View Full Version : New Scan Logs after Infection Clean
Cuc Tu
12-04-2008, 11:38 AM
Here are the logs after trying to clean up an infection I had.
Thanks for looking...
MBAM kept finding a few infections:
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2
12/2/2008 7:54:44 PM
mbam-log-2008-12-02 (19-54-44).txt
Scan type: Full Scan (C:\|)
Objects scanned: 27098
Time elapsed: 50 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\opnnOHyY.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\efcAQIax.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lgxybc.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{280bb164-41ee-46e8-8cd2-0b97ae1ca5cf} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{280bb164-41ee-46e8-8cd2-0b97ae1ca5cf} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcaqiax (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{fd891196-f502-442b-8c97-08ef15ae1ec7} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{fd891196-f502-442b-8c97-08ef15ae1ec7} (Trojan.Vundo.H) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnnohyy -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnnohyy -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\lgxybc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\efcAQIax.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\opnnOHyY.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\YyHOnnpo.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\YyHOnnpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ati1snxxx.sys (Rootkit.Agent.H) -> Delete on reboot.
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2
12/2/2008 8:31:18 PM
mbam-log-2008-12-02 (20-31-18).txt
Scan type: Quick Scan
Objects scanned: 57603
Time elapsed: 21 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\P4\Local Settings\Temp\winasnet.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Rootkit.Agent) -> Quarantined and deleted successfully.
Cuc Tu
12-04-2008, 11:39 AM
Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2
12/3/2008 6:08:30 AM
mbam-log-2008-12-03 (06-08-30).txt
Scan type: Full Scan (C:\|)
Objects scanned: 163714
Time elapsed: 5 hour(s), 28 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\uv9\peco85IV.exe (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VC\MTK63G.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Q3VjIFR1\asappsrv.dll (Adware.CommAd) -> Quarantined and deleted successfully.
C:\WINDOWS\Q3VjIFR1\command.exe (Adware.CommAd) -> Quarantined and deleted successfully.
Cuc Tu
12-04-2008, 11:41 AM
ComboFix 08-12-01.03 - P4 2008-12-04 6:38:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1132 [GMT -8:00]
Running from: c:\documents and settings\P4\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.
2008-12-03 06:15 . 2008-12-03 06:15 <DIR> d-------- c:\program files\Avira
2008-12-03 06:15 . 2008-12-03 06:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-02 19:02 . 2008-12-02 19:02 <DIR> d-------- c:\documents and settings\P4\Application Data\Malwarebytes
2008-12-02 19:01 . 2008-12-02 19:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-02 19:01 . 2008-12-02 19:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-02 19:01 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-02 19:01 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 20:23 . 2008-12-03 06:08 <DIR> d--hs---- c:\windows\Q3VjIFR1
2008-12-01 20:22 . 2008-12-03 06:08 <DIR> d-------- c:\windows\system32\VC
2008-12-01 20:22 . 2008-12-03 06:08 <DIR> d-------- c:\windows\system32\uv9
2008-12-01 20:22 . 2008-12-03 06:22 <DIR> d-------- c:\windows\system32\ki3
2008-12-01 20:22 . 2008-12-01 20:22 <DIR> d-------- c:\windows\system32\hov
2008-12-01 20:22 . 2008-12-01 20:23 <DIR> d-------- c:\windows\system32\bin
2008-11-30 10:04 . 2008-11-30 10:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-30 09:58 . 2008-11-30 09:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2008-11-30 09:54 . 2008-11-30 09:54 <DIR> d-------- c:\program files\Bonjour
2008-11-30 09:29 . 2008-11-30 09:29 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-24 08:42 . 2008-11-24 08:42 366,592 --a------ c:\windows\system32\osuxedmbukrxv.dll
2008-11-23 20:28 . 2008-11-29 15:59 12,496 --a------ c:\windows\MSPuzzle.dat
2008-11-23 20:16 . 2008-11-23 20:16 <DIR> d-------- c:\program files\Microsoft Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-12-03 15:00 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 17:54 --------- d-----w c:\program files\Common Files\Adobe
2008-11-24 04:17 --------- d-----w c:\documents and settings\P4\Application Data\Tyre
2007-05-10 18:47 4,499 ----a-w c:\program files\Common Files\Waveguides-S8x0D.lst
2007-05-10 18:47 21,100 ----a-w c:\program files\Common Files\AllFreqCable.lst
2006-04-28 01:59 19,594 ----a-w c:\program files\Common Files\CABLES-S8x0D.LST
2005-07-30 00:24 472 --sha-r c:\windows\Q3VjIFR1\kap3KIlY.vbs
.
