-
Shaba:
The .exe fix worked, in that I could launch some programs (e.g., Solitaire).
I went ahead and tried to launch GMER, but as far as I can tell it did not run. Windows Task Manager said it was running, but no GMER screen appeared. There was no reference to gmer.sys loading, nor a warning about rootkit activity, nor a Rootkit tab, etc.
I tried in Safe Mode too, same result. Am I not waiting long enough, or should there be some screen after double-clicking the GMER icon saying GMER is running?
As an added bonus, during one of the reboots, Antivirus Pro 2010 appeared and began running a fake scan.
I did NOT try ComboFix.
-
For clarification, when Windows Task Manager was opened, the GMER folder appeared under the "Applications" tab, but I did not see any activity under the "Processes" tab ...
-
Please then try to run ComboFix in Safe Mode.
-
Combofix "results"
Shaba:
I was able to start ComboFix in Safe Mode, and it eventually produced the log below; however, I'm not sure everything went as expected.
When I started ComboFix, it said it had identified rootkit activity (c:\windows\system32\drivers\UACpyxmtkiqvd.sys) and rebooted. Once ComboFix started again, it said I didn't have a Windows Recovery Console and would access the internet to download one, but then it could not access the internet. (I also thought I had the Recovery Console installed, but perhaps not.)
During the scan, numerous windows popped up saying various files were corrupt and to run the chkdsk utility. For example, I received the following:
PEV.EXE - corrupt file. The file or directory \pagefile.sys is corrupt and unreadable. Please run the chkdsk utility.
CF25281.exe - corrupt file. The file or directory \windows\temp\dd_net_framework20_setup01303.txt is corrupt and unreadable ...
NIRCMD.cfxxe - corrupt file. The file or directory \recycled\Dc4.exe is corrupt and unreadable. Please run the chkdsk utility.
etc.
I also received a message saying to insert my Windows XP disk, as some files needed to run Windows had been replaced with unrecognized ones.
I did NOT run chkdsk and did NOT reinstall any Windows components.
Finally, ComboFix rebooted my machine a second time to prepare the log below.
Thanks for your help.
-
Combofix log
ComboFix 09-09-14.02 - default 09/15/2009 12:42.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.147 [GMT -6:00]
Running from: c:\documents and settings\default\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\dumokisamo.ban
c:\documents and settings\All Users\Application Data\ekozynuqew.pif
c:\documents and settings\All Users\Application Data\fecimyd.inf
c:\documents and settings\All Users\Application Data\fulahypax.dll
c:\documents and settings\All Users\Application Data\mecuw.vbs
c:\documents and settings\All Users\Application Data\mehomifari.com
c:\documents and settings\All Users\Application Data\nedaf._sy
c:\documents and settings\All Users\Application Data\xozonuby.dll
c:\documents and settings\All Users\Application Data\ymupuxas.dl
c:\documents and settings\All Users\Application Data\yqur.bin
c:\documents and settings\default\Application Data\aqadujedej.ban
c:\documents and settings\default\Application Data\axudewux.exe
c:\documents and settings\default\Application Data\dytylypoxu.lib
c:\documents and settings\default\Application Data\ebevobifoj.dl
c:\documents and settings\default\Application Data\eqohute.vbs
c:\documents and settings\default\Application Data\fehiga.bat
c:\documents and settings\default\Application Data\ihyfuvaxiz.dll
c:\documents and settings\default\Application Data\jeji._sy
c:\documents and settings\default\Application Data\jozupotoq.lib
c:\documents and settings\default\Application Data\jurecukify.pif
c:\documents and settings\default\Application Data\kyno.dl
c:\documents and settings\default\Application Data\lagol.dll
c:\documents and settings\default\Application Data\megaj.inf
c:\documents and settings\default\Application Data\memawyc.ban
c:\documents and settings\default\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\default\Application Data\oranymo.ban
c:\documents and settings\default\Application Data\osiveko._sy
c:\documents and settings\default\Application Data\RACLE~1
c:\documents and settings\default\Application Data\siseba.lib
c:\documents and settings\default\Application Data\ufedu.inf
c:\documents and settings\default\Application Data\ufezy.reg
c:\documents and settings\default\Application Data\vozycuqati.ban
c:\documents and settings\default\Application Data\widukixi.reg
c:\documents and settings\default\Application Data\wilexaho.scr
c:\documents and settings\default\Application Data\zotufec.bat
c:\documents and settings\default\Application Data\zysy.exe
c:\documents and settings\default\Cookies\dagys.scr
c:\documents and settings\default\Cookies\esylacahe.dll
c:\documents and settings\default\Cookies\gojosukisy.dll
c:\documents and settings\default\Cookies\opijex.bat
c:\documents and settings\default\Cookies\wareburac.lib
c:\documents and settings\default\Cookies\woficexoru.reg
c:\documents and settings\default\Local Settings\Temporary Internet Files\agac.lib
c:\documents and settings\default\Local Settings\Temporary Internet Files\esyco.bin
c:\documents and settings\default\Local Settings\Temporary Internet Files\gygen.lib
c:\documents and settings\default\Local Settings\Temporary Internet Files\kosud.bat
c:\documents and settings\default\Local Settings\Temporary Internet Files\lisabaxel.inf
c:\documents and settings\default\Local Settings\Temporary Internet Files\lura.exe
c:\documents and settings\default\Local Settings\Temporary Internet Files\vapolokuqo.ban
c:\documents and settings\default\Local Settings\Temporary Internet Files\wulaqovuj.sys
c:\documents and settings\default\Local Settings\Temporary Internet Files\xirexa.pif
c:\documents and settings\default\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\default\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\default\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\ipycybile.dll
c:\program files\Common Files\micukutat.pif
c:\program files\Common Files\pagypotov.exe
c:\program files\Common Files\paqogaruxa.reg
c:\program files\Common Files\pifa._dl
c:\program files\Common Files\qaxilo.dl
c:\program files\Common Files\uheped.sys
c:\program files\Common Files\zuviki.bin
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\windows Police Pro.exe
c:\temp\tn3
c:\windows\All Users\Documents\asufi.ban
c:\windows\All Users\Documents\balolyhyza._dl
c:\windows\All Users\Documents\gesymavola.inf
c:\windows\All Users\Documents\hobuda.dl
c:\windows\All Users\Documents\ivoh.bat
c:\windows\All Users\Documents\mini.bat
c:\windows\All Users\Documents\onode.dl
c:\windows\All Users\Documents\panefaru.pif
c:\windows\All Users\Documents\ycoco._dl
c:\windows\All Users\Documents\zaxusy.com
c:\windows\All Users\Documents\zuhanom.scr
c:\windows\amuco.scr
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\DRIVERS\beep.sys
c:\windows\elis.ban
c:\windows\hocade.bin
c:\windows\Installer\127f7.msi
c:\windows\Installer\163f2.msi
c:\windows\Installer\241ea.msi
c:\windows\Installer\2b522.msi
c:\windows\Installer\30df8.msi
c:\windows\Installer\35d57.msi
c:\windows\Installer\36a86.msi
c:\windows\Installer\3c38d.msi
c:\windows\Installer\61274.msi
c:\windows\Installer\ffd03b10.msi
c:\windows\jestertb.dll
c:\windows\lyciwezexe.bat
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\rejovida.reg
c:\windows\seqawimi.vbs
c:\windows\start.exe
c:\windows\system32\_scui.cpl
c:\windows\system32\bgqwwsnw.ini
c:\windows\system32\bincd32.dat
c:\windows\system32\braviax.exe
c:\windows\system32\cete.bat
c:\windows\system32\cru629.dat
c:\windows\SYSTEM32\dcbeg.bak1
c:\windows\SYSTEM32\dcbeg.bak2
c:\windows\SYSTEM32\dcbeg.tmp
c:\windows\system32\drivers\UACpyxmtkiqvd.sys
c:\windows\system32\fmifkfgn.ini
c:\windows\system32\gtccwsvp.ini
c:\windows\system32\hniivpof.ini
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\iwefa.ban
c:\windows\system32\jvwfpfxx.ini
c:\windows\system32\lymusoluza.exe
c:\windows\system32\mghrgosi.ini
c:\windows\system32\npyyuwol.ini
c:\windows\system32\opyvi.sys
c:\windows\system32\puviwo.dll
c:\windows\system32\qiphxufk.ini
c:\windows\system32\sahutaxam.bin
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\uzofybojyt.scr
c:\windows\system32\waksdqvj.ini
c:\windows\system32\windows.scr
c:\windows\system32\wisdstr.exe
c:\windows\system32\wispex.html
c:\windows\system32\yqezilona.vbs
c:\windows\system32\Z1
c:\windows\system32\Z11
c:\windows\system32\Z3
c:\windows\system32\Z5
c:\windows\system32\Z7
c:\windows\system32\Z9
c:\windows\tonahedoh.reg
c:\windows\ugisarali.vbs
c:\windows\uhebuvy.ban
c:\windows\unidivy.inf
c:\windows\Web\default.htt
c:\windows\wirane.scr
c:\windows\ynox._dl
c:\windows\system32\drivers\beep.sys . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_ANTIPPRO2009_100
-------\Service_AntipPro2009_100
((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.
2009-09-15 18:29 . 2009-09-15 18:29 -------- d-----w- C:\Combo-Fix
2009-09-15 17:57 . 2009-09-15 17:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-15 17:54 . 2009-09-15 17:54 12379 ----a-w- c:\documents and settings\default\Application Data\bifupexa.dat
2009-09-15 13:02 . 2009-09-15 13:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-09-15 01:05 . 2009-09-15 01:05 14268 ----a-w- c:\windows\system32\pepo.dat
2009-09-15 01:05 . 2009-09-15 01:05 10574 ----a-w- c:\documents and settings\default\Application Data\mykade.dat
2009-09-15 00:01 . 2009-09-15 00:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-14 13:30 . 2009-09-15 00:57 27648 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-10 06:09 . 2009-09-10 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
2009-09-08 19:28 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 05:45 . 2009-09-08 06:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-07 04:28 . 2009-09-07 04:28 -------- d-sh--w- c:\documents and settings\default\IECompatCache
2009-09-07 02:42 . 2009-09-07 02:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-07 02:31 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-07 01:52 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-07 01:51 . 2009-09-07 01:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-07 01:50 . 2009-09-07 01:50 -------- d-----w- c:\program files\Lavasoft
2009-09-06 22:51 . 2009-09-06 22:51 -------- d-----w- c:\program files\Trend Micro
2009-09-06 20:23 . 2009-09-06 20:23 16342 ----a-w- c:\documents and settings\default\Application Data\cixadura.dat
2009-09-06 19:57 . 2009-09-06 19:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\scripting
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\l2schemas
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\en
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\bits
2009-09-06 19:26 . 2009-09-06 19:27 -------- d-----w- c:\windows\EHome
2009-09-06 18:31 . 2009-09-06 18:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\default\PrivacIE
2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-06 18:21 . 2009-09-06 18:21 -------- d-sh--w- c:\documents and settings\default\IETldCache
2009-09-06 18:19 . 2009-09-06 18:19 -------- d-----w- c:\windows\ie8updates
2009-09-06 18:18 . 2009-09-06 18:18 -------- d--h--w- c:\windows\ie8
2009-09-06 18:17 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-06 18:17 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-06 18:17 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-06 18:17 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-06 18:17 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-06 18:17 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-09-06 18:03 . 2008-10-16 20:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 01:11 . 2009-09-15 19:02 268435456 --sha-w- c:\windows\system32\temppf.sys
2009-09-03 23:16 . 2009-09-03 23:17 45 ----a-w- c:\documents and settings\default\jagex_runescape_preferences2.dat
2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iPod
2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iTunes
2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-18 02:51 . 2009-08-18 02:51 -------- d-----w- c:\program files\Bonjour
2009-08-18 02:50 . 2009-08-18 02:50 -------- d-----w- c:\program files\QuickTime
2009-08-18 02:47 . 2009-07-09 18:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-15 18:03 . 2009-09-15 18:03 19763 ----a-w- c:\program files\Common Files\ejujuraryj.lib
2009-09-06 20:23 . 2009-09-06 20:23 14766 ----a-w- c:\documents and settings\All Users\Application Data\vahu.dat
2009-09-04 00:28 . 2008-07-01 21:59 37 ----a-w- c:\documents and settings\default\jagex_runescape_preferences.dat
2009-08-16 19:04 . 2009-05-23 14:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 19:04 . 2008-01-27 03:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 19:04 . 2009-05-23 14:43 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\MSBuild
2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\Reference Assemblies
2009-08-08 05:44 . 2009-08-08 05:43 -------- d-----w- c:\program files\MSXML 6.0
2009-08-05 09:01 . 2008-01-23 03:28 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:36 . 2008-08-29 04:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 19:36 . 2008-08-29 04:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2008-01-23 03:25 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 18:21 . 2008-01-23 03:34 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 18:16 . 2008-01-29 04:22 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-03 17:09 . 2008-01-23 03:31 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-01-23 03:30 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-01-23 03:29 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-01-23 03:29 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-01-23 03:28 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-01-23 03:27 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-01-23 03:27 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-01-23 03:27 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2000-10-13 22:56 . 2000-10-13 22:56 23357 ----a-w- c:\program files\folder.htt
.
------- Sigcheck -------
[-] 2009-09-15 00:57 . 5136045680D6EEFB0241B41160416438 . 27648 . . [------] . . c:\windows\SYSTEM32\dllcache\beep.sys
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-08 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="c:\windows\system32\spool\migrate.dll" [2004-08-04 30208]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Filseclab Messenger.lnk - c:\program files\Common Files\Filseclab\FilMsg.exe [2007-7-30 315652]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 19:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"=c:\progra~1\MESSEN~1\msmsgs.exe /background
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
"CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"TaskMonitor"=c:\windows\taskmon.exe
"PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s
"WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
"MULTIMEDIA KEYBOARD"=c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe
"LoadQM"=loadqm.exe
"HPAIO_PrintFolderMgr"=c:\windows\SYSTEM\hpoopm07.exe
"DownloadWare"="c:\program files\DownloadWare\dw.exe" /H
"SearchEnhancement"="c:\program files\SCBAR\V1\SCBAR.EXE" /U
"KodakCCS"=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NAV Agent"=c:\progra~1\NORTON~1\NAVAPW32.EXE
"RecoverFromReboot"=c:\windows\TEMP\RECOVE~1.EXE
"BJCFD"=c:\program files\BroadJump\Client Foundation\CFD.exe
"QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
"xfilter"="c:\program files\Filseclab\xfilter\xfilter.exe" -a
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [9/6/2009 7:52 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/23/2009 8:43 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/23/2009 8:43 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/23/2009 8:42 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2009 8:42 AM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1029456]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [5/25/2009 7:49 PM 36224]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna
.
Contents of the 'Scheduled Tasks' folder
2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
2009-09-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
AddRemove-Adobe Acrobat 5.0 - c:\windows\ISUNINST.EXE -fc:\program files\Common Files\Adobe\Acrobat 5.0\ME\Uninst.isu
AddRemove-BroadJump Client Foundation - c:\windows\IsUninst.exe -fc:\program files\BroadJump\Client Foundation\Uninst.isu -cc:\program files\BroadJump\Client Foundation\RmvBJCFD.dll
AddRemove-FoneSync - c:\windows\IsUninst.exe -fc:\program files\FoneSync\Uninst.isu
AddRemove-Image Expert 3.2 - c:\windows\IsUninst.exe -fc:\program files\Sierra Imaging\Image Expert 2000\Uninst.isu
AddRemove-MusicMatch Jukebox - c:\windows\IsUninst.exe -fc:\program files\MusicMatch\MusicMatch Jukebox\Uninst.isu
AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 13:03
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(360)
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\MVOICE.VWP
- - - - - - - > 'lsass.exe'(416)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(1324)
c:\windows\system32\WININET.dll
vsfocetkopabwq.dll 10000000 36864 \\?\globalroot\systemroot\system32\vsfocetkopabwq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\AVG\AVG8\AVGEMC.EXE
c:\program files\AVG\AVG8\AVGRSX.EXE
c:\program files\AVG\AVG8\AVGNSX.EXE
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SYSTEM32\WBEM\UNSECAPP.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-09-15 13:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 19:16
Pre-Run: 1,341,374,464 bytes free
Post-Run: 3,543,924,736 bytes free
445 --- E O F --- 2009-09-08 20:07
-
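The log above is long, and the lines a helper actually weighs are scattered through it: the kernel driver deleted from system32\drivers (UACpyxmtkiqvd.sys) and the UACd.sys service entries removed, beep.sys reported infected and then missing with a failed Sigcheck on the dllcache copy, Security Center update notifications and the firewall switched off in the registry, AVG's on-access scanning disabled, and a DLL inside explorer.exe loaded through a \\?\globalroot device path rather than a drive-letter path (worth noting even though catchme reported "hidden files: 0"). The script below is an added example, not part of the thread or of ComboFix itself: it splits a ComboFix log into its sections and flags those indicators. The section-header regex, the rule names and the rule patterns are my own assumptions about the log layout, derived only from the log shown above; the embedded sample is a constructed excerpt of lines from that log, re-ordered so that every rule has something to match.

```python
"""Triage a ComboFix log: split it into sections and flag the lines a
malware-removal helper looks at first. Added example for this thread; the
header regex and the rules are assumptions based on the log posted above."""
import re
from collections import OrderedDict

# Constructed excerpt of lines from the log in this thread (not the full log).
SAMPLE_LOG = r"""
ComboFix 09-09-14.02 - default 09/15/2009 12:42.1.1 - FAT32x86
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((( Other Deletions )))))))))))))))))))
.
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\windows\system32\drivers\UACpyxmtkiqvd.sys
c:\windows\system32\drivers\beep.sys . . . is infected!!
.
((((((((((((((((((( Drivers/Services )))))))))))))))))))
.
-------\Service_UACd.sys
-------\Legacy_UACd.sys
.
------- Sigcheck -------
[-] 2009-09-15 00:57 . 5136045680D6EEFB0241B41160416438 . 27648 . . [------] . . c:\windows\SYSTEM32\dllcache\beep.sys
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((( Reg Loading Points )))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1324)
c:\windows\system32\WININET.dll
vsfocetkopabwq.dll 10000000 36864 \\?\globalroot\systemroot\system32\vsfocetkopabwq.dll
.
"""

# ComboFix section titles are wrapped in runs of '(' ... ')' or '-' ... '-'.
HEADER_RE = re.compile(r"^(?:\({3,}|(?:-\s?){3,})\s*(.+?)\s*(?:\){3,}|(?:\s?-){3,})$")

# (rule name, substring of the section title to search, or None for all, pattern)
RULES = [
    ("real-time AV disabled", None, re.compile(r"\*On-access scanning disabled\*")),
    ("Recovery Console not installed", None, re.compile(r"DOES NOT HAVE THE RECOVERY CONSOLE")),
    ("kernel driver deleted", "Other Deletions",
     re.compile(r"(?i)\\system32\\drivers\\[^\\\s]+\.sys$")),
    ("file reported infected or missing", None, re.compile(r"is (?:infected|missing)\s*!+")),
    ("rootkit service entry removed", "Drivers/Services", re.compile(r"^-+\\(?:Service|Legacy)_")),
    ("signature check failed", "Sigcheck", re.compile(r"^\[-\]")),
    ("Security Center or firewall switched off", "Reg Loading Points",
     re.compile(r'"(?:UpdatesDisableNotify|DisableMonitoring|AntiVirusDisableNotify|'
                r'FirewallDisableNotify)"=dword:0*1$|"EnableFirewall"=\s*0\b')),
    # Two leading backslashes, '?', then '\globalroot\': a device path, not a drive letter.
    ("module loaded via globalroot device path", "DLLs Loaded",
     re.compile(r"(?i)\\\\\?\\globalroot\\")),
]


def parse_sections(text):
    """Return OrderedDict: section title -> non-empty, non-'.' lines under it."""
    sections = OrderedDict([("Header", [])])
    current = "Header"
    for raw in text.splitlines():
        line = raw.rstrip()
        match = HEADER_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def triage(text):
    """Return (rule, section title, line) for every line that trips a rule."""
    findings = []
    for rule, wanted, pattern in RULES:
        for title, lines in parse_sections(text).items():
            if wanted is not None and wanted not in title:
                continue
            findings.extend((rule, title, line) for line in lines if pattern.search(line))
    return findings


def summarize(findings):
    """Count findings per rule, so a long log collapses to a short checklist."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, title, line in triage(SAMPLE_LOG):
        print(f"[{rule}] ({title}) {line}")
```

Run it against a saved log with `triage(open("ComboFix.txt").read())`; the section filter matters because the same text means different things in different sections (a .sys path under "Other Deletions" is a removed file, under "Files Created" it is merely a new one), and the rules are deliberately narrow so that a clean log produces no findings rather than a pile of noise.

-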
Please install the Recovery Console manually as described in my link, rerun ComboFix and post back a fresh ComboFix log :)
-
Link
Shaba:
Could you please send me the link that describes how to manually install the Recovery Console?
Thanks.
-
-
Combofix Scan
Got it.
ComboFix ran, with several windows opening to identify various corrupt files, and a reboot into normal XP mode (not Recovery Console mode). Here is the ComboFix log:
===
ComboFix 09-09-14.02 - default 09/15/2009 23:25.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.136 [GMT -6:00]
Running from: c:\documents and settings\default\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\default\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
PEV Error: LocalAppDataFolder
((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.
2009-09-15 18:29 . 2009-09-15 18:29 -------- d-----w- C:\Combo-Fix
2009-09-15 17:57 . 2009-09-15 17:57 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-15 17:54 . 2009-09-15 17:54 12379 ----a-w- c:\documents and settings\default\Application Data\bifupexa.dat
2009-09-15 13:02 . 2009-09-15 13:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-09-15 01:05 . 2009-09-15 01:05 14268 ----a-w- c:\windows\system32\pepo.dat
2009-09-15 01:05 . 2009-09-15 01:05 10574 ----a-w- c:\documents and settings\default\Application Data\mykade.dat
2009-09-15 00:01 . 2009-09-15 00:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-14 13:30 . 2009-09-15 00:57 27648 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-10 06:09 . 2009-09-10 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
2009-09-10 06:04 . 2009-09-10 06:04 -------- d-----w- c:\documents and settings\default\Application Data\AVG8
2009-09-08 19:28 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 05:45 . 2009-09-08 06:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-07 04:28 . 2009-09-07 04:28 -------- d-sh--w- c:\documents and settings\default\IECompatCache
2009-09-07 02:42 . 2009-09-07 02:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-07 02:31 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-07 01:52 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-07 01:51 . 2009-09-07 01:51 -------- d--h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-07 01:50 . 2009-09-07 01:50 -------- d-----w- c:\program files\Lavasoft
2009-09-06 22:51 . 2009-09-06 22:51 -------- d-----w- c:\program files\Trend Micro
2009-09-06 20:23 . 2009-09-06 20:23 16342 ----a-w- c:\documents and settings\default\Application Data\cixadura.dat
2009-09-06 19:57 . 2009-09-06 19:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\scripting
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\l2schemas
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\en
2009-09-06 19:35 . 2009-09-06 19:35 -------- d-----w- c:\windows\system32\bits
2009-09-06 19:26 . 2009-09-06 19:27 -------- d-----w- c:\windows\EHome
2009-09-06 18:31 . 2009-09-06 18:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\default\PrivacIE
2009-09-06 18:22 . 2009-09-06 18:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-06 18:21 . 2009-09-06 18:21 -------- d-sh--w- c:\documents and settings\default\IETldCache
2009-09-06 18:19 . 2009-09-06 18:19 -------- d-----w- c:\windows\ie8updates
2009-09-06 18:18 . 2009-09-06 18:18 -------- d--h--w- c:\windows\ie8
2009-09-06 18:17 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-06 18:17 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-06 18:17 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-06 18:17 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-06 18:17 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-06 18:17 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-09-06 18:03 . 2008-10-16 20:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 01:11 . 2009-09-16 05:22 268435456 --sha-w- c:\windows\system32\temppf.sys
2009-09-03 23:16 . 2009-09-03 23:17 45 ----a-w- c:\documents and settings\default\jagex_runescape_preferences2.dat
2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iPod
2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\program files\iTunes
2009-08-18 02:53 . 2009-08-18 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-18 02:51 . 2009-08-18 02:51 -------- d-----w- c:\program files\Bonjour
2009-08-18 02:50 . 2009-08-18 02:50 -------- d-----w- c:\program files\QuickTime
2009-08-18 02:47 . 2009-07-09 18:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-15 18:03 . 2009-09-15 18:03 19763 ----a-w- c:\program files\Common Files\ejujuraryj.lib
2009-09-06 20:23 . 2009-09-06 20:23 14766 ----a-w- c:\documents and settings\All Users\Application Data\vahu.dat
2009-09-04 00:28 . 2008-07-01 21:59 37 ----a-w- c:\documents and settings\default\jagex_runescape_preferences.dat
2009-08-16 19:04 . 2009-05-23 14:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 19:04 . 2008-01-27 03:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 19:04 . 2009-05-23 14:43 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\MSBuild
2009-08-08 05:48 . 2009-08-08 05:48 -------- d-----w- c:\program files\Reference Assemblies
2009-08-08 05:44 . 2009-08-08 05:43 -------- d-----w- c:\program files\MSXML 6.0
2009-08-05 09:01 . 2008-01-23 03:28 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:36 . 2008-08-29 04:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 19:36 . 2008-08-29 04:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2008-01-23 03:25 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 18:21 . 2008-01-23 03:34 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 18:16 . 2008-01-29 04:22 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-03 17:09 . 2008-01-23 03:31 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-01-23 03:30 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-01-23 03:29 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-01-23 03:29 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-01-23 03:28 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-01-23 03:27 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-01-23 03:27 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-01-23 03:27 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2000-10-13 22:56 . 2000-10-13 22:56 23357 ----a-w- c:\program files\folder.htt
.
------- Sigcheck -------
[-] 2009-09-15 00:57 . 5136045680D6EEFB0241B41160416438 . 27648 . . [------] . . c:\windows\SYSTEM32\dllcache\beep.sys
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-15_19.04.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 04:22 . 2009-09-16 05:22 49152 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-23 04:22 . 2009-09-15 18:38 49152 c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-09-06 18:31 . 2009-09-15 18:38 16384 c:\windows\SYSTEM32\config\systemprofile\IETldCache\index.dat
+ 2009-09-06 18:31 . 2009-09-16 05:22 16384 c:\windows\SYSTEM32\config\systemprofile\IETldCache\index.dat
+ 2008-01-23 04:22 . 2009-09-16 05:22 49152 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2008-01-23 04:22 . 2009-09-15 18:38 49152 c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2008-01-23 04:22 . 2009-09-16 05:22 360448 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-23 04:22 . 2009-09-15 18:38 360448 c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-08 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-10 28739]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="c:\windows\system32\spool\migrate.dll" [2004-08-04 30208]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Filseclab Messenger.lnk - c:\program files\Common Files\Filseclab\FilMsg.exe [2007-7-30 315652]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 19:04 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"=c:\progra~1\MESSEN~1\msmsgs.exe /background
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
"CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"TaskMonitor"=c:\windows\taskmon.exe
"PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s
"WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=c:\program files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=c:\program files\Microsoft Works\WkDetect.exe
"MULTIMEDIA KEYBOARD"=c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe
"LoadQM"=loadqm.exe
"HPAIO_PrintFolderMgr"=c:\windows\SYSTEM\hpoopm07.exe
"DownloadWare"="c:\program files\DownloadWare\dw.exe" /H
"SearchEnhancement"="c:\program files\SCBAR\V1\SCBAR.EXE" /U
"KodakCCS"=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NAV Agent"=c:\progra~1\NORTON~1\NAVAPW32.EXE
"RecoverFromReboot"=c:\windows\TEMP\RECOVE~1.EXE
"BJCFD"=c:\program files\BroadJump\Client Foundation\CFD.exe
"QuickTime Task"="c:\windows\SYSTEM32\QTTASK.EXE" -atboottime
"xfilter"="c:\program files\Filseclab\xfilter\xfilter.exe" -a
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [9/6/2009 7:52 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/23/2009 8:43 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/23/2009 8:43 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/23/2009 8:42 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/23/2009 8:42 AM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1029456]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [5/25/2009 7:49 PM 36224]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna
.
Contents of the 'Scheduled Tasks' folder
2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
2009-09-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 23:38
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(360)
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\MVOICE.VWP
- - - - - - - > 'lsass.exe'(416)
c:\windows\system32\WININET.dll
.
Completion time: 2009-09-16 23:43
ComboFix-quarantined-files.txt 2009-09-16 05:43
ComboFix2.txt 2009-09-15 19:16
Pre-Run: 3,530,883,072 bytes free
Post-Run: 3,535,831,040 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
241 --- E O F --- 2009-09-08 20:07
-
Do you remember any of those files in the errors?