and I knew it was infected with something.
2k wasn't, but I just wanted to make sure that it wasn't infected.
Now I'm going to do ComboFix again and install the Recovery Console.
So I'm basically just starting over with ComboFix again to avoid confusion.
SufferWell1396
03-15-2008, 05:39 PM
Well, I installed the Recovery Console on XP.
Now, if I try to use ComboFix it won't work.
It will restart if I try to use ComboFix.