
History of Mal/Obfus-A, Busky!generic, virtumonde, etc. Please help?



J. Lynn
2007-11-10, 18:50
Before I post the logs for HijackThis and Kaspersky, I feel I should mention that I have scanned this computer using SpySweeper, which found that I was infected with Mal/Obfus-A (quarantine failed), and CA Internet Security Suite, which found an infection of the Busky!generic trojan yet provided no option for removal. Both programs have also scanned in safe mode, but no infections were found. (I have since uninstalled SpySweeper, by the way...)

As it stands I am fairly certain I am still infected with the above viruses, but Spybot Search & Destroy is unable to locate either (though it located several others that I promptly removed yesterday, including the dreaded virtumonde).

Any help would be tremendously appreciated!

Thanks in advance,
Jess

______________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:51 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\GtDetectSc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\NETGEAR\SC101 Manager Utility\ZeteraService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7B19DB54-14B3-4657-A400-F9E08B6A97B6} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series (USB) on CHROWMMAXTOR] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P57 "Auto EPSON Stylus Photo R200 Series (USB) on CHROWMMAXTOR" /O23 "\\CHROWMMAXTOR\EPSONSty" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [\\chrowmmaxtor\EPSON Stylus Photo R200 Series (Copy 1)] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P54 "\\chrowmmaxtor\EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O20 - Winlogon Notify: winjyp32 - C:\WINDOWS\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Zetera - Zetera Corporation - C:\Program Files\NETGEAR\SC101 Manager Utility\ZeteraService.exe

--
End of file - 11135 bytes

______________________________________________

Also, the Kaspersky log seemed fairly long (IMO), so I went ahead and saved the html version and hosted it on my server in hopes it would make it easier to look over. If that is not okay, I will post it in another format if requested.

Kaspersky report can be found here: http://merelycryptical.com/kaspersky_report.html

steamwiz
2007-11-10, 19:35
Hi

It would help if you can tell us the name of the file & location of Mal/Obfus-A found by SpySweeper...

& the same for CA Internet Security Suite & Busky!generic trojan ...

Your hijackthis shows a couple of orphan registry keys ...

Your Kaspersky log is in fact quite short as far as Kaspersky logs go ... & clean ... infections are only shown in system restore ... fine as long as you don't perform a system restore ... even so, the infections are nothing serious ... you just need to clear your restore points to clean them out ...

Disconnect from the internet. Close ALL browser windows (including this one) - run HijackThis and tick to fix (check the box next to) the list below ......... when all are ticked (checked) click the Fix Checked button at the bottom. :-

O2 - BHO: (no name) - {7B19DB54-14B3-4657-A400-F9E08B6A97B6} - (no file)

O20 - Winlogon Notify: winjyp32 - C:\WINDOWS\


THEN ...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.

1. Double click on ComboFix.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post :-


1. SUPERAntiSpyware Scan Log
2. C:\ComboFix.txt
3. a new hijackthis log.( run after everything else)

steam
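
An added example, not code from this thread or from HijackThis, ComboFix or any other tool named in it: a small Python script that applies the two checks steamwiz makes above. It flags HijackThis entries whose target reads "(no file)" and O20 Winlogon Notify entries whose target is not a DLL path (both orphan loading points), and it recognises a detection path inside a System Volume Information\_RESTORE{...}\RPnnn folder as a restore-point copy rather than a live file, which is why purging restore points is the fix. The sample lines are copied from the logs posted in this thread; the flagging rules are the example's own heuristics, not those of any scanner.

```python
"""Triage helpers for HijackThis entries and antivirus detection paths.

Added example, not part of the original thread. The rules below are this
example's own heuristics; the sample lines are taken from the posted logs.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a handful of lines from the HijackThis log in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B19DB54-14B3-4657-A400-F9E08B6A97B6} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: winjyp32 - C:\WINDOWS\
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

# A HijackThis line starts with a section code such as O2, O20, R1, F2.
HJT_LINE = re.compile(r"^(?P<code>[ORF]\d+) - (?P<body>.*)$")

# A file inside a System Restore point: ...\System Volume Information\_RESTORE{GUID}\RPnnn\...
RESTORE_POINT = re.compile(
    r"system volume information\\_restore\{[0-9a-f-]+\}\\rp(?P<rp>\d+)\\",
    re.IGNORECASE,
)


def classify_hjt_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for an orphan/suspect entry, or None for a normal one.

    Heuristics (the example's own):
      * any entry whose target is "(no file)" is an orphan registry key;
      * an O20 Winlogon Notify entry should name a .dll; a bare directory or
        any other non-DLL target means the key is a leftover loading point.
    """
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    # The target is whatever follows the last " - " separator on the line.
    target = body.rsplit(" - ", 1)[-1].strip()
    if target == "(no file)":
        return {"code": code, "line": line.strip(),
                "reason": "target file missing (orphan key)"}
    if code == "O20" and not target.lower().endswith(".dll"):
        return {"code": code, "line": line.strip(),
                "reason": "Winlogon Notify target is not a DLL path (orphan loading point)"}
    return None


def scan_hjt(text: str) -> List[Dict[str, str]]:
    """Run classify_hjt_line over every line of a HijackThis log."""
    findings = []
    for line in text.splitlines():
        finding = classify_hjt_line(line)
        if finding:
            findings.append(finding)
    return findings


def classify_detection_path(path: str) -> Dict[str, str]:
    """Say whether a scanner hit lives in a restore point or on the live system."""
    m = RESTORE_POINT.search(path)
    if m:
        return {"location": "restore_point", "restore_point": "RP" + m.group("rp"),
                "action": "not active; purge restore points (System Restore off, then on)"}
    return {"location": "live",
            "action": "file is on the running system; quarantine and investigate"}


if __name__ == "__main__":
    for f in scan_hjt(SAMPLE_HJT):
        print(f"{f['code']}: {f['reason']}\n    {f['line']}")
    busky = (r"C:\SYSTEM VOLUME INFORMATION"
             r"\_RESTORE{ECB59046-3A52-4DAC-A60C-958731DCEC37}\RP167\A0033076.DLL")
    print(classify_detection_path(busky))
    print(classify_detection_path(r"C:\WINDOWS\SYSTEM32\MCRH.TMP"))
```

Run against the full first HijackThis log above, the script flags exactly the two lines steamwiz asks to fix; the Busky!generic path resolves to restore point RP167, a dormant copy, while a hit under C:\WINDOWS\SYSTEM32 is a live file that needs quarantining.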

J. Lynn
2007-11-10, 22:59
Thank you so much for taking the time to help!

I can't seem to locate Mal/Obfus-A. When SpySweeper was installed, it only periodically detected it, but always failed on quarantining. It seems as if it's mastered hiding itself from most scan engines... and because I uninstalled SS, I lost the old scan logs so I can't even reference that. :oops:

I do have the location for Busky!generic virus, though...

Win32/Busky!generic
Filename: A0033076.DLL
Location: C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECB59046-3A52-4DAC-A60C-958731DCEC37}\RP167\

Here are the requested logs for SUPERAntiSpyware, ComboFix and HijackThis:

_________________________________________________________________________________

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/10/2007 at 04:16 PM

Application Version : 3.9.1008

Core Rules Database Version : 3342
Trace Rules Database Version: 1343

Scan type : Complete Scan
Total Scan Time : 02:13:49

Memory items scanned : 473
Memory threats detected : 0
Registry items scanned : 5296
Registry threats detected : 0
File items scanned : 82477
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\Jessica Lynn\Cookies\jessica lynn@html[1].txt

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP

_________________________________________________________________________________

ComboFix 07-11-08.3 - Jessica Lynn 2007-11-10 16:34:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1467 [GMT -5:00]
Running from: C:\Documents and Settings\Jessica Lynn\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jessica Lynn\Application Data\macromedia\Flash Player\#SharedObjects\47RU84XA\www.broadcaster.com
C:\Documents and Settings\Jessica Lynn\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Jessica Lynn\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Jessica Lynn\g2mdlhlpx.exe
C:\Program Files\Common Files\{2CC2E~1
C:\WINDOWS\system32\x64

.
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-10 16:34 53,248 --a------ C:\Temp\yobkllrwTUS.dll
2007-11-10 16:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 16:25 146,672 --a------ C:\Temp\SSUPDATE.EXE
2007-11-10 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-10 13:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-10 13:54 <DIR> d-------- C:\Documents and Settings\Jessica Lynn\Application Data\SUPERAntiSpyware.com
2007-11-10 10:48 <DIR> d-------- C:\Temp\Online Scanner mail files
2007-11-09 21:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-09 21:55 <DIR> d-------- C:\Temp\KAV Updater update files
2007-11-09 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-09 18:39 <DIR> d-------- C:\Temp\0x26C7DE08
2007-11-08 18:37 <DIR> d-------- C:\Temp\0x21A07868
2007-11-07 19:07 <DIR> d-------- C:\Temp\0x1C94F768
2007-11-07 03:06 <DIR> d-------- C:\Temp\0x19253890
2007-11-06 15:54 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-11-05 21:32 <DIR> d-------- C:\Temp\0x12CDA3D8
2007-11-02 21:52 <DIR> d-------- C:\Temp\0x036C71F8
2007-11-01 21:51 <DIR> d-------- C:\Temp\0xFE450488
2007-10-31 22:14 <DIR> d-------- C:\Temp\WERb80c.dir00
2007-10-31 17:42 <DIR> d-------- C:\Temp\0xF83ADC20
2007-10-31 09:41 <DIR> d-------- C:\Temp\0xF682C410
2007-10-31 02:01 <DIR> d-------- C:\Temp\WERf10b.dir00
2007-10-30 23:34 <DIR> d-------- C:\Temp\0xF456C038
2007-10-30 23:25 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-10-30 23:25 <DIR> d-------- C:\Program Files\CA
2007-10-30 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2007-10-30 23:25 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-10-30 23:25 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-10-30 23:25 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2007-10-30 23:25 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2007-10-30 23:25 75,016 --a------ C:\WINDOWS\system32\isafprod.dll
2007-10-30 23:25 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-10-30 23:25 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-10-30 23:25 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-10-30 23:25 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-10-25 17:46 <DIR> d-------- C:\Temp\plugtmp-14
2007-10-24 09:52 <DIR> d-------- C:\Temp\plugtmp-13
2007-10-21 10:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-20 08:43 <DIR> d-------- C:\Program Files\a-squared Free
2007-10-19 22:47 <DIR> d-------- C:\Temp\plugtmp-12
2007-10-19 11:00 <DIR> d-------- C:\Temp\CitrixLogs
2007-10-19 11:00 <DIR> d-------- C:\Program Files\Citrix
2007-10-13 16:14 <DIR> d-------- C:\Temp\plugtmp-11

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 21:24 --------- d-----w C:\Documents and Settings\Jessica Lynn\Application Data\WTablet
2007-11-10 21:23 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-11-10 21:23 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-11-10 21:23 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-11-10 21:23 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-11-10 21:23 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-11-10 21:23 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-11-10 21:23 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-11-10 21:23 53,350 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-11-10 18:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-08 15:30 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2007-10-27 15:14 --------- d-----w C:\Documents and Settings\Guest\Application Data\WTablet
2007-10-22 05:22 --------- d-----w C:\Documents and Settings\Jessica Lynn\Application Data\Move Networks
2007-10-21 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-21 02:38 --------- d-----w C:\Program Files\PageBreeze
2007-10-21 02:38 --------- d-----w C:\Program Files\AWS
2007-10-14 04:27 164 ----a-w C:\install.dat
2007-09-28 17:32 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-09-28 17:32 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-09-24 13:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-24 13:56 --------- d-----w C:\Program Files\NETGEAR
2007-09-14 21:48 --------- d-----w C:\Documents and Settings\Jessica Lynn\Application Data\U3
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-06-05 18:00 69,272 ----a-w C:\Documents and Settings\Jessica Lynn\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-02 19:53]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-02 19:53]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-02 19:53]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 02:00]
"Auto EPSON Stylus Photo R200 Series (USB) on CHROWMMAXTOR"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 02:00]
"\\chrowmmaxtor\EPSON Stylus Photo R200 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 02:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-18 18:19]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 21:25]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-10-30 23:25]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 12:42]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-08-14 09:06]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-08-14 09:06]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-08-14 09:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 13:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Suitcase Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Suitcase Startup.lnk
backup=C:\WINDOWS\pss\Suitcase Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R0 ZetSFD;ZetSFD;C:\WINDOWS\system32\DRIVERS\ZetSFD.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R2 GtDetectSc;GT Detect;C:\WINDOWS\system32\GtDetectSc.exe
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 SFSZ;DataPlow SFS for Zetera Storage Devices;C:\WINDOWS\system32\drivers\sfsz.sys
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 Zetera;Zetera;C:\Program Files\NETGEAR\SC101 Manager Utility\ZeteraService.exe
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
R3 ZetBus;Zetera Virtual Bus;C:\WINDOWS\system32\DRIVERS\ZetBus.sys
R3 ZetMPD;ZetMPD;C:\WINDOWS\system32\DRIVERS\ZetMPD.sys
S3 GTFFBUS;GT FF BUS;C:\WINDOWS\system32\DRIVERS\gtffbus.sys
S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;C:\WINDOWS\system32\DRIVERS\Gtm51Irp.sys
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys
S3 GTUQBUS;GT UQ BUS;C:\WINDOWS\system32\DRIVERS\gtuqbus.sys
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\PCTINDIS5.SYS
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{197caa0c-5cae-11dc-8dea-0012f03cc41a}]
\Shell\AutoRun\command - H:\LaunchU3.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2007-10-31 05:49:33 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Jessica Lynn at 12 25 AM.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 16:40:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\chrowmmaxtor\\EPSON Stylus Photo R200 Series (Copy 1)"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE\" /P54 \"\\\\chrowmmaxtor\\EPSON Stylus Photo R200 Series (Copy 1)\" /O6 \"USB001\" /M \"Stylus Photo R200\""
.
Completion time: 2007-11-10 16:42:23
.
--- E O F ---

J. Lynn
2007-11-10, 23:00
(cont...)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:44 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\GtDetectSc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\NETGEAR\SC101 Manager Utility\ZeteraService.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series (USB) on CHROWMMAXTOR] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P57 "Auto EPSON Stylus Photo R200 Series (USB) on CHROWMMAXTOR" /O23 "\\CHROWMMAXTOR\EPSONSty" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [\\chrowmmaxtor\EPSON Stylus Photo R200 Series (Copy 1)] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" /P54 "\\chrowmmaxtor\EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Zetera - Zetera Corporation - C:\Program Files\NETGEAR\SC101 Manager Utility\ZeteraService.exe

--
End of file - 11215 bytes

steamwiz
2007-11-11, 20:50
Hi



I do have the location for Busky!generic virus, though...

Win32/Busky!generic
Filename: A0033076.DLL
Location: C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECB59046-3A52-4DAC-A60C-958731DCEC37}\RP167\


Well, that's in a restore point ... it's easily dealt with, & OK where it is as long as you don't perform a system restore ...

Do you think the Mal/Obfus-A may have been in system restore as well ?

You have a lot of files\folders in the C:\Temp folder ... most of these are randomly named, so there is no way of knowing what they are, without going very deeply into it...

Temp folders are basically used so that programs can be downloaded to them, files extracted to them, in order to install \update programs on your computer ... once this has been done the files in the temp folders are no longer required ... so with this in mind I'm going to get you to delete that temp folder, & therefore all the files/folders in it ...

This...

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)


Shows a restriction in your registry, which looks as though you are only able to use the ClassicControlPanel (NO XP ControlPanel) ... are you aware of this ? ... did you maybe set it up yourself ? or do you want the restriction removing ?

I'll wait for your reply on this before proceeding ...

steam

J. Lynn
2007-11-12, 02:22
Hi

This...

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)


Shows a restriction in your registry, which looks as though you are only able to use the ClassicControlPanel (NO XP ControlPanel) ... are you aware of this ? ... did you maybe set it up yourself ? or do you want the restriction removing ?



Hi, thanks for getting back to me.

Not quite sure what to make of the control panel issue. When you say classic vs. XP, is that referring to the appearance? I have my control panel set to show all applications rather than the typical grouping that XP defaults as... just a preference for viewing. But maybe I misunderstood? Let me know.

Also, it's possible Mal/Obfus-A was in a restore point, but I thought at one point it was the reason I was having a random alert come up on occasion stating, "your computer has been running slower than normal, it may be infected with viruses..." trying to prompt me to scan it with some sham software... but I haven't had a problem with that for at least a couple of weeks. Much like the virus, it suddenly quit appearing without me physically quarantining or removing it. I may have to put that virus aside on the priority list until I can find out where it's located...

I went ahead and tried to delete the files in my temp folder and was halted because some files were in use at the time, I will go ahead and delete them in safe mode when I'm finished with this post... I don't suspect I will have any trouble...

What do you recommend I do with the registry restriction and do you think it's really a concern?

And... should I go ahead and clear out my restore points? Or wait?

Just let me know when you get a chance. I really appreciate how helpful you've been so far, thank you again! :bigthumb:

steamwiz
2007-11-12, 21:01
Hi

Yes ... the Control Panel keys I referenced refer to the appearance ...

When you go to Start > Control Panel ... & Control Panel opens ... on the left hand side, do you have an option to go to Category view .. & if you do, & you click on it ... do you get the Category view ... with the option to switch back to the Classic view ?

If none of this is causing you a problem, then it isn't a problem in itself ...

-
I didn't mean you to delete the temp files/folders, I was going to give you a script to do that for you, but if you've already done it that's OK ... I'll still give you the script with or without, including removing the registry restriction, as you wish ...

Once we've done this you can purge system restore ...

So what's it to be with the restriction ? it's not a default key ... it was placed there at some time in the past, either by you or by malware ... but it's only a problem if you see it as a problem ... me ... I'd remove it.

steam

J. Lynn
2007-11-12, 21:42
I'll go ahead and take your advice as far as the restriction goes, particularly because when I tried to go back to the classic view there was no option. Very strange. But I take it you suspected that already. :laugh:

Just let me know what to do next.

Thanks!

steamwiz
2007-11-12, 22:17
Hi

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word Folder:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


Folder::
C:\Temp

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=-



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

steam

J. Lynn
2007-11-12, 22:55
Okay, will do.

Another fairly big concern just arose... I scanned my computer earlier using CA Anti-Spyware and it found the backdoor trojan 'Bitfrost'. I'm not quite sure how this has suddenly come into the picture as I've not done any 'web-surfing' on this computer since I started the whole cleaning process. Is there any other possible way this could have occurred otherwise? I use Outlook Express and CA scans all incoming e-mail, so I doubt that's the culprit. I hate to say that I'm actually tempted to format and start from scratch simply because I'm getting slightly paranoid. I am using TeaTimer, SpywareBlaster and SpywareGuard, so I'd think I'd at least have a pretty strong wall of protection... not to mention my firewall settings are pretty high.

Anyway, I'm going to go do as requested. Thanks for taking the time to help me with everything.

steamwiz
2007-11-12, 23:20
Hi

Can you give me a file name & location for backdoor trojan 'Bitfrost' ?

steam

J. Lynn
2007-11-12, 23:44
Encountered a few issues while running the script for Combofix...

As it was rebooting, I received the following alert:


16 bit MS-DOS Subsystem
C:/Combofix/ntpback.exe
C:/windows/system32/config.nt

The system file is not suitable for running MS-DOS and microsoft windows applications choose 'Close' to terminate the application.

I clicked 'ignore' and once the computer rebooted, this message popped up:


sed.cfexe

sed.cfexe has encountered a problem and needs to close. We are sorry for the inconvenience.

Combofix continued to 'try' to create a log file but finally halted altogether. (I did not click anything aside from the error message.)

_________________________________________

The location for Bitfrost was...

hkey_users \S-1-5-21-1757981266-413027322-839522115-1003\software\wget

steamwiz
2007-11-13, 19:54
Hi

Go to your C:\WINDOWS\system32 & look for the file CONFIG.NT

If you find it, open it in notepad & copy & paste the contents here ...

If you don't find one, then you can make one ...

Open a new notepad & copy the text from the code box below into it :-



dos=high, umb
device=%SystemRoot%\system32\himem.sys
files=40


save it as CONFIG.NT & save it to the C:\WINDOWS\system32 folder ...

If you get an error doing this, then you must have missed the file & you actually do have it ...

Try to run Combofix again ...

-
RE: Bitfrost

Please do this :-

Open a new notepad & copy the text from the code box below into it :-



regedit /e search.txt "hkey_users\S-1-5-21-1757981266-413027322-839522115-1003\software\wget"


save it to the desktop as search.bat

double-click the search.bat and a new text file, search.txt, will be created on the desktop

Post the contents of the search.txt

steam
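
For the two registry steps in this thread, the Registry:: section of the CFScript (with its "name"=- deletions) and the regedit /e export requested for the wget key, here is an added example that is not part of the original thread: it parses that .reg syntax offline and dry-runs the script against the export, so you can see which values would be removed before ComboFix touches the registry. The export text, the SID and the wget values are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of what `regedit /e search.txt "<key>"` writes. A real export
# is UTF-16LE with a BOM; the SID and the wget values here are placeholders.
SAMPLE_EXPORT = '''\ufeffWindows Registry Editor Version 5.00
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\explorer]
"ForceClassicControlPanel"=dword:00000001
[HKEY_USERS\\.default\\software\\microsoft\\windows\\currentversion\\policies\\explorer]
"ForceClassicControlPanel"=dword:00000001
[HKEY_USERS\\S-1-5-21-EXAMPLE-1003\\software\\wget]
"DownloadDir"="C:\\\\Temp"
"Flags"=hex:01,00,\\
  02,03
"Prefix"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,00,00
'''
# The Registry:: section of the CFScript uses the same syntax; "name"=- deletes a value.
CFSCRIPT_REGISTRY = '''[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\explorer]
"ForceClassicControlPanel"=-
[HKEY_USERS\\.default\\software\\microsoft\\windows\\currentversion\\policies\\explorer]
"ForceClassicControlPanel"=-
'''
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                  # [-key] deletes the whole key
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # @ is the (Default) value
POLICY_SUFFIX = '\\software\\microsoft\\windows\\currentversion\\policies\\explorer'

@dataclass
class RegKey:
    path: str
    delete: bool = False
    values: dict = field(default_factory=dict)       # name -> (type, data)
    deleted_values: list = field(default_factory=list)

def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')

def _parse_data(raw):
    """Decode the right-hand side of a value line into (type, data)."""
    if raw == '-':
        return ('delete', None)
    if raw.startswith('"') and raw.endswith('"'):
        return ('REG_SZ', _unescape(raw[1:-1]))
    if raw.startswith('dword:'):
        return ('REG_DWORD', int(raw[6:], 16))
    m = re.match(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$', raw)
    if not m:
        raise ValueError('unrecognised registry data: %r' % raw)
    data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
    if m.group(1) == '2':                              # REG_EXPAND_SZ is UTF-16LE text
        return ('REG_EXPAND_SZ', data.decode('utf-16-le').rstrip('\x00'))
    return ('REG_BINARY' if m.group(1) is None else 'hex(%s)' % m.group(1), data)

def parse_reg(text):
    """Parse .reg / Registry:: text into a list of RegKey, in file order."""
    joined = []
    for raw in text.lstrip('\ufeff').splitlines():     # drop the BOM, then fold
        line = raw.strip()                             # hex continuation lines
        if joined and joined[-1].endswith('\\'):
            joined[-1] = joined[-1][:-1] + line
        else:
            joined.append(line)
    keys, current = [], None
    for line in joined:
        if not line or line[0] == ';' or line.startswith(('Windows Registry Editor', 'REGEDIT4')):
            continue
        m = KEY_RE.match(line)
        if m:
            current = RegKey(path=m.group(2), delete=bool(m.group(1)))
            keys.append(current)
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError('cannot parse line: %r' % line)
        name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        vtype, data = _parse_data(m.group(2).strip())
        if vtype == 'delete':
            current.deleted_values.append(name)
        else:
            current.values[name] = (vtype, data)
    return keys

def explorer_restrictions(keys):
    """Explorer policies keys and the values they set; a default install sets none."""
    return {k.path: {n: d for n, (_, d) in k.values.items()}
            for k in keys if k.path.lower().endswith(POLICY_SUFFIX) and k.values}

def apply_script(state, script):
    """Dry-run a Registry:: script against exported state; returns {path.lower(): {name: (type, data)}}."""
    result = {k.path.lower(): dict(k.values) for k in state}
    for k in script:
        path = k.path.lower()
        if k.delete:                                   # [-key] removes the whole key
            result.pop(path, None)
            continue
        target = result.setdefault(path, {})
        for name in k.deleted_values:                  # "name"=- removes one value
            target.pop(name, None)
        target.update(k.values)
    return result
```

Run explorer_restrictions over a real export to see every non-default Explorer restriction a user or malware has set, then apply_script to confirm the CFScript removes exactly those and nothing else.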

J. Lynn
2007-11-13, 22:42
Things have officially gotten a little weird... I think there are a few major underlying issues in my registry/Windows setup that are more than likely causing so many conflicts. Earlier today I used CCleaner to clear out a few orphan registry keys and my computer suddenly went into PIO mode. Fortunately I created a backup prior to using CC, so I reverted back to it. I was still stuck in PIO mode, so I reinstalled the IDE ATA/ATAPI controller... and then everything went back to "normal".

I just completed what you asked (had to create config.nt) and I got the same error message stating:


sed.cfexe

sed.cfexe has encountered a problem and needs to close. We are sorry for the inconvenience.

But, it actually managed to create a log this time...
_____________________________________________________

ComboFix 07-11-08.3 - Jessica Lynn 2007-11-13 16:05:20.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1415 [GMT -5:00]
Running from: C:\Documents and Settings\Jessica Lynn\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jessica Lynn\Desktop\CFScript.txt
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\Temp\~DF1429.tmp
C:\Temp\~DF3637.tmp
C:\Temp\~DF46AE.tmp
C:\Temp\~DF4CF2.tmp
C:\Temp\~DF4E55.tmp
C:\Temp\~DF6A82.tmp
C:\Temp\~DF6B5E.tmp
C:\Temp\~DFA215.tmp
C:\Temp\~DFA2C0.tmp
C:\Temp\~DFA802.tmp
C:\Temp\~DFABB8.tmp
C:\Temp\~DFAE48.tmp
C:\Temp\~DFB074.tmp
C:\Temp\~DFB2B1.tmp
C:\Temp\~DFF0DC.tmp
C:\Temp\~DFF7AD.tmp
C:\Temp\8A56EAB7.TMP
C:\Temp\avg7inst.log
C:\Temp\CitrixLogs\G2MInst.log
C:\Temp\CitrixLogs\G2MOutlookAddin-uninstall.log
C:\Temp\CitrixLogs\G2MStart-uninstall.log
C:\Temp\D653F3EC.TMP
C:\Temp\G2MCodec.log
C:\Temp\hsperfdata_Jessica Lynn\924
C:\Temp\IMT6B.xml
C:\Temp\IMT6C.xml
C:\Temp\IMT6D.xml
C:\Temp\jusched.log
C:\Temp\Set2D.tmp
C:\Temp\SSUPDATE.EXE
C:\Temp\vmpremov.exe
C:\Temp\yobkllrwTUS.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.

2007-11-13 00:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-12 23:59 <DIR> d-------- C:\Documents and Settings\Jessica Lynn\Application Data\AVG7
2007-11-12 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-12 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-12 23:59 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-11-12 23:59 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2007-11-12 23:04 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-12 23:04 <DIR> d-------- C:\Program Files\CCleaner
2007-11-12 22:30 <DIR> d-------- C:\KAV
2007-11-12 19:01 <DIR> d-------- C:\VundoFix Backups
2007-11-10 20:02 <DIR> d-------- C:\Sun
2007-11-10 19:59 <DIR> d-------- C:\Program Files\SpywareGuard
2007-11-10 18:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-10 18:13 26,112 --------- C:\WINDOWS\system32\idndl.dll
2007-11-10 18:13 23,552 --------- C:\WINDOWS\system32\normaliz.dll
2007-11-10 18:11 24,576 --------- C:\WINDOWS\system32\nlsdl.dll
2007-11-10 16:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-10 13:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-10 13:54 <DIR> d-------- C:\Documents and Settings\Jessica Lynn\Application Data\SUPERAntiSpyware.com
2007-11-06 15:54 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-10-30 23:25 <DIR> d-------- C:\Program Files\CA
2007-10-21 10:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-20 08:43 <DIR> d-------- C:\Program Files\a-squared Free
2007-10-19 11:00 <DIR> d-------- C:\Program Files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 21:09 --------- d-----w C:\Documents and Settings\Jessica Lynn\Application Data\WTablet
2007-11-13 18:37 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2007-11-13 18:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 18:34 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-13 14:34 --------- d-----w C:\Program Files\PageBreeze
2007-11-13 04:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-11 01:19 --------- d-----w C:\Program Files\Java
2007-11-10 18:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-27 15:14 --------- d-----w C:\Documents and Settings\Guest\Application Data\WTablet
2007-10-22 05:22 --------- d-----w C:\Documents and Settings\Jessica Lynn\Application Data\Move Networks
2007-10-21 02:38 --------- d-----w C:\Program Files\AWS
2007-09-28 17:32 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-09-28 17:32 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-09-24 13:56 --------- d-----w C:\Program Files\NETGEAR
2007-09-14 21:48 --------- d-----w C:\Documents and Settings\Jessica Lynn\Application Data\U3
2007-06-05 18:00 69,272 ----a-w C:\Documents and Settings\Jessica Lynn\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2007-11-11_21.04.42.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-11 01:16:39 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-13 03:39:08 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-11 01:16:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-13 03:39:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-03 23:59:42 95,360 ----a-w C:\WINDOWS\system32\drivers\atapi.sys
+ 2004-08-04 03:59:44 95,360 ----a-w C:\WINDOWS\system32\drivers\atapi.sys
+ 2007-11-13 04:59:41 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2007-11-13 04:59:41 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2007-11-13 04:59:41 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2007-11-13 04:59:45 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-11-13 04:59:41 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-11-13 04:59:43 4,960 ----a-w C:\WINDOWS\system32\drivers\avgtdi.sys
- 2001-08-17 14:58:02 35,840 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys
+ 2001-08-17 18:58:02 35,840 ----a-w C:\WINDOWS\system32\drivers\isapnp.sys
- 2004-08-04 00:07:46 68,224 ----a-w C:\WINDOWS\system32\drivers\pci.sys
+ 2004-08-04 04:07:48 68,224 ----a-w C:\WINDOWS\system32\drivers\pci.sys
- 2001-08-17 14:51:52 3,328 ----a-w C:\WINDOWS\system32\drivers\pciide.sys
+ 2001-08-17 18:51:52 3,328 ----a-w C:\WINDOWS\system32\drivers\pciide.sys
- 2004-08-03 23:59:42 25,088 ----a-w C:\WINDOWS\system32\drivers\pciidex.sys
+ 2004-08-04 03:59:42 25,088 ----a-w C:\WINDOWS\system32\drivers\pciidex.sys
- 2004-08-04 00:08:38 26,624 ----a-w C:\WINDOWS\system32\drivers\usbehci.sys
+ 2004-08-04 04:08:38 26,624 ----a-w C:\WINDOWS\system32\drivers\usbehci.sys
- 2004-08-04 00:08:42 57,600 ----a-w C:\WINDOWS\system32\drivers\usbhub.sys
+ 2004-08-04 04:08:44 57,600 ----a-w C:\WINDOWS\system32\drivers\usbhub.sys
- 2004-08-04 00:08:42 142,976 ----a-w C:\WINDOWS\system32\drivers\usbport.sys
+ 2004-08-04 04:08:44 142,976 ----a-w C:\WINDOWS\system32\drivers\usbport.sys
- 2004-08-04 00:08:38 20,480 ----a-w C:\WINDOWS\system32\drivers\usbuhci.sys
+ 2004-08-04 04:08:38 20,480 ----a-w C:\WINDOWS\system32\drivers\usbuhci.sys
+ 2004-08-04 00:07:46 68,224 ----a-w C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\pci.sys
+ 2001-08-17 14:58:02 35,840 ----a-w C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\isapnp.sys
+ 2004-08-04 00:08:42 57,600 ----a-w C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\usbhub.sys
+ 2004-08-04 00:08:42 142,976 ----a-w C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\usbport.sys
+ 2004-08-04 00:08:38 20,480 ----a-w C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\usbuhci.sys
+ 2004-08-04 00:56:48 74,240 ----a-w C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\usbui.dll
+ 2004-08-04 04:08:44 57,600 ----a-w C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\usbhub.sys
+ 2004-08-04 04:08:44 142,976 ----a-w C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\usbport.sys
+ 2004-08-04 04:08:38 20,480 ----a-w C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\usbuhci.sys
+ 2004-08-04 05:56:48 74,240 ----a-w C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\usbui.dll
+ 2004-08-04 04:08:44 57,600 ----a-w C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\usbhub.sys
+ 2004-08-04 04:08:44 142,976 ----a-w C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\usbport.sys
+ 2004-08-04 04:08:38 20,480 ----a-w C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\usbuhci.sys
+ 2004-08-04 05:56:48 74,240 ----a-w C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\usbui.dll
+ 2004-08-04 04:08:44 57,600 ----a-w C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\usbhub.sys
+ 2004-08-04 04:08:44 142,976 ----a-w C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\usbport.sys
+ 2004-08-04 04:08:38 20,480 ----a-w C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\usbuhci.sys
+ 2004-08-04 05:56:48 74,240 ----a-w C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\usbui.dll
+ 2004-08-04 01:56:42 7,168 ----a-w C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\hccoin.dll
+ 2004-08-04 00:08:38 26,624 ----a-w C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\usbehci.sys
+ 2004-08-04 04:08:44 57,600 ----a-w C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\usbhub.sys
+ 2004-08-04 04:08:44 142,976 ----a-w C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\usbport.sys
+ 2004-08-04 05:56:48 74,240 ----a-w C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\usbui.dll
+ 2004-08-04 04:07:48 68,224 ----a-w C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\pci.sys
+ 2004-08-04 04:07:48 68,224 ----a-w C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\i386\pci.sys
+ 2004-08-04 04:07:48 68,224 ----a-w C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\pci.sys
+ 2004-08-03 23:59:42 95,360 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\atapi.sys
+ 2004-08-03 22:59:42 5,504 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\intelide.sys
+ 2004-08-03 23:59:42 25,088 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\pciidex.sys
- 2004-08-04 00:56:48 74,240 ----a-w C:\WINDOWS\system32\usbui.dll
+ 2004-08-04 05:56:48 74,240 ----a-w C:\WINDOWS\system32\usbui.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-02 19:53]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-02 19:53]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-02 19:53]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 02:00]
"Auto EPSON Stylus Photo R200 Series (USB) on CHROWMMAXTOR"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 02:00]
"\\chrowmmaxtor\EPSON Stylus Photo R200 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [2003-07-08 02:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-18 18:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-12 23:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

C:\Documents and Settings\Jessica Lynn\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
SDK Tray Menu.lnk - C:\Sun\SDK\jdk\bin\javaw.exe [2007-11-10 20:03:28]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-12 23:59 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Suitcase Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Suitcase Startup.lnk
backup=C:\WINDOWS\pss\Suitcase Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

R0 ZetSFD;ZetSFD;C:\WINDOWS\system32\DRIVERS\ZetSFD.sys
R2 GtDetectSc;GT Detect;C:\WINDOWS\system32\GtDetectSc.exe
R2 SFSZ;DataPlow SFS for Zetera Storage Devices;C:\WINDOWS\system32\drivers\sfsz.sys
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 Zetera;Zetera;C:\Program Files\NETGEAR\SC101 Manager Utility\ZeteraService.exe
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
R3 ZetBus;Zetera Virtual Bus;C:\WINDOWS\system32\DRIVERS\ZetBus.sys
R3 ZetMPD;ZetMPD;C:\WINDOWS\system32\DRIVERS\ZetMPD.sys
S3 GTFFBUS;GT FF BUS;C:\WINDOWS\system32\DRIVERS\gtffbus.sys
S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;C:\WINDOWS\system32\DRIVERS\Gtm51Irp.sys
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys
S3 GTUQBUS;GT UQ BUS;C:\WINDOWS\system32\DRIVERS\gtuqbus.sys
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\PCTINDIS5.SYS
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{197caa0c-5cae-11dc-8dea-0012f03cc41a}]
\Shell\AutoRun\command - H:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-13 16:11:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\\\chrowmmaxtor\\EPSON Stylus Photo R200 Series (Copy 1)"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE\" /P54 \"\\\\chrowmmaxtor\\EPSON Stylus Photo R200 Series (Copy 1)\" /O6 \"USB001\" /M \"Stylus Photo R200\""
.
Completion time: 2007-11-13 16:15:02 - machine was rebooted
.
--- E O F ---

_____________________________________________________

Here is the log for the search...

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\software\wget]

_____________________________________________________


After I used Combofix, Firefox was suddenly completely uninstalled from my system on reboot. :blink:

I have no idea what is going on, haha.

steamwiz
2007-11-14, 18:53
Hi

I'm curious how you knew the computer was running in PIO mode ... In Device Manager > IDE ATA/ATAPI controllers > IDE channel properties ... presumably the current transfer mode was PIO only, because Ultra DMA Mode 2 was not available? ... anyway, glad you got that sorted ...


RE: Combofix ... did you get any other error before the sed.cfexe error?

In Combofix ... under ...

((((( Other Deletions )))))

All the files deleted from the temp folder were innocent temp files, except the last one, yobkllrwTUS.dll.

Whatever it was, it was definitely up to no good ...

The Combofix log is clean ...

I see no entries whatsoever for Firefox in the Combofix log, so I don't see how Combofix could have uninstalled it. I must have had over a thousand users run Combofix, and every so often something unexplained happens, as can happen with any malware removal program. We can never be 100% certain what malware has done to a computer; we just remove it as safely as we can. This is the first time I have heard of Firefox being uninstalled in this way ...

I do not advise running ANY registry cleaner, and that includes Ccleaner (for the registry). I have seen too many legit registry keys removed by "reputable" cleaners over the years ... in the days of Win 9x the registry would become bloated and slow down a computer, but with XP the registry works in a different way, and no matter how many orphan keys you have in the registry, it will not slow down your computer ... so I don't worry too much about them, I only remove malware keys ....

I wonder if it was Ccleaner which removed Firefox and not Combofix? Is this possible?

While we are talking about the registry ... this ...

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\software\wget]

is an empty key/folder ...

As it was picked up as the backdoor trojan 'Bitfrost', I wondered what files/programs it was pointing to ... turns out ... nothing, just an empty key/folder called wget ...

You appear to be relatively experienced with computers, so you can run regedit, navigate to the folder wget, right-click on it and delete it, if you want to ... or I could give you a script to drop into Combofix and let it do it for you, or I could give you a reg file to delete it, or you could just ignore it.

Is the Control Panel issue resolved?

And I've lost track of your original problems; are they resolved also?

Please let me know how we stand at the moment.

steam
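The "reg file to delete it" that steamwiz offers above would look like this. It is an added example, not something posted in the thread; the key path is copied from the ComboFix search result earlier in the thread, and the file assumes that key really is empty, because a .reg deletion removes the key together with any values and subkeys it might hold, so check it in regedit first.

```reg
Windows Registry Editor Version 5.00

; Added example: the leading "-" inside the brackets tells regedit to delete
; this key (and anything under it) instead of creating it.
; Key path taken from the regedit search result posted in this thread.
[-HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\software\wget]
```

Save it with a .reg extension and either double-click it or run it silently with `regedit /s wget-delete.reg`. Before importing it, take a backup with `reg export "HKU\S-1-5-21-1757981266-413027322-839522115-1003\software\wget" wget-backup.reg`; importing that backup restores the key if anything turns out to depend on it. While the account with that SID is logged on, the same key is also visible as HKEY_CURRENT_USER\Software\wget, which is the path you would navigate to in regedit.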

---

tashi
2007-11-25, 04:50
J. Lynn?