((((((((((((((((((((((((((((( snapshot@2008-12-02_20.54.03.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 21:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-22 02:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-06-27 23:03:55 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 18:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
- 2008-12-03 04:49:32 220,186 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-04 14:31:17 220,175 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-04 14:30:51 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_73c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-12-04 406016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]
"CTHelper"="CTHELPER.EXE" [2003-08-28 c:\windows\system32\CTHELPER.EXE]
c:\documents and settings\P4\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lgxybc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\system32\ctmp3.acm
"VIDC.YV12"= xl_yv12.dll
"VIDC.YU12"= ATIYUV12.DLL
"VIDC.HFYU"= huffyuv.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.D263"= xl_x263dec.dll
"VIDC.XJPG"= camfc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
backup=c:\windows\pss\AutoStart IR.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZDWLan Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ZDWLan Utility.lnk
backup=c:\windows\pss\ZDWLan Utility.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^P4^Start Menu^Programs^Startup^Deewoo.lnk]
path=c:\documents and settings\P4\Start Menu\Programs\Startup\Deewoo.lnk
backup=c:\windows\pss\Deewoo.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^P4^Start Menu^Programs^Startup^DW_Start.lnk]
path=c:\documents and settings\P4\Start Menu\Programs\Startup\DW_Start.lnk
backup=c:\windows\pss\DW_Start.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^P4^Start Menu^Programs^Startup^UMAX VistaAccess.lnk]
path=c:\documents and settings\P4\Start Menu\Programs\Startup\UMAX VistaAccess.lnk
backup=c:\windows\pss\UMAX VistaAccess.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2004-11-04 17:13 69707 c:\program files\ATI Multimedia\main\atidtct.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Scheduler]
--a------ 2004-11-04 17:14 45133 c:\program files\ATI Multimedia\main\AtiSched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-10-26 20:10 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
--a------ 2002-08-14 14:21 94208 c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Automatic Backup 1.0.1]
--a------ 2002-10-15 09:32 3014656 c:\program files\Iomega\Iomega Automatic Backup\iBackup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pegzfjycdkobdn]
--a------ 2008-11-24 08:42 366592 c:\windows\system32\osuxedmbukrxv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-07 13:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"PhotoshopElementsDeviceConnect"=2 (0x2)
"AdobeActiveFileMonitor"=2 (0x2)
"ose"=2 (0x2)
"Iomega App Services"=2 (0x2)
"Network Monitor"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"cmdService"=2 (0x2)
"CiSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\Windows Media Components\\Encoder\\wmenc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"80:TCP"= 80:TCP:HTTP
"2799:UDP"= 2799:UDP:*:Disabled:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:*:Disabled:Altova License Metering Port (TCP)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
Cuc Tu
12-04-2008, 11:42 AM
R1 GhPciScan;GhostPciScanner;\??\c:\program files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 5632]
R1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys [2008-08-28 8576]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2006-11-22 366080]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-01-23 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-01-23 28800]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\AEC671 X.SYS [2005-09-02 12128]
S1 ati1snxxx;ati1snxxx;c:\windows\system32\drivers\at i1snxxx.sys []
S1 DMX3191;DMX3191;c:\windows\system32\drivers\DMX319 1.SYS [2005-09-02 17700]
S2 UDNT;UDNT;c:\windows\system32\drivers\UDNT.sys [2005-09-02 76260]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2006-09-17 20608]
S3 cusbohcn;cusbohcn;\??\c:\docume~1\P4\LOCALS~1\Temp \cusbohcn.sys []
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\Wi nTV\HCWTVS~1.EXE [2007-06-27 815104]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\DRIVERS\ucdnt.sys [2007-10-13 1001120]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-09-17 402944]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{5404e307-e067-11d9-904f-000d8756f371}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5084F01D-458E-45EB-A6FD-692D4C9D2789}]
c:\windows\system32\msiexec.exe /qn /fpu {5084F01D-458E-45EB-A6FD-692D4C9D2789}
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\P4\Application Data\Mozilla\Firefox\Profiles\jiwrcx2p.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - file:///C:/Home.html
.
************************************************** ************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 06:43:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\I omega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(504)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-04 6:45:24
ComboFix-quarantined-files.txt 2008-12-04 14:44:29
ComboFix2.txt 2008-12-03 04:55:09
Pre-Run: 13,604,888,576 bytes free
Post-Run: 13,580,472,320 bytes free
198
Cuc Tu
12-04-2008, 11:45 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:46 AM, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191705583984[/url]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191705525968[/url]
O20 - AppInit_DLLs: lgxybc.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5689 bytes
Cuc Tu
12-04-2008, 11:48 AM
Computer seems to run OK.
Maybe a bit slow.
The sys tray icons don't load anymore, after scanning with Avira.
classicsoftware
12-04-2008, 12:08 PM
Computer seems to run OK.
Maybe a bit slow.
The sys tray icons don't load anymore, after scanning with Avira.
What Icons don't load?
Cuc Tu
12-04-2008, 05:01 PM
Speaker (sound)
nVidia control panel
iTouch keyboard
Mouse
SpywareGuard (SG)
Aviria (was there once, now gone again)
The only icon is the network icon.
Is my PC clean?
I still show Deewoo and something64 in the ms config startup (unchecked). I know these two were bad, but not sure how to get rid of them from the startup. Now that I think of it I may have disabled them before my final scans.
