View Full Version : Registry values changing to RECYCLER folder
KStew308
02-03-2009, 06:12 PM
Hello,
I am running Windows XP, Service Pack 2.
Recently, I went to My Computer to double-click and access my C drive. I have a habit of going that route to get to Program Files instead of just making a shortcut to the Program Files folder.
However, when I double-clicked on the C drive icon, nothing happened. I noticed the fan suddenly whirled and the hard drive activity light blinked rapidly on my laptop. I popped open Task Manager to see what process was eating me up.
S-4-8-56-100003052-100031905-100028435-6683 was running. Since it's suspicious to me, and a quick Google search didn't acknowledge it, I shut it down, then researched further. I discovered that there was something in the RECYCLER folder in the C: drive with that name, though I can't seem to access it or find it, even with hidden files and folders on and typing in the address.
I opened regedit and did a search for RECYCLER, and found two places in the registry where AutoRun and Open were set to RECYCLER and some alphanumeric string with the dashes, similar to the one above. I changed it back to just base C:\, a little puzzled, and somewhat worried.
After a while, the registry changes back to the RECYCLER folder, except each time with a new string.
I did a scan with AVG which yielded nothing. I've forgotten where the exact registry values were, and it hasn't reset itself yet, so I can't give that detail (yet).
I found a thread on your forums somewhere in here about RECYCLER and the alphanumeric string, which is why I'm posting here. (:
I hope that's enough information. That's about all I can say right now without any prompting for something I forgot.
I know I went a little overboard on the details, but I'm a rambling kind of person... can't help it! (:
Any help would be appreciated. It doesn't seem to be malicious, because otherwise, I haven't noticed anything out of the ordinary.
Thanks,
K. Stew
Paul Komski
02-03-2009, 06:43 PM
The RECYCLER folder is the underlying folder for the Recycle Bin, which is a MS Special or Virtual Folder. The "SID Identity" S ....... folder(s) inside it relate to the files deleted by different identities/users.
KStew308
02-03-2009, 11:26 PM
@mjc - By version, do you mean Home Edition vs. Professional vs. ... etc.? The answer to that would be Professional.
@Paul Komski - Yes, sorry, I don't think I explained my problem well enough. I understand what the RECYCLER folder is and the "SID Identity" ... ah, so that's what it's called! That sounds much more official than alphanumeric-with-dashes-thingie (: ... I understand what they are.
My problem is that there is a registry value that is setting the C:\ drive icon link in the My Computer folder to, instead of C:\ as usual, C:\RECYCLER\"SID Identity", and if I unknowingly double-click on the C:\ icon, it acts like it's trying to run the SID Identity folder as an .exe.
Post a HJT log...that is not 'normal', even for a screw up.
http://www.pcguide.com/vb/showthread.php?t=60009
KStew308
02-04-2009, 01:40 AM
Of course, once I swallowed my pride and posted here about it, it won't do it. Honestly. It's like that guy with the talking frog that only spoke in front of him.
However, when I restarted the computer before running the HijackThis (wasn't sure if I was supposed to, but thought it couldn't hurt), there was a blip of a blue screen before it shut down, so now I'm paranoid. (:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:50 AM, on 2/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\WINDOWS\ABLKSR\ABLKSR.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\System\CmFlywav.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Documents and Settings\Leigh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Documents and Settings\Leigh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\System\CMAS2DS.EXE
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surfentry.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asus.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Cmaudiow] RunDll32 cmcnfgw.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [b043dfff] rundll32.exe "C:\WINDOWS\system32\leieqdnw.dll",b
KStew308
02-04-2009, 01:40 AM
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Leigh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-21-1836929278-579920100-1401729743-1005\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'cadmin')
O4 - Global Startup: MultiFrame.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\gprs.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3116BB0A-BC09-495F-9612-E725B62F412D}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{A988DEA3-798B-4CC1-ADBF-4B36F3C2B9C7}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFA2DCF4-428F-4C89-A039-E449F3CB6659}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll
O20 - AppInit_DLLs: wvmyku.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crossfire server (Crossfire) - Unknown owner - C:\Program Files\Crossfire Server\Crossfire32.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.30\bin\mysqld.exe (file missing)
--
End of file - 11850 bytes
GOSH, I need to clean some of the junk off here... *shy*
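The helpers read a log like the one above by eye, but the entries that draw their attention (a rundll32 line under a hex-string entry name, an .exe in system32 launched from a per-user Run key, hard-coded NameServer addresses under O17, a populated AppInit_DLLs value, a service whose binary is missing) follow patterns that can be checked mechanically. The following is an added example, not code from this thread and not part of HijackThis: it parses HJT v2 log lines (the sample is constructed from lines in the log above) and applies a handful of triage heuristics that are my own assumptions about what deserves a second look, not a vendor signature. Everything it reports is "review this", not "this is malicious".

```python
import ipaddress
import re

# Constructed sample: HijackThis v2 log lines copied from, or modelled on,
# the log posted above. Only the line kinds the checks below look at are here.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [b043dfff] rundll32.exe "C:\WINDOWS\system32\leieqdnw.dll",b
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3116BB0A-BC09-495F-9612-E725B62F412D}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - AppInit_DLLs: wvmyku.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

# Line shapes HijackThis v2 uses for the sections we care about.
O4_RE = re.compile(r'^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (.*)$')
O23_RE = re.compile(r'^O23 - Service: .* \(file missing\)$')
# Heuristic (assumption): legitimate vendors name their Run entries, malware
# droppers often use a random 8-hex-digit name such as [b043dfff].
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)


def check_o4(hive, name, cmd):
    """Return the reasons an O4 Run entry deserves review (empty if none)."""
    low = cmd.lower()
    reasons = []
    if "rundll32" in low and HEX_NAME_RE.match(name):
        reasons.append("rundll32 loading a DLL under a hex-string entry name")
    # Heuristic (assumption): per-user Run keys point at per-user or Program
    # Files paths; one that launches a file straight out of system32 is odd.
    if hive == "HKCU" and "\\system32\\" in low:
        reasons.append("per-user Run entry launching a file from system32")
    return reasons


def public_dns(servers):
    """Return the entries of a comma-separated NameServer value that are public IPs."""
    out = []
    for s in servers.split(","):
        s = s.strip()
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            continue  # not an address; nothing to classify
        if ip.is_global:
            out.append(s)
    return out


def triage_hjt(text):
    """Walk HJT log lines and return [{'line': ..., 'reasons': [...]}, ...]."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            reasons = check_o4(m.group(1), m.group(2), m.group(3))
            if reasons:
                findings.append({"line": line, "reasons": reasons})
            continue
        m = O17_RE.match(line)
        if m:
            pub = public_dns(m.group(1))
            if pub:
                findings.append({"line": line, "reasons": [
                    "hard-coded public DNS servers: " + ", ".join(pub)]})
            continue
        m = O20_RE.match(line)
        if m and m.group(1).strip():
            # AppInit_DLLs is loaded into every process that loads user32.dll.
            findings.append({"line": line, "reasons": [
                "AppInit_DLLs set: DLL injected into every user32 process"]})
            continue
        if O23_RE.match(line):
            findings.append({"line": line, "reasons": ["service binary missing on disk"]})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f["line"])
        for r in f["reasons"]:
            print("    -> " + r)
```

The O17 check deliberately reports any public resolver rather than a fixed address list: a router or ISP resolver will show up too, and it is for the analyst to decide which is which. The O4 heuristics are tuned for this log; a clean machine with an unusual vendor can trip them, which is why the output is a review list rather than a verdict.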
KStew308
02-04-2009, 02:09 PM
Sorry, I didn't see an option to edit previous messages, so forgive me for somewhat triple-posting... however, it did it again, so I have some small screenshot clips. It can't make me out to be a liar this time (:
http://img22.imageshack.us/img22/7826/recyclerps5.png
1st clip is of task manager processes after I tried to access the C:/ drive, then 2nd and 3rd are the registry values. They are located at:
My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c03500a2-a3b8-11dc-aff8-806d6172696f}\Shell\
then AutoRun\command for the 2nd and Open\command for the 3rd.
Paul Komski
02-04-2009, 02:41 PM
The recycler SID-like "sub-folders" that you have shown are not folders at all but executable files with a .com file extension.
As mjc sussed, they are almost beyond doubt malware/viruses/rootkits.
Entries like [b043dfff] rundll32.exe "C:\WINDOWS\system32\leieqdnw.dll",b in the HJT logs are also very, very suspicious. I am not a malware expert, so wait till those that are respond.
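The pattern Paul describes (a .com file named like a SID, staged under RECYCLER and wired into the volume's Shell\AutoRun and Shell\Open commands so that double-clicking the drive runs it) can be spotted mechanically. The following is an added example, not code from this thread or from any of the tools it recommends: it parses a MountPoints2 listing in the layout ComboFix prints in its "Reg Loading Points" section (the sample is constructed from the entries posted later in this thread) and flags the commands that match. The four heuristics are my own assumptions about what a hijacked entry looks like, not a signature from any vendor.

```python
import re

# Constructed sample: a MountPoints2 dump in the layout ComboFix uses,
# modelled on the entries posted in this thread. The E: volume carries a
# U3 USB-stick launcher, which is the usual benign case.
SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-6-5-43-100015159-100013614-100000506-6073.com c:\
\Shell\Open\command - c:\recycler\S-6-5-43-100015159-100013614-100000506-6073.com c:\
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0857d3f1-224e-11dd-b94e-0015830b9166}]
\Shell\AutoRun\command - E:\t.com
\Shell\explore\Command - E:\t.com
\Shell\open\Command - E:\t.com
"""

# A key header names the volume: a drive letter or a volume GUID.
KEY_RE = re.compile(r"^\[.*\\mountpoints2\\([^\]]+)\]$", re.IGNORECASE)
# A command line under it: \Shell\<verb>\command - <command line>
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
# Heuristic (assumption): SIDs name Recycle Bin subfolders, never executables,
# so a file called S-n-n-n...com/.exe is itself the disguise.
SID_FILE_RE = re.compile(r"\bS-\d+(?:-\d+){2,}\.(?:com|exe|scr|pif|bat|cmd)\b", re.IGNORECASE)
# Heuristic (assumption): a short-named .com sitting directly at a volume root.
ROOT_COM_RE = re.compile(r"\b[a-z]:\\[^\\\s]{1,8}\.com\b", re.IGNORECASE)


def flags_for(command):
    """Return the reasons a Shell\\*\\command line deserves review (empty if none)."""
    reasons = []
    low = command.lower()
    if "recycler" in low:
        reasons.append("launches a file staged under RECYCLER")
    if SID_FILE_RE.search(command):
        reasons.append("executable named like a user SID")
    if "shellexec_rundll" in low:
        # rundll32 shell32.dll,ShellExec_RunDLL <file> is the classic autorun launcher.
        reasons.append("uses rundll32 ShellExec_RunDLL to launch the payload")
    if ROOT_COM_RE.search(command):
        reasons.append(".com executable at the volume root")
    return reasons


def triage_mountpoints(text):
    """Parse a MountPoints2 dump and return the flagged commands, in file order."""
    findings = []
    volume = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            volume = m.group(1)
            continue
        m = CMD_RE.match(line)
        if m and volume is not None:
            verb, command = m.group(1), m.group(2).strip()
            reasons = flags_for(command)
            if reasons:
                findings.append({"volume": volume, "verb": verb,
                                 "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_mountpoints(SAMPLE):
        print("%s  Shell\\%s\\command" % (f["volume"], f["verb"]))
        print("    " + f["command"])
        for r in f["reasons"]:
            print("    -> " + r)
```

These Shell\*\command values are Explorer's cache of what it parsed from the volume's autorun.inf, which is why the original poster's hand edits kept reverting: the dropper rewrites autorun.inf and the cache follows. On the live machine the same dump can be taken with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /s` and fed to the script after trimming it to the key and command lines.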
There are several indicators of infection, please follow these steps.
It is best to download the tools on a known clean machine and store them on some form of portable storage, such as a USB memory stick, or to burn them onto a CD (a CD-RW will work just fine). After using the portable storage media (unless it is a burned CD), you need to totally erase it...zero fill. Then transfer them to the problem machine and run them as directed. This is especially helpful in cases of browser redirection or problematic internet connectivity.
First:
How to run a scan with Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.
Second:
Now run Combofix...follow the instructions, exactly.
Please do the following:
Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop (it needs to be run from the Desktop). Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you.
Note:
Do not mouseclick Combofix's window while it is running. That may cause the program to stall...
Third:
IN THE ORDER LISTED BELOW
Re-boot the system
Post the Combofix Log
Post the MBAM log
Post a new HJT log
Tell us how the system is running.
Fruss Tray Ted
02-04-2009, 03:25 PM
This "RECYCLER" problem is definitely malware. I just ran across the same problem on someone's PC and it affected all of the partitions and folders in 'My Computer'. ~13 autorun.inf files were affected! You could not open anything by clicking it in 'My Computer' but could get to the files via right-click and Explore.
MAL_OTORUN1 and coolplay (Trojan.DNSChanger) were some of the malware files found and eradicated.
All caused by something downloaded via a torrent program.
KStew308
02-04-2009, 05:49 PM
Okay - here goes!
ComboFix 09-02-04.01 - Leigh 2009-02-04 16:35:59.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1663 [GMT -5:00]
Running from: c:\documents and settings\Leigh\My Documents\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
c:\docume~1\Leigh\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Leigh\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Leigh\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\INSTALL.LOG
c:\recycler\S-3-7-12-100020509-100031222-100015025-5110.com
c:\windows\system32\drivers\gaopdxaffluhhn.sys
c:\windows\system32\FTPx.dll
c:\windows\system32\gaopdxgtrnofyk.dll
c:\windows\system32\hgfdge4unjdfdg.dll
c:\windows\system32\MabryObj.dll
c:\windows\Tasks\pelmnycz.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gaopdxserv.sys
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.
2009-02-04 00:26 . 2009-02-04 00:26 <DIR> d-------- c:\program files\Trend Micro
2009-02-04 00:26 . 2009-02-04 00:26 268 --ah----- C:\sqmdata00.sqm
2009-02-04 00:26 . 2009-02-04 00:26 244 --ah----- C:\sqmnoopt00.sqm
2009-02-04 00:25 . 2009-02-04 00:25 <DIR> d-------- C:\HJT
2009-02-02 23:28 . 2009-02-02 23:28 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-02 23:22 . 2009-02-02 23:22 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-02 23:22 . 2009-02-02 23:22 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-02 23:22 . 2009-02-02 23:22 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-02 23:22 . 2009-02-02 23:22 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-02 23:21 . 2009-02-02 23:21 <DIR> d-------- c:\program files\AVG
2009-02-02 23:21 . 2009-02-02 23:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-02 21:20 . 2009-02-02 21:20 0 --ah----- c:\windows\SwSys2.bmp
2009-02-02 21:20 . 2009-02-02 21:20 0 --ah----- c:\windows\SwSys1.bmp
2009-02-01 22:08 . 2009-02-01 22:08 <DIR> d-------- c:\documents and settings\Leigh\Application Data\aicon
2009-02-01 20:53 . 2009-02-01 20:53 <DIR> d-------- c:\program files\LOVE
2009-02-01 16:32 . 2009-02-01 16:32 <DIR> d-------- c:\program files\Lua
2009-02-01 15:46 . 2009-02-01 15:46 <DIR> d-------- c:\documents and settings\Leigh\Application Data\Dev-Cpp
2009-01-27 17:13 . 2009-01-27 17:13 <DIR> d-------- c:\program files\SQLyog Community
2009-01-27 17:13 . 2009-01-27 17:13 <DIR> d-------- c:\documents and settings\Leigh\Application Data\SQLyog
2009-01-27 16:48 . 2009-01-27 16:48 <DIR> d-------- c:\program files\MySQL
2009-01-23 12:31 . 2009-01-23 12:31 <DIR> d-------- c:\documents and settings\Leigh\Application Data\Wings3D
2009-01-21 21:16 . 2009-01-21 21:16 <DIR> d-------- c:\program files\MilkShape 3D 1.8.2
2009-01-21 16:54 . 2009-01-21 16:54 <DIR> d-------- c:\documents and settings\Leigh\Application Data\MilkShape 3D 1.x.x
2009-01-21 15:59 . 2009-01-21 15:59 <DIR> d-------- c:\documents and settings\Leigh\Application Data\PSpad
2009-01-20 16:44 . 2009-01-20 16:44 <DIR> d-------- c:\program files\EQ2MAP Updater
2009-01-19 14:14 . 2009-01-19 14:14 <DIR> d-------- c:\documents and settings\Leigh\Application Data\Blender Foundation
2009-01-18 16:39 . 2002-07-31 19:55 108 ---hs---- c:\windows\WSYS049.SYS
2009-01-18 16:39 . 2001-09-05 12:28 41 ---h----- c:\windows\trfntw32.cfg
2009-01-04 12:02 . 2009-01-04 12:02 <DIR> d-------- c:\program files\Advanced Combat Tracker
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 08:00 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-01 01:29 --------- d-sh--w c:\program files\Common Files\WindowsLiveInstaller
2009-01-01 01:29 --------- d-----w c:\program files\Windows Live
2009-01-01 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-19 02:27 --------- d-----w c:\program files\Common Files\INCA Shared
2008-12-18 22:53 --------- d-----w c:\program files\Pando Networks
2008-12-18 18:50 --------- d-----w c:\program files\Opera
2008-12-18 18:31 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-14 15:29 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-14 15:29 --------- d-----w c:\documents and settings\Leigh\Application Data\Malwarebytes
2008-12-14 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 17:27 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\dllcache\srv.sys
2008-12-07 19:34 --------- d-----w c:\documents and settings\Leigh\Application Data\Twain
2008-12-04 00:59 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:59 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-29 21:49 98,304 ------w c:\documents and settings\Leigh\SysLib.dll
2008-11-23 15:43 13,560 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-06-19 13:11 88 --sh--r c:\documents and settings\All Users\Application Data\C762C8CB38.sys
2008-06-19 13:11 1,056 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-05-23 14:30 940,032 ------w c:\documents and settings\Leigh\dbghelp.dll
2008-05-23 14:30 57,344 ------w c:\documents and settings\Leigh\NTSpecificModule.dll
2008-05-23 14:30 438,272 ------w c:\documents and settings\Leigh\sc.dll
2008-02-20 10:42 2,330,624 ------w c:\documents and settings\Leigh\LaunchPad.exe
2008-06-13 03:55 56 --sh--r c:\windows\system32\38CBC862C7.sys
2006-05-03 10:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w c:\windows\system32\Smab0.dll
.
KStew308
02-04-2009, 05:49 PM
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-02 23:22 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wvmyku.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=c:\windows\pss\$McRebootA5E6DEAA56$.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MultiFrame.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MultiFrame.lnk
backup=c:\windows\pss\MultiFrame.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Leigh^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Leigh\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Leigh^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Leigh\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABLKSR]
--a------ 2006-01-02 19:14 61440 c:\windows\ABLKSR\ABLKSR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACMON]
--a------ 2006-05-30 10:28 811008 c:\program files\ASUS\Splendid\ACMON.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update]
--a------ 2006-02-21 15:20 180224 c:\program files\ASUS\ASUS Live Update\ALU.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATKMEDIA]
--a------ 2006-05-16 16:29 53248 c:\program files\ASUS\ATK Media\DMedia.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2009-02-02 23:21 1601304 c:\progra~1\AVG\AVG8\avgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a------ 2008-10-16 15:27 133104 c:\documents and settings\Leigh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HControl]
--a------ 2006-08-23 07:22 110592 c:\windows\ATK0100\HControl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-02-05 18:09 2577840 c:\program files\Internet Download Manager\IDMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
--a------ 2008-09-14 18:39 705832 c:\program files\Pure Networks\Network Magic\nmapp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
--a------ 2008-09-14 18:38 648488 c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-07-20 05:58 7581696 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-07-20 05:58 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear]
--a------ 2006-03-14 17:46 90112 c:\program files\ASUS\Power4 Gear\BatteryLife.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-08-06 22:11 573440 c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-18 13:31 136600 c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2005-10-20 23:26 761945 c:\program files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 14:49 36352 c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wireless Console 2]
--a------ 2005-10-17 17:09 987136 c:\program files\Wireless Console 2\wcourier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 20:00 110592 c:\windows\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-07-20 05:58 1519616 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"0057311233726398mcinstcleanup"=2 (0x2)
"wampmysqld"=2 (0x2)
"wampapache"=2 (0x2)
"Start BT in service"=2 (0x2)
"npkcmsvc"=2 (0x2)
"nmservice"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"License Management Service ESD"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"Crossfire"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Sony\\EverQuest II\\LaunchPad.exe"=
"c:\\Documents and Settings\\Leigh\\LaunchPad.exe"=
"c:\\Program Files\\Sony\\EverQuest II\\EverQuest2.exe"=
"c:\\Documents and Settings\\Leigh\\My Documents\\Downloads\\Programs\\Conquer_v5039_10_BC.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Java\\JRE6\\BIN\\java.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26105:TCP"= 26105:TCP:BitCometLite 26105 TCP
"26105:UDP"= 26105:UDP:BitCometLite 26105 UDP
"67:UDP"= 67:UDP:DHCP Discovery Service
"20930:TCP"= 20930:TCP:BitCometLite 20930 TCP
"20930:UDP"= 20930:UDP:BitCometLite 20930 UDP
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-02 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-02 107272]
R3 cmvad;ZyXEL NMP-1100W Interface;c:\windows\system32\drivers\cmudaxv.sys [2008-12-12 1410240]
S3 npkycryp;npkycryp;\??\c:\program files\Gravity\Copy of RO\npkycryp.sys --> c:\program files\Gravity\Copy of RO\npkycryp.sys [?]
S4 0057311233726398mcinstcleanup;McAfee Application Installer Cleanup (0057311233726398);c:\docume~1\Leigh\LOCALS~1\Temp\005731~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\Leigh\LOCALS~1\Temp\005731~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-02 903960]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-02 298264]
S4 Crossfire;Crossfire server;c:\program files\Crossfire Server\Crossfire32.exe -srv --> c:\program files\Crossfire Server\Crossfire32.exe -srv [?]
S4 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-12-27 51816]
KStew308
02-04-2009, 05:50 PM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-6-5-43-100015159-100013614-100000506-6073.com c:\
\Shell\Open\command - c:\recycler\S-6-5-43-100015159-100013614-100000506-6073.com c:\
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0857d3f1-224e-11dd-b94e-0015830b9166}]
\Shell\AutoRun\command - E:\t.com
\Shell\explore\Command - E:\t.com
\Shell\open\Command - E:\t.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d17ebd9-23a6-11dd-b94f-0015830b9166}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d17ebda-23a6-11dd-b94f-0015830b9166}]
\Shell\AutoRun\command - F:\t.com
\Shell\explore\Command - F:\t.com
\Shell\open\Command - F:\t.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f673518-180f-11dd-b947-001bfc801b7c}]
\Shell\AutoRun\command - F:\t.com
\Shell\explore\Command - F:\t.com
\Shell\open\Command - F:\t.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a0f872c-beed-11dd-b98b-0015830b9166}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cfe81c26-caf6-11dd-b98e-0018de1f290c}]
\Shell\AutoRun\command - E:\tcauto.exe
\Shell\VERB\COMMAND - E:\tcauto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc1c1957-c9ae-11dc-b912-0018f3cf9416}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-02-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1836929278-579920100-1401729743-1004.job
- c:\documents and settings\Leigh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-16 15:27]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-amva - c:\windows\system32\amvo.exe
MSConfigStartUp-b043dfff - c:\windows\system32\leieqdnw.dll
MSConfigStartUp-GetModule31 - c:\program files\GetModule\GetModule31.exe
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
MSConfigStartUp-PowerForPhone - c:\program files\PowerForPhone\PowerForPhone\PowerForPhone.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
MSConfigStartUp-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe
MSConfigStartUp-Cmaudiow - cmcnfgw.cpl
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.surfentry.com/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 16:37:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\drivers\gaopdxaffluhhn.sys 98304 bytes
c:\windows\system32\drivers\gaopdxwkostyqq.sys 98304 bytes
c:\windows\system32\drivers\gaopdxrrpayxge.sys 98304 bytes
c:\windows\system32\drivers\gaopdxsryarhor.sys 98304 bytes
c:\windows\system32\drivers\gaopdxvtrnemhv.sys 98304 bytes
c:\docume~1\Leigh\LOCALS~1\Temp\gaopdxserv.sys000 0 bytes
c:\docume~1\Leigh\LOCALS~1\Temp\gaopdx000 0 bytes
c:\windows\system32\gaopdxcounter 32768 bytes
c:\windows\system32\gaopdxgtrnofyk.dll 65536 bytes
scan completed successfully
hidden files: 9
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxlamtlrpu.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{57a36397-d2ac-4b28-9a4e-907ec1ab8dd5}]
@Denied: (Full) (Everyone)
"Model"=dword:00000071
"Therad"=dword:0000000f
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,ea,65,3f,e7,98,f9,a7,b2,55,2b,af,d5,80,fa,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):84,da,19,6f,16,be,d1,9b,fd,da,42,05,74,42,ae,92,95,00,27,3c,c4,
14,d7,a2,b3,3c,90,2f,52,3b,0d,1a,55,e3,69,ee,89,05,6b,f9,00,00,00,00,00,00,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):a4,b8,f2,a2,65,dd,66,ad,5f,a7,ed,28,19,f1,3c,1f,11,95,be,0a,83,
70,b7,98,76,ad,1a,c7,55,c6,e8,e6,3a,c7,cc,f4,42,2d,f9,a9,00,00,00,00,00,00,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{e86f8a79-6405-4242-95d9-12c733e9a5cd}]
@Denied: (Full) (Everyone)
"Model"=dword:00000011
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gaopdxlamtlrpu.sys"
.
Completion time: 2009-02-04 16:38:33
ComboFix-quarantined-files.txt 2009-02-04 21:38:34
Pre-Run: 85,428,043,776 bytes free
Post-Run: 85,563,244,544 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
332 --- E O F --- 2009-01-14 08:03:08
KStew308
02-04-2009, 05:51 PM
Now for Malware:
Malwarebytes' Anti-Malware 1.31
Database version: 1499
Windows 5.1.2600 Service Pack 2
2/4/2009 4:26:14 PM
mbam-log-2009-02-04 (16-26-14).txt
Scan type: Quick Scan
Objects scanned: 59398
Time elapsed: 2 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 20
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3116bb0a-bc09-495f-9612-e725b62f412d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3116bb0a-bc09-495f-9612-e725b62f412d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a988dea3-798b-4cc1-adbf-4b36f3c2b9c7}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfa2dcf4-428f-4c89-a039-e449f3cb6659}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cfa2dcf4-428f-4c89-a039-e449f3cb6659}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3116bb0a-bc09-495f-9612-e725b62f412d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3116bb0a-bc09-495f-9612-e725b62f412d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a988dea3-798b-4cc1-adbf-4b36f3c2b9c7}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cfa2dcf4-428f-4c89-a039-e449f3cb6659}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cfa2dcf4-428f-4c89-a039-e449f3cb6659}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{3116bb0a-bc09-495f-9612-e725b62f412d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{3116bb0a-bc09-495f-9612-e725b62f412d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{a988dea3-798b-4cc1-adbf-4b36f3c2b9c7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{a988dea3-798b-4cc1-adbf-4b36f3c2b9c7}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{cfa2dcf4-428f-4c89-a039-e449f3cb6659}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{cfa2dcf4-428f-4c89-a039-e449f3cb6659}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
KStew308
02-04-2009, 05:55 PM
And HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:07 PM, on 2/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Leigh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Leigh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Leigh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surfentry.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.asus.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll
O20 - AppInit_DLLs: wvmyku.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
--
End of file - 5044 bytes
------
As for how the system is going, the C:/ drive link is working fine... but wow, that was a lot of junk! Thank you all for your help ... so far? I don't know if there's still more to do, so I won't get ahead of myself (:
@Fruss Tray Ted - Ugh, torrents. I heard stories about them before I ever met them, so I've never run into any of the trouble with those. However, I won't lie... I do download from Rapidshare from time to time, so it doesn't surprise me that I picked up all this junk in a search. sigh
You aren't out of the woods yet...
Some of these have been deleted but probably not all of them.
c:\windows\system32\drivers\gaopdxaffluhhn.sys 98304 bytes
c:\windows\system32\drivers\gaopdxwkostyqq.sys 98304 bytes
c:\windows\system32\drivers\gaopdxrrpayxge.sys 98304 bytes
c:\windows\system32\drivers\gaopdxsryarhor.sys 98304 bytes
c:\windows\system32\drivers\gaopdxvtrnemhv.sys 98304 bytes
c:\docume~1\Leigh\LOCALS~1\Temp\gaopdxserv.sys000 0 bytes
c:\docume~1\Leigh\LOCALS~1\Temp\gaopdx000 0 bytes
c:\windows\system32\gaopdxcounter 32768 bytes
c:\windows\system32\gaopdxgtrnofyk.dll 65536 bytes
So run both programs, again...
There are other bits and pieces that will probably need manual removal, so after a fresh round of logs we'll look at those.
KStew308
02-05-2009, 10:51 PM
ComboFix 09-02-05.01 - Leigh 2009-02-05 21:38:34.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1530 [GMT -5:00]
Running from: c:\documents and settings\Leigh\My Documents\Downloads\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\gaopdxaffluhhn.sys
c:\windows\system32\drivers\gaopdxrrpayxge.sys
c:\windows\system32\drivers\gaopdxsryarhor.sys
c:\windows\system32\drivers\gaopdxvtrnemhv.sys
c:\windows\system32\drivers\gaopdxwkostyqq.sys
c:\windows\system32\gaopdxgtrnofyk.dll
.
((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.
2009-02-04 19:08 . 2009-02-04 19:08 <DIR> d--hs---- C:\FOUND.000
2009-02-04 00:26 . 2009-02-04 00:26 <DIR> d-------- c:\program files\Trend Micro
2009-02-04 00:26 . 2009-02-04 00:26 268 --ah----- C:\sqmdata00.sqm
2009-02-04 00:26 . 2009-02-04 00:26 244 --ah----- C:\sqmnoopt00.sqm
2009-02-04 00:25 . 2009-02-04 00:25 <DIR> d-------- C:\HJT
2009-02-02 23:28 . 2009-02-02 23:28 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-02 23:22 . 2009-02-02 23:22 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-02 23:22 . 2009-02-02 23:22 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-02 23:22 . 2009-02-02 23:22 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-02 23:22 . 2009-02-02 23:22 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-02 23:21 . 2009-02-02 23:21 <DIR> d-------- c:\program files\AVG
2009-02-02 23:21 . 2009-02-02 23:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-02 22:00 . 2009-02-04 16:34 4 --a------ c:\windows\system32\gaopdxcounter
2009-02-02 21:20 . 2009-02-02 21:20 0 --ah----- c:\windows\SwSys2.bmp
2009-02-02 21:20 . 2009-02-02 21:20 0 --ah----- c:\windows\SwSys1.bmp
2009-02-01 22:08 . 2009-02-01 22:08 <DIR> d-------- c:\documents and settings\Leigh\Application Data\aicon
2009-02-01 20:53 . 2009-02-01 20:53 <DIR> d-------- c:\program files\LOVE
2009-02-01 16:32 . 2009-02-01 16:32 <DIR> d-------- c:\program files\Lua
2009-02-01 15:46 . 2009-02-01 15:46 <DIR> d-------- c:\documents and settings\Leigh\Application Data\Dev-Cpp
2009-01-31 22:34 . 2009-01-31 22:34 <DIR> d-------- c:\program files\Quest3D
2009-01-27 17:13 . 2009-01-27 17:13 <DIR> d-------- c:\program files\SQLyog Community
2009-01-27 17:13 . 2009-01-27 17:13 <DIR> d-------- c:\documents and settings\Leigh\Application Data\SQLyog
2009-01-27 16:48 . 2009-01-27 16:48 <DIR> d-------- c:\program files\MySQL
2009-01-23 12:31 . 2009-01-23 12:31 <DIR> d-------- c:\documents and settings\Leigh\Application Data\Wings3D
2009-01-21 21:16 . 2009-01-21 21:16 <DIR> d-------- c:\program files\MilkShape 3D 1.8.2
2009-01-21 16:54 . 2009-01-21 16:54 <DIR> d-------- c:\documents and settings\Leigh\Application Data\MilkShape 3D 1.x.x
2009-01-21 15:59 . 2009-01-21 15:59 <DIR> d-------- c:\documents and settings\Leigh\Application Data\PSpad
2009-01-20 16:44 . 2009-01-20 16:44 <DIR> d-------- c:\program files\EQ2MAP Updater
2009-01-19 14:14 . 2009-01-19 14:14 <DIR> d-------- c:\documents and settings\Leigh\Application Data\Blender Foundation
2009-01-18 16:39 . 2002-07-31 19:55 108 ---hs---- c:\windows\WSYS049.SYS
2009-01-18 16:39 . 2001-09-05 12:28 41 ---h----- c:\windows\trfntw32.cfg
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 17:02 --------- d-----w c:\program files\Advanced Combat Tracker
2009-01-01 08:00 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-01 01:29 --------- d-sh--w c:\program files\Common Files\WindowsLiveInstaller
2009-01-01 01:29 --------- d-----w c:\program files\Windows Live
2009-01-01 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-19 02:27 --------- d-----w c:\program files\Common Files\INCA Shared
2008-12-18 22:53 --------- d-----w c:\program files\Pando Networks
2008-12-18 18:50 --------- d-----w c:\program files\Opera
2008-12-18 18:31 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-14 15:29 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-14 15:29 --------- d-----w c:\documents and settings\Leigh\Application Data\Malwarebytes
2008-12-14 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-12 17:27 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\dllcache\srv.sys
2008-12-07 19:34 --------- d-----w c:\documents and settings\Leigh\Application Data\Twain
2008-11-29 21:49 98,304 ------w c:\documents and settings\Leigh\SysLib.dll
2008-11-23 15:43 13,560 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-06-19 13:11 88 --sh--r c:\documents and settings\All Users\Application Data\C762C8CB38.sys
2008-06-19 13:11 1,056 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-05-23 14:30 940,032 ------w c:\documents and settings\Leigh\dbghelp.dll
2008-05-23 14:30 57,344 ------w c:\documents and settings\Leigh\NTSpecificModule.dll
2008-05-23 14:30 438,272 ------w c:\documents and settings\Leigh\sc.dll
2008-02-20 10:42 2,330,624 ------w c:\documents and settings\Leigh\LaunchPad.exe
2008-06-13 03:55 56 --sh--r c:\windows\system32\38CBC862C7.sys
2006-05-03 10:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w c:\windows\system32\Smab0.dll
.
KStew308
02-05-2009, 10:52 PM
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-02-05 2577840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-05-16 53248]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-20 761945]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-08-23 110592]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MultiFrame.lnk - c:\program files\ASUS\Asus MultiFrame\MultiFrame.exe [2007-12-05 491520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-02 23:22 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wvmyku.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=c:\windows\pss\$McRebootA5E6DEAA56$.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Leigh^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=c:\documents and settings\Leigh\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Leigh^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Leigh\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Leigh^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Leigh\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABLKSR]
--a------ 2006-01-02 19:14 61440 c:\windows\ABLKSR\ABLKSR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACMON]
--a------ 2006-05-30 10:28 811008 c:\program files\ASUS\Splendid\ACMON.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update]
--a------ 2006-02-21 15:20 180224 c:\program files\ASUS\ASUS Live Update\ALU.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2009-02-02 23:21 1601304 c:\progra~1\AVG\AVG8\avgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a------ 2008-10-16 15:27 133104 c:\documents and settings\Leigh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-02-05 18:09 2577840 c:\program files\Internet Download Manager\IDMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
--a------ 2008-09-14 18:39 705832 c:\program files\Pure Networks\Network Magic\nmapp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
--a------ 2008-09-14 18:38 648488 c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-07-20 05:58 7581696 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-07-20 05:58 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power_Gear]
--a------ 2006-03-14 17:46 90112 c:\program files\ASUS\Power4 Gear\BatteryLife.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-08-06 22:11 573440 c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-18 13:31 136600 c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 14:49 36352 c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wireless Console 2]
--a------ 2005-10-17 17:09 987136 c:\program files\Wireless Console 2\wcourier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 20:00 110592 c:\windows\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-07-20 05:58 1519616 c:\windows\system32\nwiz.exe
KStew308
02-05-2009, 10:52 PM
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"0057311233726398mcinstcleanup"=2 (0x2)
"wampmysqld"=2 (0x2)
"wampapache"=2 (0x2)
"Start BT in service"=2 (0x2)
"npkcmsvc"=2 (0x2)
"nmservice"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"License Management Service ESD"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"Crossfire"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"WebClient"=2 (0x2)
"VSS"=3 (0x3)
"upnphost"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanserver"=2 (0x2)
"wscsvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RSVP"=3 (0x3)
"Spooler"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"SysmonLog"=3 (0x3)
"Nla"=3 (0x3)
"mnmsrvc"=3 (0x3)
"SwPrv"=3 (0x3)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"TrkWks"=2 (0x2)
"Dnscache"=2 (0x2)
"BITS"=3 (0x3)
"ALG"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Sony\\EverQuest II\\LaunchPad.exe"=
"c:\\Documents and Settings\\Leigh\\LaunchPad.exe"=
"c:\\Program Files\\Sony\\EverQuest II\\EverQuest2.exe"=
"c:\\Documents and Settings\\Leigh\\My Documents\\Downloads\\Programs\\Conquer_v5039_10_BC.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Java\\JRE6\\BIN\\java.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26105:TCP"= 26105:TCP:BitCometLite 26105 TCP
"26105:UDP"= 26105:UDP:BitCometLite 26105 UDP
"67:UDP"= 67:UDP:DHCP Discovery Service
"20930:TCP"= 20930:TCP:BitCometLite 20930 TCP
"20930:UDP"= 20930:UDP:BitCometLite 20930 UDP
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-02 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-02 107272]
R3 cmvad;ZyXEL NMP-1100W Interface;c:\windows\system32\drivers\cmudaxv.sys [2008-12-12 1410240]
S3 npkycryp;npkycryp;\??\c:\program files\Gravity\Copy of RO\npkycryp.sys --> c:\program files\Gravity\Copy of RO\npkycryp.sys [?]
S4 0057311233726398mcinstcleanup;McAfee Application Installer Cleanup (0057311233726398);c:\docume~1\Leigh\LOCALS~1\Temp\005731~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\Leigh\LOCALS~1\Temp\005731~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-02 903960]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-02 298264]
S4 Crossfire;Crossfire server;c:\program files\Crossfire Server\Crossfire32.exe -srv --> c:\program files\Crossfire Server\Crossfire32.exe -srv [?]
S4 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-12-27 51816]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-6-5-43-100015159-100013614-100000506-6073.com c:\
\Shell\Open\command - c:\recycler\S-6-5-43-100015159-100013614-100000506-6073.com c:\
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0857d3f1-224e-11dd-b94e-0015830b9166}]
\Shell\AutoRun\command - E:\t.com
\Shell\explore\Command - E:\t.com
\Shell\open\Command - E:\t.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d17ebd9-23a6-11dd-b94f-0015830b9166}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d17ebda-23a6-11dd-b94f-0015830b9166}]
\Shell\AutoRun\command - F:\t.com
\Shell\explore\Command - F:\t.com
\Shell\open\Command - F:\t.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f673518-180f-11dd-b947-001bfc801b7c}]
\Shell\AutoRun\command - F:\t.com
\Shell\explore\Command - F:\t.com
\Shell\open\Command - F:\t.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a0f872c-beed-11dd-b98b-0015830b9166}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cfe81c26-caf6-11dd-b98e-0018de1f290c}]
\Shell\AutoRun\command - E:\tcauto.exe
\Shell\VERB\COMMAND - E:\tcauto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc1c1957-c9ae-11dc-b912-0018f3cf9416}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-02-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1836929278-579920100-1401729743-1004.job
- c:\documents and settings\Leigh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-16 15:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.surfentry.com/
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 21:39:57
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{57a36397-d2ac-4b28-9a4e-907ec1ab8dd5}]
@Denied: (Full) (Everyone)
"Model"=dword:00000071
"Therad"=dword:0000000f
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,ea,65,3f,e7,98,f9,a7,b2,55,2b,af,d5,80,fa,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):84,da,19,6f,16,be,d1,9b,fd,da,42,05,74,42,ae,92,95,00,27,3c,c4,
14,d7,a2,b3,3c,90,2f,52,3b,0d,1a,55,e3,69,ee,89,05,6b,f9,00,00,00,00,00,00,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):a4,b8,f2,a2,65,dd,66,ad,5f,a7,ed,28,19,f1,3c,1f,11,95,be,0a,83,
70,b7,98,76,ad,1a,c7,55,c6,e8,e6,3a,c7,cc,f4,42,2d,f9,a9,00,00,00,00,00,00,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{e86f8a79-6405-4242-95d9-12c733e9a5cd}]
@Denied: (Full) (Everyone)
"Model"=dword:00000011
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
Completion time: 2009-02-05 21:40:51
ComboFix-quarantined-files.txt 2009-02-06 02:40:50
ComboFix2.txt 2009-02-04 21:38:36
Pre-Run: 85,352,382,464 bytes free
Post-Run: 85,341,700,096 bytes free
312 --- E O F --- 2009-01-14 08:03:08
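The MountPoints2 block in the log above is the part worth understanding. Explorer caches each volume's autorun.inf verbs under HKCU\...\Explorer\MountPoints2, keyed by drive letter and by volume GUID, and it runs the cached Shell\open\command when the drive is double-clicked. That is why opening C: launched the file in RECYCLER instead of showing the folder, and why editing the values by hand does not remove the launcher on disk: the cache is simply rebuilt from the volume's autorun.inf. The Python below is an added example, not part of this thread and not code from ComboFix. It parses the MountPoints2 section of a ComboFix-style log (the sample lines are copied from the log above) and flags the entries a triage would treat as hijacked: a launcher under RECYCLER, a file named like a Windows SID, an indirect launch through RunDLL32 Shell32.DLL,ShellExec_RunDLL, and the open/explore verbs being redirected to the same file as AutoRun. The rule set, the function names and the output format are my own choices; the U3 entry (AutoRun only, LaunchU3.exe -a) is included as the legitimate case that should not be flagged.

```python
import re
from collections import defaultdict

# Sample copied from the MountPoints2 section of the ComboFix log above.
# Single-letter keys are drive letters; the brace keys are volume GUIDs.
SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-6-5-43-100015159-100013614-100000506-6073.com c:\
\Shell\Open\command - c:\recycler\S-6-5-43-100015159-100013614-100000506-6073.com c:\
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0857d3f1-224e-11dd-b94e-0015830b9166}]
\Shell\AutoRun\command - E:\t.com
\Shell\explore\Command - E:\t.com
\Shell\open\Command - E:\t.com
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]\s*$")
# ComboFix prints each cached verb as "\Shell\<verb>\command - <command line>"
ENTRY_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+?)\s*$", re.IGNORECASE)
# Launchers in this worm family are named like a Windows SID: S-a-b-c-...-n.com
SID_NAME_RE = re.compile(r"s-\d+-\d+-\d+(?:-\d+)+\.(?:com|exe|scr|pif|bat)", re.IGNORECASE)


def parse_mountpoints(text):
    """Yield (volume, verb, command) for every Shell verb cached under MountPoints2."""
    volume = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            # the last path component is the drive letter or the volume GUID
            volume = key.rsplit("\\", 1)[-1] if "mountpoints2" in key.lower() else None
            continue
        m = ENTRY_RE.match(line)
        if m and volume is not None:
            yield volume, m.group("verb").lower(), m.group("cmd")


def entry_reasons(verb, cmd):
    """Heuristics for one cached verb; an empty list means nothing stood out."""
    c = cmd.lower()
    reasons = []
    if "recycler\\" in c:
        reasons.append("launcher lives under RECYCLER")
    if SID_NAME_RE.search(c):
        reasons.append("SID-style file name")
    if "shellexec_rundll" in c:
        # RunDLL32 Shell32.DLL,ShellExec_RunDLL <file> launches a non-.exe
        # (here a .com) without naming it as the process image
        reasons.append("indirect launch via ShellExec_RunDLL")
    if verb in ("open", "explore"):
        # a genuine autorun.inf only needs AutoRun; overriding open/explore is
        # what makes a double-click on the drive run the payload
        reasons.append(f"Explorer '{verb}' verb redirected")
    return reasons


def analyze(text):
    """Return one finding per cached verb, with the reasons it was flagged."""
    entries = list(parse_mountpoints(text))
    redirected = defaultdict(set)
    for vol, verb, cmd in entries:
        if verb in ("open", "explore"):
            redirected[vol].add(cmd.lower())
    findings = []
    for vol, verb, cmd in entries:
        reasons = entry_reasons(verb, cmd)
        if verb == "autorun" and cmd.lower() in redirected[vol]:
            reasons.append("same launcher also bound to open/explore")
        findings.append({"volume": vol, "verb": verb, "command": cmd, "reasons": reasons})
    return findings


def suspicious(text):
    """Only the findings that have at least one reason."""
    return [f for f in analyze(text) if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious(SAMPLE):
        print(f"{f['volume']:<40} {f['verb']:<8} {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the sample this flags both C: verbs and all three verbs of the t.com volume, and leaves the LaunchU3.exe entry alone. The same rules apply unchanged to a `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /s` dump from a live machine once the key/verb lines are fed through the parser, but the fix is on the volume, not in the registry: the autorun.inf and the launcher it points to have to go before the cache stops coming back.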
KStew308
02-05-2009, 10:54 PM
Malwarebytes' Anti-Malware 1.31
Database version: 1499
Windows 5.1.2600 Service Pack 2
2/5/2009 7:39:16 PM
mbam-log-2009-02-05 (19-39-16).txt
Scan type: Quick Scan
Objects scanned: 50872
Time elapsed: 2 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
----
*lol* Somehow in all of this, my sound / speakers have gotten disabled... trying to figure out how I managed that one. heh (:
I still need the HJT log.
And if you have anything disabled with MSConfig, re-enable it and run ComboFix again.
nimo23
10-21-2010, 04:58 AM
Yeah, indeed, the RECYCLER virus is a bloody stupid threat. I have discovered that almost all of the PCs in our office were infected with it. Just uncheck "Hide protected operating system files" in Folder Options, then view and you will see the RECYCLER and System Volume Information folders. Oops, do not delete them, because you are just wasting your time.
Check this guide from Bennix Computer Tips on how to remove the RECYCLER virus:
http://bennixcomputertips.blogspot.com/2010/08/how-to-remove-recycler-virus.html
Good Luck!