Thanks
classicsoftware
12-05-2008, 12:27 AM
If you disabled anything in MS-Config, we are at ground ZERO. Please enable everything, re-boot and re-do the scans and post the results....
Cuc Tu
12-05-2008, 01:51 AM
OK, I did mean that everything was enabled on the first rounds of scans...
I'm still infected as new things are showing up in HijackThis.
I eneabled everything and rescanned:
Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 2
12/4/2008 9:26:46 PM
mbam-log-2008-12-04 (21-26-46).txt
Scan type: Quick Scan
Objects scanned: 53059
Time elapsed: 13 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Cuc Tu
12-05-2008, 01:52 AM
ComboFix 08-12-04.04 - P4 2008-12-04 21:28:49.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1120 [GMT -8:00]
Running from: c:\documents and settings\P4\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.
2008-12-03 06:15 . 2008-12-03 06:15 <DIR> d-------- c:\program files\Avira
2008-12-03 06:15 . 2008-12-03 06:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-02 19:02 . 2008-12-02 19:02 <DIR> d-------- c:\documents and settings\P4\Application Data\Malwarebytes
2008-12-02 19:01 . 2008-12-04 18:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-02 19:01 . 2008-12-02 19:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-02 19:01 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-02 19:01 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 20:23 . 2008-12-03 06:08 <DIR> d--hs---- c:\windows\Q3VjIFR1
2008-12-01 20:22 . 2008-12-03 06:08 <DIR> d-------- c:\windows\system32\VC
2008-12-01 20:22 . 2008-12-03 06:08 <DIR> d-------- c:\windows\system32\uv9
2008-12-01 20:22 . 2008-12-03 06:22 <DIR> d-------- c:\windows\system32\ki3
2008-12-01 20:22 . 2008-12-01 20:22 <DIR> d-------- c:\windows\system32\hov
2008-12-01 20:22 . 2008-12-01 20:23 <DIR> d-------- c:\windows\system32\bin
2008-11-30 10:04 . 2008-11-30 10:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-30 09:58 . 2008-11-30 09:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2008-11-30 09:54 . 2008-11-30 09:54 <DIR> d-------- c:\program files\Bonjour
2008-11-30 09:29 . 2008-11-30 09:29 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-24 08:42 . 2008-11-24 08:42 366,592 --a------ c:\windows\system32\osuxedmbukrxv.dll
2008-11-23 20:28 . 2008-11-29 15:59 12,496 --a------ c:\windows\MSPuzzle.dat
2008-11-23 20:16 . 2008-11-23 20:16 <DIR> d-------- c:\program files\Microsoft Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-12-05 04:26 --------- d-----w c:\program files\SpywareGuard
2008-12-05 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 02:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 02:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 02:29 --------- d-----w c:\program files\SpywareBlaster
2008-11-30 17:54 --------- d-----w c:\program files\Common Files\Adobe
2008-11-24 04:17 --------- d-----w c:\documents and settings\P4\Application Data\Tyre
2007-05-10 18:47 4,499 ----a-w c:\program files\Common Files\Waveguides-S8x0D.lst
2007-05-10 18:47 21,100 ----a-w c:\program files\Common Files\AllFreqCable.lst
2006-04-28 01:59 19,594 ----a-w c:\program files\Common Files\CABLES-S8x0D.LST
2005-07-30 00:24 472 --sha-r c:\windows\Q3VjIFR1\kap3KIlY.vbs
.
((((((((((((((((((((((((((((( snapshot@2008-12-02_20.54.03.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 21:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-22 02:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-12-05 02:15:29 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 18:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
- 2008-12-03 04:49:32 220,186 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-05 05:05:43 220,175 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-05 05:05:21 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_16c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
Cuc Tu
12-05-2008, 01:53 AM
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-06-07 4670968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ATI Scheduler"="c:\program files\ATI Multimedia\MAIN\ATISched.EXE" [2004-11-04 45133]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2004-11-04 69707]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-12-04 406016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Iomega Automatic Backup 1.0.1"="c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-10-15 3014656]
"GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 94208]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-26 344064]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]
"CTHelper"="CTHELPER.EXE" [2003-08-28 c:\windows\system32\CTHELPER.EXE]
c:\documents and settings\P4\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]
UMAX VistaAccess.lnk - c:\vstascan\vsaccess.exe [2005-09-02 159744]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2007-06-27 106551]
ZDWLan Utility.lnk - c:\program files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2007-01-06 483328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lgxybc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\system32\ctmp3.acm
"VIDC.YV12"= xl_yv12.dll
"VIDC.YU12"= ATIYUV12.DLL
"VIDC.HFYU"= huffyuv.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.D263"= xl_x263dec.dll
"VIDC.XJPG"= camfc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=2 (0x2)
"cmdService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\Windows Media Components\\Encoder\\wmenc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"80:TCP"= 80:TCP:HTTP
"2799:UDP"= 2799:UDP:*:Disabled:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:*:Disabled:Altova License Metering Port (TCP)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 GhPciScan;GhostPciScanner;\??\c:\program files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 5632]
R1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys [2008-08-28 8576]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2006-11-22 366080]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-01-23 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-01-23 28800]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\AEC671 X.SYS [2005-09-02 12128]
S1 ati1snxxx;ati1snxxx;c:\windows\system32\drivers\at i1snxxx.sys []
S1 DMX3191;DMX3191;c:\windows\system32\drivers\DMX319 1.SYS [2005-09-02 17700]
S2 UDNT;UDNT;c:\windows\system32\drivers\UDNT.sys [2005-09-02 76260]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2006-09-17 20608]
S3 cusbohcn;cusbohcn;\??\c:\docume~1\P4\LOCALS~1\Temp \cusbohcn.sys []
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\Wi nTV\HCWTVS~1.EXE [2007-06-27 815104]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\DRIVERS\ucdnt.sys [2007-10-13 1001120]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-09-17 402944]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{5404e307-e067-11d9-904f-000d8756f371}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5084F01D-458E-45EB-A6FD-692D4C9D2789}]
c:\windows\system32\msiexec.exe /qn /fpu {5084F01D-458E-45EB-A6FD-692D4C9D2789}
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Home.html
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Edit with Altova X&MLSpy - c:\program files\Altova\XMLSpy2008\spy.htm
FireFox -: Profile - c:\documents and settings\P4\Application Data\Mozilla\Firefox\Profiles\jiwrcx2p.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - file:///C:/Home.html
.
************************************************** ************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2008-12-04 21:33:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\I omega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(500)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-04 21:35:19
ComboFix-quarantined-files.txt 2008-12-05 05:34:31
ComboFix2.txt 2008-12-05 03:31:41
ComboFix3.txt 2008-12-04 14:45:27
ComboFix4.txt 2008-12-03 04:55:09
Pre-Run: 13,444,825,088 bytes free
Post-Run: 13,431,775,232 bytes free
178
Cuc Tu
12-05-2008, 01:54 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:55 PM, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\WinTV\Ir.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\VSTASCAN\vsaccess.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191705583984[/url]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191705525968[/url]
O20 - AppInit_DLLs: lgxybc.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
--
End of file - 8193 bytes
Cuc Tu
12-05-2008, 01:57 AM
What do I do when I'm running a scan and SpyBot and Avira pop-up with a warning?
I.E., during MBAM, spybot asks to allow or deny a reg. change and during ComboFix, Avira identifies a trojan.
1. Disconnect from the Internet, while scanning.
2. Turn off/disable Spybot. <===This is very important, because having Spybot's resident protection enabled during a cleanup operation can actually prevent the infection from being cleaned up!
3. Ignore the 'virus' warning from Avira, and most importantly...Don't let it 'fix' Combofix! Combofix and similar tools are very powerful programs that work at a level that most consumer software does not, as such, many AV programs flag them as 'dangerous'. They do not harbor malware!!! If you do let it 'fix' Combofix, then Combofix will be broken and not do what it needs to do.
If it won't let you ignore the warning then disable Avira during the run of Combofix.
After following the above steps, repeat the process outlined earlier...along with posting fresh logs.
Cuc Tu
12-05-2008, 11:54 AM
Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 2
12/5/2008 5:05:07 AM
mbam-log-2008-12-05 (05-05-07).txt
Scan type: Full Scan (C:\|)
Objects scanned: 167758
Time elapsed: 5 hour(s), 34 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\P4\Application Data\gadcom\gadcom.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\P4\Application Data\NI.GSCNS\IUpd721.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C3A006DC-2D07-43B2-B0E3-FDC44A732706}\RP2\A0000060.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C3A006DC-2D07-43B2-B0E3-FDC44A732706}\RP2\A0000061.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C3A006DC-2D07-43B2-B0E3-FDC44A732706}\RP2\A0000062.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C3A006DC-2D07-43B2-B0E3-FDC44A732706}\RP2\A0000069.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C3A006DC-2D07-43B2-B0E3-FDC44A732706}\RP2\A0000070.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C3A006DC-2D07-43B2-B0E3-FDC44A732706}\RP2\A0000074.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C3A006DC-2D07-43B2-B0E3-FDC44A732706}\RP2\A0000076.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hov\BATU2I3X.exe (Adware.Agent) -> Quarantined and deleted successfully.
Cuc Tu
12-05-2008, 11:55 AM
ComboFix 08-12-04.05 - P4 2008-12-05 5:09:40.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1029 [GMT -8:00]
Running from: c:\documents and settings\P4\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.
2008-12-03 06:15 . 2008-12-03 06:15 <DIR> d-------- c:\program files\Avira
2008-12-03 06:15 . 2008-12-03 06:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-02 19:02 . 2008-12-02 19:02 <DIR> d-------- c:\documents and settings\P4\Application Data\Malwarebytes
2008-12-02 19:01 . 2008-12-04 18:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-02 19:01 . 2008-12-02 19:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-02 19:01 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-02 19:01 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 20:23 . 2008-12-03 06:08 <DIR> d--hs---- c:\windows\Q3VjIFR1
2008-12-01 20:22 . 2008-12-03 06:08 <DIR> d-------- c:\windows\system32\VC
2008-12-01 20:22 . 2008-12-03 06:08 <DIR> d-------- c:\windows\system32\uv9
2008-12-01 20:22 . 2008-12-03 06:22 <DIR> d-------- c:\windows\system32\ki3
2008-12-01 20:22 . 2008-12-05 05:05 <DIR> d-------- c:\windows\system32\hov
2008-12-01 20:22 . 2008-12-01 20:23 <DIR> d-------- c:\windows\system32\bin
2008-11-30 10:04 . 2008-11-30 10:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-30 09:58 . 2008-11-30 09:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2008-11-30 09:54 . 2008-11-30 09:54 <DIR> d-------- c:\program files\Bonjour
2008-11-30 09:29 . 2008-11-30 09:29 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-24 08:42 . 2008-11-24 08:42 366,592 --a------ c:\windows\system32\osuxedmbukrxv.dll
2008-11-23 20:28 . 2008-11-29 15:59 12,496 --a------ c:\windows\MSPuzzle.dat
2008-11-23 20:16 . 2008-11-23 20:16 <DIR> d-------- c:\program files\Microsoft Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-12-05 04:26 --------- d-----w c:\program files\SpywareGuard
2008-12-05 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 02:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 02:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 02:29 --------- d-----w c:\program files\SpywareBlaster
2008-11-30 17:54 --------- d-----w c:\program files\Common Files\Adobe
2008-11-24 04:17 --------- d-----w c:\documents and settings\P4\Application Data\Tyre
2007-05-10 18:47 4,499 ----a-w c:\program files\Common Files\Waveguides-S8x0D.lst
2007-05-10 18:47 21,100 ----a-w c:\program files\Common Files\AllFreqCable.lst
2006-04-28 01:59 19,594 ----a-w c:\program files\Common Files\CABLES-S8x0D.LST
2005-07-30 00:24 472 --sha-r c:\windows\Q3VjIFR1\kap3KIlY.vbs
.
((((((((((((((((((((((((((((( snapshot@2008-12-02_20.54.03.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 21:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-22 02:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-12-05 02:15:29 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 18:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
- 2008-12-03 04:49:32 220,186 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-05 05:05:43 220,175 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-05 05:05:21 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_16c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-06-07 4670968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ATI Scheduler"="c:\program files\ATI Multimedia\MAIN\ATISched.EXE" [2004-11-04 45133]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2004-11-04 69707]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-12-04 406016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Iomega Automatic Backup 1.0.1"="c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-10-15 3014656]
"GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 94208]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-26 344064]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]
"CTHelper"="CTHELPER.EXE" [2003-08-28 c:\windows\system32\CTHELPER.EXE]
c:\documents and settings\P4\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]
UMAX VistaAccess.lnk - c:\vstascan\vsaccess.exe [2005-09-02 159744]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2007-06-27 106551]
ZDWLan Utility.lnk - c:\program files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2007-01-06 483328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lgxybc.dll
Cuc Tu
12-05-2008, 11:55 AM
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\system32\ctmp3.acm
"VIDC.YV12"= xl_yv12.dll
"VIDC.YU12"= ATIYUV12.DLL
"VIDC.HFYU"= huffyuv.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.D263"= xl_x263dec.dll
"VIDC.XJPG"= camfc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=2 (0x2)
"cmdService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\Windows Media Components\\Encoder\\wmenc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"80:TCP"= 80:TCP:HTTP
"2799:UDP"= 2799:UDP:*:Disabled:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:*:Disabled:Altova License Metering Port (TCP)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 GhPciScan;GhostPciScanner;\??\c:\program files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 5632]
R1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys [2008-08-28 8576]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2006-11-22 366080]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-01-23 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-01-23 28800]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\AEC671 X.SYS [2005-09-02 12128]
S1 ati1snxxx;ati1snxxx;c:\windows\system32\drivers\at i1snxxx.sys []
S1 DMX3191;DMX3191;c:\windows\system32\drivers\DMX319 1.SYS [2005-09-02 17700]
S2 UDNT;UDNT;c:\windows\system32\drivers\UDNT.sys [2005-09-02 76260]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2006-09-17 20608]
S3 cusbohcn;cusbohcn;\??\c:\docume~1\P4\LOCALS~1\Temp \cusbohcn.sys []
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\Wi nTV\HCWTVS~1.EXE [2007-06-27 815104]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\DRIVERS\ucdnt.sys [2007-10-13 1001120]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-09-17 402944]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{5404e307-e067-11d9-904f-000d8756f371}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5084F01D-458E-45EB-A6FD-692D4C9D2789}]
c:\windows\system32\msiexec.exe /qn /fpu {5084F01D-458E-45EB-A6FD-692D4C9D2789}
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Home.html
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Edit with Altova X&MLSpy - c:\program files\Altova\XMLSpy2008\spy.htm
FireFox -: Profile - c:\documents and settings\P4\Application Data\Mozilla\Firefox\Profiles\jiwrcx2p.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - file:///C:/Home.html
.
************************************************** ************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2008-12-05 05:13:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\I omega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(500)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-05 5:15:43
ComboFix-quarantined-files.txt 2008-12-05 13:14:48
ComboFix2.txt 2008-12-05 05:35:23
ComboFix3.txt 2008-12-05 03:31:41
ComboFix4.txt 2008-12-04 14:45:27
ComboFix5.txt 2008-12-05 13:07:19
Pre-Run: 13,413,257,216 bytes free
Post-Run: 13,391,343,616 bytes free
178
Cuc Tu
12-05-2008, 11:56 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:22 AM, on 12/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\WinTV\Ir.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\VSTASCAN\vsaccess.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191705583984[/url]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191705525968[/url]
O20 - AppInit_DLLs: lgxybc.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
--
End of file - 7723 bytes
classicsoftware
12-05-2008, 09:00 PM
How is the system running.???????????????
Cuc Tu
12-06-2008, 10:37 AM
The system seems to start up slow as there are many more processes than before. Also, the mouse pauses every second and a video will pause (studder) every second (CPU ~22% during playback).
Some tray icons are still missing: Avira, SG, iTouch Keyboard, Ghost.
I cannot get into SpywareGuard as there is no tray icon and launching the program seems to do nothing.
Other apps seem OK.
I must have gone through the list of MBAM, ComboFix, HJT, Avira, Spybot about 5 times now.
3rd time logs above
The last two are below and hopefully done correctly after updating the programs, rebooting with everything ON, internet physically unplugged, Avira/Spybot disabled, SG running as I cannot get into it.
4th logs below:
Cuc Tu
12-06-2008, 10:37 AM
Sorry, the 4th log is above already, below is Avira scan after the above:
Avira AntiVir Personal
Report file date: Friday, December 05, 2008 08:02
Scanning for 1075186 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: ENERMAX
Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 12/5/2008 02:15:23
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 17:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 22:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 17:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 02:15:24
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 02:15:24
ANTIVIR2.VDF : 7.1.0.160 571392 Bytes 11/30/2008 02:15:24
ANTIVIR3.VDF : 7.1.0.194 217088 Bytes 12/5/2008 14:32:39
Engineversion : 8.2.0.41
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 20:05:56
AESCRIPT.DLL : 8.1.1.17 336251 Bytes 12/5/2008 02:15:29
AESCN.DLL : 8.1.1.5 123251 Bytes 12/5/2008 02:15:28
AERDL.DLL : 8.1.1.3 438645 Bytes 12/5/2008 02:15:24
AEPACK.DLL : 8.1.3.4 393591 Bytes 12/5/2008 02:15:24
AEOFFICE.DLL : 8.1.0.31 196987 Bytes 12/5/2008 02:15:24
AEHEUR.DLL : 8.1.0.74 1519990 Bytes 12/5/2008 02:15:24
AEHELP.DLL : 8.1.2.0 119159 Bytes 12/5/2008 02:15:24
AEGEN.DLL : 8.1.1.6 323955 Bytes 12/5/2008 02:15:24
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 20:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 12/5/2008 02:15:24
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 20:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 18:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 19:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 12/5/2008 02:15:24
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 21:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 18:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 22:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 03:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 22:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 22:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 23:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 23:34:37
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: Friday, December 05, 2008 08:02
Starting search for hidden objects.
'64661' objects were checked, '0' hidden objects were found.
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'sgbhp.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'vsaccess.exe' - '1' Module(s) have been scanned
Scan process 'sgmain.exe' - '1' Module(s) have been scanned
Scan process 'Ir.exe' - '1' Module(s) have been scanned
Scan process 'atidtct.exe' - '1' Module(s) have been scanned
Scan process 'AtiSched.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'EM_EXEC.EXE' - '1' Module(s) have been scanned
Scan process 'GhostStartTrayApp.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'snmp.exe' - '1' Module(s) have been scanned
Scan process 'tcpsvcs.exe' - '1' Module(s) have been scanned
Scan process 'PhotoshopElementsDeviceConnect.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'AppServices.exe' - '1' Module(s) have been scanned
Scan process 'inetinfo.exe' - '1' Module(s) have been scanned
Scan process 'GhostStartService.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'PhotoshopElementsFileAgent.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
42 processes with 42 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '75' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{C3A006DC-2D07-43B2-B0E3-FDC44A732706}\RP2\A0000063.exe
[DETECTION] Is the TR/Dldr.Agent.afzg Trojan
[NOTE] The file was moved to '4969ec78.qua'!
C:\System Volume Information\_restore{C3A006DC-2D07-43B2-B0E3-FDC44A732706}\RP2\A0000065.exe
[DETECTION] Is the TR/Agent.tzh Trojan
[NOTE] The file was moved to '4969ec79.qua'!
C:\System Volume Information\_restore{C3A006DC-2D07-43B2-B0E3-FDC44A732706}\RP2\A0000068.exe
[DETECTION] Is the TR/Dldr.Agent.afzg Trojan
[NOTE] The file was moved to '4969ec7a.qua'!
C:\System Volume Information\_restore{C3A006DC-2D07-43B2-B0E3-FDC44A732706}\RP4\A0000562.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4969ec9d.qua'!
Begin scan in 'D:\' <Local Disk>
End of the scan: Friday, December 05, 2008 19:38
Used time: 11:35:30 Hour(s)
The scan has been done completely.
8417 Scanning directories
390367 Files were scanned
4 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
4 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
390362 Files not concerned
2749 Archives were scanned
1 Warnings
4 Notes
64661 Objects were scanned with rootkit scan
0 Hidden objects were found
Cuc Tu
12-06-2008, 10:41 AM
Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 2
12/6/2008 5:50:53 AM
mbam-log-2008-12-06 (05-50-53).txt
Scan type: Full Scan (C:\|)
Objects scanned: 167829
Time elapsed: 5 hour(s), 57 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Cuc Tu
12-06-2008, 10:43 AM
ComboFix 08-12-04.05 - P4 2008-12-06 5:54:55.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1058 [GMT -8:00]
Running from: c:\documents and settings\P4\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.
2008-12-03 06:15 . 2008-12-03 06:15 <DIR> d-------- c:\program files\Avira
2008-12-03 06:15 . 2008-12-03 06:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-02 19:02 . 2008-12-02 19:02 <DIR> d-------- c:\documents and settings\P4\Application Data\Malwarebytes
2008-12-02 19:01 . 2008-12-04 18:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-02 19:01 . 2008-12-02 19:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-02 19:01 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-02 19:01 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 20:23 . 2008-12-03 06:08 <DIR> d--hs---- c:\windows\Q3VjIFR1
2008-12-01 20:22 . 2008-12-03 06:08 <DIR> d-------- c:\windows\system32\VC
2008-12-01 20:22 . 2008-12-03 06:08 <DIR> d-------- c:\windows\system32\uv9
2008-12-01 20:22 . 2008-12-03 06:22 <DIR> d-------- c:\windows\system32\ki3
2008-12-01 20:22 . 2008-12-05 05:05 <DIR> d-------- c:\windows\system32\hov
2008-12-01 20:22 . 2008-12-01 20:23 <DIR> d-------- c:\windows\system32\bin
2008-11-30 10:04 . 2008-11-30 10:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-30 09:58 . 2008-11-30 09:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2008-11-30 09:54 . 2008-11-30 09:54 <DIR> d-------- c:\program files\Bonjour
2008-11-30 09:29 . 2008-11-30 09:29 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-24 08:42 . 2008-11-24 08:42 366,592 --a------ c:\windows\system32\osuxedmbukrxv.dll
2008-11-23 20:28 . 2008-11-29 15:59 12,496 --a------ c:\windows\MSPuzzle.dat
2008-11-23 20:16 . 2008-11-23 20:16 <DIR> d-------- c:\program files\Microsoft Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-12-05 04:26 --------- d-----w c:\program files\SpywareGuard
2008-12-05 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 02:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 02:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 02:29 --------- d-----w c:\program files\SpywareBlaster
2008-11-30 17:54 --------- d-----w c:\program files\Common Files\Adobe
2008-11-24 04:17 --------- d-----w c:\documents and settings\P4\Application Data\Tyre
2007-05-10 18:47 4,499 ----a-w c:\program files\Common Files\Waveguides-S8x0D.lst
2007-05-10 18:47 21,100 ----a-w c:\program files\Common Files\AllFreqCable.lst
2006-04-28 01:59 19,594 ----a-w c:\program files\Common Files\CABLES-S8x0D.LST
2005-07-30 00:24 472 --sha-r c:\windows\Q3VjIFR1\kap3KIlY.vbs
.
((((((((((((((((((((((((((((( snapshot@2008-12-02_20.54.03.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 21:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-22 02:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-12-05 02:15:29 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 18:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
- 2008-12-03 04:49:32 220,186 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-06 04:13:17 220,175 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-06 04:10:11 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_124.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-06-07 4670968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ATI Scheduler"="c:\program files\ATI Multimedia\MAIN\ATISched.EXE" [2004-11-04 45133]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2004-11-04 69707]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-12-04 406016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Iomega Automatic Backup 1.0.1"="c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-10-15 3014656]
"GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 94208]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-26 344064]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]
"CTHelper"="CTHELPER.EXE" [2003-08-28 c:\windows\system32\CTHELPER.EXE]
c:\documents and settings\P4\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]
UMAX VistaAccess.lnk - c:\vstascan\vsaccess.exe [2005-09-02 159744]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2007-06-27 106551]
ZDWLan Utility.lnk - c:\program files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2007-01-06 483328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lgxybc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\system32\ctmp3.acm
"VIDC.YV12"= xl_yv12.dll
"VIDC.YU12"= ATIYUV12.DLL
"VIDC.HFYU"= huffyuv.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.D263"= xl_x263dec.dll
"VIDC.XJPG"= camfc.dll
Cuc Tu
12-06-2008, 10:43 AM
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=2 (0x2)
"cmdService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\Windows Media Components\\Encoder\\wmenc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"80:TCP"= 80:TCP:HTTP
"2799:UDP"= 2799:UDP:*:Disabled:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:*:Disabled:Altova License Metering Port (TCP)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 GhPciScan;GhostPciScanner;\??\c:\program files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 5632]
R1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys [2008-08-28 8576]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2006-11-22 366080]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-01-23 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-01-23 28800]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\AEC671 X.SYS [2005-09-02 12128]
S1 ati1snxxx;ati1snxxx;c:\windows\system32\drivers\at i1snxxx.sys []
S1 DMX3191;DMX3191;c:\windows\system32\drivers\DMX319 1.SYS [2005-09-02 17700]
S2 UDNT;UDNT;c:\windows\system32\drivers\UDNT.sys [2005-09-02 76260]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2006-09-17 20608]
S3 cusbohcn;cusbohcn;\??\c:\docume~1\P4\LOCALS~1\Temp \cusbohcn.sys []
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\Wi nTV\HCWTVS~1.EXE [2007-06-27 815104]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\DRIVERS\ucdnt.sys [2007-10-13 1001120]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-09-17 402944]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{5404e307-e067-11d9-904f-000d8756f371}]
\Shell\AutoRun\command - F:\setupSNK.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5084F01D-458E-45EB-A6FD-692D4C9D2789}]
c:\windows\system32\msiexec.exe /qn /fpu {5084F01D-458E-45EB-A6FD-692D4C9D2789}
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Home.html
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Edit with Altova X&MLSpy - c:\program files\Altova\XMLSpy2008\spy.htm
FireFox -: Profile - c:\documents and settings\P4\Application Data\Mozilla\Firefox\Profiles\jiwrcx2p.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - file:///C:/Home.html
.
************************************************** ************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2008-12-06 05:59:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\I omega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-06 6:01:19
ComboFix-quarantined-files.txt 2008-12-06 14:00:24
ComboFix2.txt 2008-12-05 13:15:47
ComboFix3.txt 2008-12-05 05:35:23
ComboFix4.txt 2008-12-05 03:31:41
ComboFix5.txt 2008-12-06 13:53:52
Pre-Run: 13,391,462,400 bytes free
Post-Run: 13,368,606,720 bytes free
178
Cuc Tu
12-06-2008, 10:44 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:23 AM, on 12/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\WinTV\Ir.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191705583984[/url]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191705525968[/url]
O20 - AppInit_DLLs: lgxybc.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
--
End of file - 7674 bytes
Cuc Tu
12-06-2008, 10:46 AM
And I have no idea why I have
C:\Program Files\Bonjour\mDNSResponder.exe
classicsoftware
12-06-2008, 10:57 AM
At this point having not been in on all of the things you have done to this system before posting and not being able to see the system directly, it appears that during the cleaning process, you have corrupted your Windows installation. The best bet at this point is to back up your data and repair your Windows installation.
Cuc Tu
12-06-2008, 11:08 AM
Well, that's not so bad. I was thinking the only real way to fix it was to format and start over.
classicsoftware
12-06-2008, 11:20 AM
If you have an actual Windows disk, you can do a repair installation. If you have an install disk, you must start over. Either way, backup your data and uninstall ALL security software from your system first.
Cuc Tu
12-08-2008, 07:06 PM
I have an OEM disk, full Win XP.
Any idea where C:\Program Files\Bonjour\mDNSResponder.exe came from?
It's supposed to be a legit app for iPod or iTunes, but I did not install it.
It just looks like a virus to me, every part of it.
Cuc Tu
12-08-2008, 09:36 PM
Intersting bit about Adobe/Apple conspiracy to install spyware on your machine:
http://www.x64bit.net/site/board/index.php?showtopic=4214&st=0
There are many things besides iTunes and Adobe that install it...
classicsoftware
12-08-2008, 11:02 PM
Open Hijackthis and place a check next to:
O20 - AppInit_DLLs: lgxybc.dll
Close all open program and browser windows except for Hijackthis and click fix checked
Re-boot
Post a fresh log
Tell me how the system is running.
Cuc Tu
12-09-2008, 01:28 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:49 PM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191705583984[/url]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191705525968[/url]
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
--
End of file - 7311 bytes
Cuc Tu
12-09-2008, 01:30 AM
Hi,
My PC boots up and seems to run OK. Takes a while to load and I still feel it a bit slow, but it's a work'n.
I also unistalled some applications that I'm not using and ran the old ATI display drivers' uninstall utility.
Still missing tray icons, and I chickened out of trying to repair XP.
Oh yeah, tray icons came back after installing XP SP3, but dissapeared after uninstalling some pgms
vBulletin v3.6.1, Copyright ©2000-2012, Jelsoft Enterprises Ltd.